sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

General

Target

some_malicious_file.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\vh61nh-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vh61nh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/970A5184F6D10219 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/970A5184F6D10219 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Qwwba87lM/ijrFezqAMf77MuupxSqnfvVDG9Pc4lNAR7LDNvJfvbt3TfwdDuF8MY cc11B5kfY96pxUVSqFsYPSl7Ws+R1/JxzzQVzsqfy37JLWKIVJvIKOaymoNHZBjP Upy1FIIoFYzbueLJBBimUCAOo4Pc2Tb5QGfm9EvRMmO6MRhp9dHMVsnPzU0iyzUO qQi7Q3ZqvThlzzr9+HZVKuQtFLHxAaDZ8XHD79Yy0ftArDvjKcE5i7sSZ0SUfb7m rbvvohlJb5w7KHTdzzkyAWbqx5BKNviETUqXpM5+PhkCmz5mqYvlDwkwPJ56sJHl RAy4n/vx4JlzDiBxRts6hCR5TTBO0yalOrHdYe2QTyK1uAjgHcWXaCwS/k4zwpvw iOakuHV88tJ46ARjfPj8Tp+IhwjyjpcTob3EZnC2RiVQ8r5DfwJoq+RNRIobzoo0 KeoKN7NOTx17Tf2SRIjK3VWUFPGc40+1Xeu5aZDleUI+ijPNSc/1HIPmc1tpleqW XoTDvFydXtNO9T2iOrAfed6Sds/XLEq8vZZ2RLXpgxJYlWCjdyp2oCO53R69nENr b4x/DoNg0aMM1cP/TeuL/fXSR5FWfjcAtifwTf7uXec9peEY1AERiBTjhjbFWLN2 ihlHFCAnsaTtTMhcz5qX0++59fslA5cdHBIctLqzZMitP1y1SEipf08M7nCgf3o4 m4a62X5+FzZxnyAjX43te+wbPbWz8TI1o70JUNQ1fvUp1R5gu5OTN/2s5cJrWyAr OKcpm9vfKhZ9mu5JqLCdE/8U967Ob9k+gZTcbMivQ9ksfA4KmyaSytSkvm84qZAd 4H8c10xBcrPLnUtoHPgmf2/2rTSk6YVmhhH7xACPQnEEQgXF0ChVPlKvOSkwLGf/ GfR4bQ25Eub252hAhOdQ7/Q8hC3spCZZ5nM1sJZzq2lQ6RanZprgc39QK+yfFcLv guMBs+IUNdkqBmLWy4cDKSLSPAEq36t31drHjShEM8EIIOXpfybrixAjBJLLBw3t zr4DhuSaJrSUC2Rm1M4Da4NW0QPW21UEy3spw/WpekjdRYUcHaXTZ9wVXv0GWwHK EumncWpmt9zakDm28b88WSBappKqqA17WGsDVQM9/DYkzTeowWTytqSmb8SfPuap JmF7/+w41JyC06Ho6XWXbvqJXn20C+0C79dbcDFvzDYG8tshLkXeOOJwr+haq1Ey K6dgxeuJ32M= Extension name: vh61nh ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/970A5184F6D10219

