Analysis
-
max time kernel
133s
-
max time network
160s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
03-02-2024 19:12
Behavioral task
behavioral1
Sample
some_malicious_file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
some_malicious_file.exe
Resource
win10v2004-20231222-en
General
-
Target
some_malicious_file.exe
-
Size
164KB
-
MD5
890a58f200dfff23165df9e1b088e58f
-
SHA1
74e3d82f7ee81109e150dc41112cf95b3a4b5307
-
SHA256
5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
-
SHA512
2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
-
SSDEEP
3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9
Malware Config
Extracted
C:\Users\vh61nh-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/970A5184F6D10219
http://decryptor.top/970A5184F6D10219
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
some_malicious_file.exe (process for every entry below)
description ioc
File opened (read-only) \??\B:
File opened (read-only) \??\H:
File opened (read-only) \??\F:
File opened (read-only) \??\A:
File opened (read-only) \??\E:
File opened (read-only) \??\N:
File opened (read-only) \??\R:
File opened (read-only) \??\T:
File opened (read-only) \??\Z:
File opened (read-only) \??\I:
File opened (read-only) \??\J:
File opened (read-only) \??\O:
File opened (read-only) \??\P:
File opened (read-only) \??\S:
File opened (read-only) \??\X:
File opened (read-only) \??\Q:
File opened (read-only) \??\G:
File opened (read-only) \??\V:
File opened (read-only) \??\W:
File opened (read-only) \??\D:
File opened (read-only) \??\Y:
File opened (read-only) \??\K:
File opened (read-only) \??\L:
File opened (read-only) \??\M:
File opened (read-only) \??\U:
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
some_malicious_file.exe
description ioc
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39w2os9c432.bmp"
-
Drops file in Program Files directory 32 IoCs
Processes:
some_malicious_file.exe (process for every entry below)
description ioc
File created \??\c:\program files\d60dff40.lock
File opened for modification \??\c:\program files\EnterPing.wmx
File opened for modification \??\c:\program files\SkipUse.zip
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock
File created \??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock
File created \??\c:\program files (x86)\d60dff40.lock
File opened for modification \??\c:\program files\ConvertFromExport.dwg
File opened for modification \??\c:\program files\MergeAssert.mpeg2
File opened for modification \??\c:\program files\MoveGet.jpeg
File opened for modification \??\c:\program files\RegisterDeny.dib
File opened for modification \??\c:\program files\WatchWrite.xsl
File opened for modification \??\c:\program files\RenameBackup.xht
File opened for modification \??\c:\program files\UndoSearch.dwg
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock
File opened for modification \??\c:\program files\ExportSplit.nfo
File opened for modification \??\c:\program files\SaveSend.contact
File opened for modification \??\c:\program files\StartResume.crw
File opened for modification \??\c:\program files\AddDisable.mp2v
File opened for modification \??\c:\program files\PopStep.tif
File opened for modification \??\c:\program files\DisableSelect.wm
File opened for modification \??\c:\program files\OpenSwitch.mht
File opened for modification \??\c:\program files\OpenUndo.xsl
File created \??\c:\program files (x86)\microsoft sql server compact edition\vh61nh-readme.txt
File opened for modification \??\c:\program files\StopMeasure.gif
File opened for modification \??\c:\program files\UnlockConvertFrom.tif
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\vh61nh-readme.txt
File created \??\c:\program files\vh61nh-readme.txt
File created \??\c:\program files (x86)\vh61nh-readme.txt
File opened for modification \??\c:\program files\CompressAdd.emf
File opened for modification \??\c:\program files\SuspendUnregister.xlsx
File opened for modification \??\c:\program files\UnlockSend.mp2v
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vh61nh-readme.txt
-
Drops file in Windows directory 64 IoCs
Processes:
some_malicious_file.exe (process for every entry below)
description ioc
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_24d3552052fff863_iscsidsc.mfl_20ed5374
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd_nlscoremig.dll_0ee3acd5
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b7cfcc08ef7b2e35.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_573fbf08fcf78292_iscsiexe.dll.mui_7d81b1cc
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aff2d2ecf720d651.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f840295d0e5d03eb_dhcpcmonitor.dll.mui_478a7103
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0a2f4680d5ae26b7_sti.dll.mui_00a4f15b
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ro-ro_33b6644f20ba3abe.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5335e4fbc5e68cec.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstsv.dll.mui_be092a2d
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70_prflbmsg.dll.mui_4caa0054
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1c754ed890149b9b_rpcrt4.dll_5aa847dd
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8046f18849ea1075_scfilter.sys.mui_cebab716
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a_axinstui.exe.mui_aea34130
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcsvc6.dll.mui_b45c7567
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-msmincho_31bf3856ad364e35_6.1.7600.16385_none_be34642396bfadae_msmincho.ttc_45a433bb
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ace42a47c85d5097.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_scarddlg.dll.mui_300ae9df
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d5c6fcd450b860a2_comdlg32.dll.mui_ac8e62f4
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196_hal.dll_f279be4d
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bd67490bab84b358.manifest
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e89294b2fdfa6c6f_explorerframe.dll.mui_074caeb5
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rascfg.dll.mui_0b036e1f
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5755001a50c31e1a.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a50a9780dc53728d_advapi32.dll.mui_28c7718f
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_f3ebb0cc8a4dd814_esent.dll_35f49bdd
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_jvgasys.fon_d163c032
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7a35b864711272dc_rasautou.exe.mui_55686a97
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87_ci.dll_070fb998
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_a74d96a66e8abfbf.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_serialui.dll.mui_7d29d2a3
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..geadapter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_387d94d0a70893b6_winbiostorageadapter.dll.mui_40b1790d
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4d185b6643bf2577.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_04ce5feb5c81cd4f_msimsg.dll.mui_72e8994f
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_099dba41b29ce8e2.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e92c2c565299ae13.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_11ed75c93fd15e23_bootfix.bin_ee6f205e
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_8be3f9b7c370e5b6_comdlg32.dll.mui_ac8e62f4
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_730e32c11586bfeb.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8f87beada663817_oleaccrc.dll.mui_26339d25
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_527d3f0d761d006f_wevtapi.dll.mui_27c9f5dd
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_couf1255.fon_26dbd66b
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bdcee47d56ca31c.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94.manifest
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_231366a72d1cda71.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bade38e6e7749ea0.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_318843f5a10be121_msxml6r.dll.mui_4516d602
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_86663b85e279cca2.manifest
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_521851f9ea3be82c.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d_sdbinst.exe.mui_258ad624
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_d2199a50165e07e9_comdlg32.dll.mui_ac8e62f4
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4326dcc95e110bbe_samsrv.dll.mui_32250491
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_ccd1c51fc6ac7e26_mlang.dll.mui_2904864a
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9db31541093af182_htui.dll.mui_038c60dd
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-869_31bf3856ad364e35_6.1.7600.16385_none_2add61a8b4e2a71a_c_869.nls_a71cf43a
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b5c5f27e73b45f19_auditpol.exe.mui_df4767d7
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rtm.dll_dbf434cd
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876_dnsapi.dll.mui_97465f8a
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-asyncmac_31bf3856ad364e35_6.1.7600.16385_none_804cc08a4e8a4516.manifest
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_de-de_008abe00ec7ed418.manifest
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b7c76e94cbb839f.manifest
-
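The drive-root probes, the per-directory ransom note and .lock files, and the mass "opened for modification" entries in the four signature blocks above are the raw material for triage heuristics. The Python below is an added example, not part of the report and not any sandbox's own code: it parses IoC lines in the report's own "description ioc process" layout and applies a few ransomware-oriented checks. The sample lines are constructed for the example from the entries above (the 25 drive roots verbatim, plus a handful of the Program Files and Windows entries); the drive-count threshold of 8 is an assumption, and the note-tag regex assumes the REvil note name shape `<tag>-readme.txt` seen on this page.

```python
import re
from typing import NamedTuple

# Sandbox file-event lines in the report's "description ioc process" shape.
# Constructed for this example from the entries above: all 25 drive roots the
# sample probed, plus a few of the Program Files / Windows entries.
DRIVE_LETTERS = "BHFAENRTZIJOPSXQGVWDYKLMU"  # every root listed in the report (no C:)
SAMPLE_LINES = [
    f"File opened (read-only) \\??\\{c}: some_malicious_file.exe" for c in DRIVE_LETTERS
] + [
    r"File created \??\c:\program files\d60dff40.lock some_malicious_file.exe",
    r"File created \??\c:\program files (x86)\d60dff40.lock some_malicious_file.exe",
    r"File created \??\c:\program files\vh61nh-readme.txt some_malicious_file.exe",
    r"File created \??\c:\program files (x86)\vh61nh-readme.txt some_malicious_file.exe",
    r"File opened for modification \??\c:\program files\EnterPing.wmx some_malicious_file.exe",
    r"File opened for modification \??\c:\program files\SkipUse.zip some_malicious_file.exe",
    r"File opened for modification \??\c:\program files\MoveGet.jpeg some_malicious_file.exe",
    r"File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196_hal.dll_f279be4d some_malicious_file.exe",
]


class FileEvent(NamedTuple):
    action: str
    path: str
    process: str


# action, then the path (may contain spaces), then the process image as the last token
LINE_RX = re.compile(
    r"^(File created|File opened for modification|File opened \(read-only\)) (.+) (\S+)$"
)
DRIVE_ROOT_RX = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)   # \??\X:
NOTE_RX = re.compile(r"\\([0-9a-z]+)-readme\.txt$", re.IGNORECASE)  # <tag>-readme.txt (assumed shape)


def parse_lines(lines):
    """Turn flattened sandbox IoC lines into FileEvent records; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if m:
            events.append(FileEvent(*m.groups()))
    return events


def summarize(events, drive_threshold=8):
    """Ransomware heuristics over parsed file events.

    drive_threshold is an assumed cut-off: one process probing at least that many
    distinct drive roots is reported as drive enumeration.
    """
    drives = sorted({DRIVE_ROOT_RX.match(e.path).group(1).upper()
                     for e in events if DRIVE_ROOT_RX.match(e.path)})
    notes = [e for e in events if e.action == "File created" and NOTE_RX.search(e.path)]
    note_tags = sorted({NOTE_RX.search(e.path).group(1).lower() for e in notes})
    note_dirs = {e.path.rsplit("\\", 1)[0].lower() for e in notes}
    locks = [e for e in events if e.action == "File created" and e.path.lower().endswith(".lock")]
    modified = [e for e in events if e.action == "File opened for modification"]
    return {
        "drive_roots_probed": drives,
        "drive_enumeration": len(drives) >= drive_threshold,
        "ransom_note_tags": note_tags,   # pivot value: hunt other hosts for <tag>-readme.txt
        "ransom_note_dirs": len(note_dirs),
        "lock_files_created": len(locks),
        "files_opened_for_modification": len(modified),
        "touches_windows_dir": any("\\windows\\" in e.path.lower() for e in modified),
        "processes": sorted({e.process for e in events}),
    }


def report_summary():
    """Run the heuristics over the constructed excerpt of this report."""
    return summarize(parse_lines(SAMPLE_LINES))


if __name__ == "__main__":
    for key, value in report_summary().items():
        print(f"{key}: {value}")
```

On the excerpt above the summary reports 25 drive roots (every letter but C), the single note tag vh61nh written in two directories, two .lock files, and modifications that reach into C:\Windows\winsxs\Backup. The same parser works on the full IoC list from any report in this layout; feed it the complete Program Files and Windows blocks and the counts scale accordingly.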
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid process
3020 vssadmin.exe
-
Modifies system certificate store
Processes:
some_malicious_file.exe (process for every entry below)
description ioc
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted]
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted]
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
some_malicious_file.exe
pid process
2244 some_malicious_file.exe (18 identical entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exe
description pid process
Token: SeBackupPrivilege 2308 vssvc.exe
Token: SeRestorePrivilege 2308 vssvc.exe
Token: SeAuditPrivilege 2308 vssvc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
some_malicious_file.exe, cmd.exe
description pid process target process
PID 2244 wrote to memory of 3032: 2244 some_malicious_file.exe -> cmd.exe (4 identical entries)
PID 3032 wrote to memory of 3020: 3032 cmd.exe -> vssadmin.exe (4 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe"
Tree depth: 1
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Tree depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin.exe Delete Shadows /All /Quiet
Tree depth: 3
- Interacts with shadow copies
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
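The cmd.exe line in the tree is the whole recovery-inhibition chain in one command: vssadmin deletes every shadow copy, and the two bcdedit calls turn off Windows recovery and suppress boot-failure handling so the victim cannot roll back. The Python below is an added detection example, not code from the report or from any product: it runs three command-line rules and a parent-chain heuristic over constructed process-creation events modelled on this tree (the parent PID of 2244 and the benign "vssadmin list shadows" event are made up so that the lineage rule and a non-match are both exercised). Note that the image path is C:\Windows\SysWOW64\cmd.exe while the command line names System32: the sample runs as a 32-bit process, so WoW64 redirects the path, and the normalisation folds that so a rule keyed on System32 still fires.

```python
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the process tree in the report.
# PPID 1234 for the sample and the final benign vssadmin event are made up.
EVENTS = [
    ProcEvent(2244, 1234, r"C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe"'),
    ProcEvent(3032, 2244, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
              r"& bcdedit /set {default} recoveryenabled No "
              r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(3020, 3032, r"C:\Windows\SysWOW64\vssadmin.exe",
              r"vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(4100, 900, r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
]

# Command-line rules; the cmd.exe line that carries the whole chain matches all three.
RULES = {
    "vss_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.IGNORECASE),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
        re.IGNORECASE),
}
# Directories a non-admin user can write to (assumed list for the lineage heuristic).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def norm_image(path):
    """Lower-case and fold the WoW64 directory onto System32, so a 32-bit sample's
    C:\\Windows\\SysWOW64\\cmd.exe is treated like System32\\cmd.exe."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... of pid, stopping at unknown PIDs or cycles."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid.get(ev.ppid)
        if ev is not None:
            yield ev


def detect(events):
    """Return sorted (rule, pid) hits for the command-line rules plus a lineage heuristic:
    shadow deletion whose ancestry includes an executable in a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        for name, rx in RULES.items():
            if rx.search(e.cmdline):
                hits.add((name, e.pid))
        is_vss_delete = (norm_image(e.image).endswith("\\system32\\vssadmin.exe")
                         and RULES["vss_delete_shadows"].search(e.cmdline))
        if is_vss_delete and any(marker in anc.image.lower()
                                 for anc in ancestors(by_pid, e.pid)
                                 for marker in USER_WRITABLE):
            hits.add(("vss_delete_from_user_writable_lineage", e.pid))
    return sorted(hits)


def report_hits():
    return detect(EVENTS)


if __name__ == "__main__":
    for rule, pid in report_hits():
        print(f"{rule}: pid {pid}")
```

On these events the three command-line rules fire on cmd.exe (PID 3032), vss_delete_shadows fires again on vssadmin.exe (PID 3020), and the lineage rule fires on 3020 because its grandparent runs from the user's Temp directory; the benign "vssadmin list shadows" call produces nothing. In production the same logic maps onto Sysmon Event ID 1 or Windows 4688 fields (Image, CommandLine, ParentProcessId), with the parent chain reconstructed from the event stream rather than a static list.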
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
77fa754632423b4356bcc624ec964631
SHA1
8393ad257dd9aa7816aaba86340078850328dad8
SHA256
7021b02dacff408a7c45ed73b1069041c0e31382c0b3539ca34ffa8534e6eb97
SHA512
52fd182cc60302753c01648146c8d2230db83789898c1760dda705ad27baee4b78a8297747236acd44b9076c7901cee19a57e961771a238b8152f53f9265a1ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
ea3c771693b1d4f305ebe8b27bc62279
SHA1
c3585055b452535649ab471554688eb9c16cad00
SHA256
86eb9020f88e3108b32f2fbab95361d0505cd67494fe77f7d31bfba5d12c8b83
SHA512
212889b61a46d05cbf1c3dbd91548ba1ce74c1b34f0c685e9062b24445502dac2c5e5194bfc63664afdbaaa3da2d0f420c4e9668e9f87c1ea2298ba9c45a208c
-
C:\Users\Admin\AppData\Local\Temp\Cab12.tmp
Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar54.tmp
Filesize
171KB
MD5
9c0c641c06238516f27941aa1166d427
SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\vh61nh-readme.txt
Filesize
6KB
MD5
3d2196671f5873d856ace2aa295193f5
SHA1
98ce96170d979632cb344a9ebc44a0ff0add6d9b
SHA256
6f510a447407d010aa0da456c107e851edd115c7964f1e31c5eeb10dfdfa5f1d
SHA512
fbf2b887fd90e3e4664e34bac847a1fceb96cf8bbaf1890445fc9062c8ad1dc511217e37de18fa85b951aa122fc8fc167fe5730e5152444f7ee433923b740d59
-
memory/2244-7-0x0000000000190000-0x0000000000191000-memory.dmp
Filesize
4KB
-
memory/2244-12-0x00000000001A0000-0x00000000001A6000-memory.dmp
Filesize
24KB
-
memory/2244-8-0x0000000000290000-0x00000000002AF000-memory.dmp
Filesize
124KB
-
memory/2244-0-0x00000000000E0000-0x00000000000EA000-memory.dmp
Filesize
40KB
-
memory/2244-11-0x00000000001A0000-0x00000000001A6000-memory.dmp
Filesize
24KB
-
memory/2244-10-0x00000000001A0000-0x00000000001A6000-memory.dmp
Filesize
24KB
-
memory/2244-9-0x0000000001120000-0x0000000001229000-memory.dmp
Filesize
1.0MB
-
memory/2244-2-0x0000000000CD0000-0x0000000000D99000-memory.dmp
Filesize
804KB
-
memory/2244-14-0x0000000000190000-0x0000000000191000-memory.dmp
Filesize
4KB
-
memory/2244-3-0x0000000000460000-0x00000000004FF000-memory.dmp
Filesize
636KB
-
memory/2244-5-0x0000000000100000-0x0000000000101000-memory.dmp
Filesize
4KB
-
memory/2244-6-0x0000000000DA0000-0x0000000000ECD000-memory.dmp
Filesize
1.2MB
-
memory/2244-4-0x00000000000F0000-0x00000000000F1000-memory.dmp
Filesize
4KB
-
memory/2244-1-0x00000000000E0000-0x00000000000EA000-memory.dmp
Filesize
40KB