http://decryptor.top/970A5184F6D10219

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

some_malicious_file.exe

description	ioc	process
File opened (read-only)	\??\B:	some_malicious_file.exe
File opened (read-only)	\??\H:	some_malicious_file.exe
File opened (read-only)	\??\F:	some_malicious_file.exe
File opened (read-only)	\??\A:	some_malicious_file.exe
File opened (read-only)	\??\E:	some_malicious_file.exe
File opened (read-only)	\??\N:	some_malicious_file.exe
File opened (read-only)	\??\R:	some_malicious_file.exe
File opened (read-only)	\??\T:	some_malicious_file.exe
File opened (read-only)	\??\Z:	some_malicious_file.exe
File opened (read-only)	\??\I:	some_malicious_file.exe
File opened (read-only)	\??\J:	some_malicious_file.exe
File opened (read-only)	\??\O:	some_malicious_file.exe
File opened (read-only)	\??\P:	some_malicious_file.exe
File opened (read-only)	\??\S:	some_malicious_file.exe
File opened (read-only)	\??\X:	some_malicious_file.exe
File opened (read-only)	\??\Q:	some_malicious_file.exe
File opened (read-only)	\??\G:	some_malicious_file.exe
File opened (read-only)	\??\V:	some_malicious_file.exe
File opened (read-only)	\??\W:	some_malicious_file.exe
File opened (read-only)	\??\D:	some_malicious_file.exe
File opened (read-only)	\??\Y:	some_malicious_file.exe
File opened (read-only)	\??\K:	some_malicious_file.exe
File opened (read-only)	\??\L:	some_malicious_file.exe
File opened (read-only)	\??\M:	some_malicious_file.exe
File opened (read-only)	\??\U:	some_malicious_file.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

some_malicious_file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39w2os9c432.bmp"	some_malicious_file.exe

Drops file in Program Files directory 32 IoCs

Processes:

some_malicious_file.exe

description	ioc	process
File created	\??\c:\program files\d60dff40.lock	some_malicious_file.exe
File opened for modification	\??\c:\program files\EnterPing.wmx	some_malicious_file.exe
File opened for modification	\??\c:\program files\SkipUse.zip	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock	some_malicious_file.exe
File created	\??\c:\program files (x86)\d60dff40.lock	some_malicious_file.exe
File opened for modification	\??\c:\program files\ConvertFromExport.dwg	some_malicious_file.exe
File opened for modification	\??\c:\program files\MergeAssert.mpeg2	some_malicious_file.exe
File opened for modification	\??\c:\program files\MoveGet.jpeg	some_malicious_file.exe
File opened for modification	\??\c:\program files\RegisterDeny.dib	some_malicious_file.exe
File opened for modification	\??\c:\program files\WatchWrite.xsl	some_malicious_file.exe
File opened for modification	\??\c:\program files\RenameBackup.xht	some_malicious_file.exe
File opened for modification	\??\c:\program files\UndoSearch.dwg	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock	some_malicious_file.exe
File opened for modification	\??\c:\program files\ExportSplit.nfo	some_malicious_file.exe
File opened for modification	\??\c:\program files\SaveSend.contact	some_malicious_file.exe
File opened for modification	\??\c:\program files\StartResume.crw	some_malicious_file.exe
File opened for modification	\??\c:\program files\AddDisable.mp2v	some_malicious_file.exe
File opened for modification	\??\c:\program files\PopStep.tif	some_malicious_file.exe
File opened for modification	\??\c:\program files\DisableSelect.wm	some_malicious_file.exe
File opened for modification	\??\c:\program files\OpenSwitch.mht	some_malicious_file.exe
File opened for modification	\??\c:\program files\OpenUndo.xsl	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\vh61nh-readme.txt	some_malicious_file.exe
File opened for modification	\??\c:\program files\StopMeasure.gif	some_malicious_file.exe
File opened for modification	\??\c:\program files\UnlockConvertFrom.tif	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\vh61nh-readme.txt	some_malicious_file.exe
File created	\??\c:\program files\vh61nh-readme.txt	some_malicious_file.exe
File created	\??\c:\program files (x86)\vh61nh-readme.txt	some_malicious_file.exe
File opened for modification	\??\c:\program files\CompressAdd.emf	some_malicious_file.exe
File opened for modification	\??\c:\program files\SuspendUnregister.xlsx	some_malicious_file.exe
File opened for modification	\??\c:\program files\UnlockSend.mp2v	some_malicious_file.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vh61nh-readme.txt	some_malicious_file.exe

Drops file in Windows directory 64 IoCs

Processes:

some_malicious_file.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_24d3552052fff863_iscsidsc.mfl_20ed5374	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd_nlscoremig.dll_0ee3acd5	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b7cfcc08ef7b2e35.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_573fbf08fcf78292_iscsiexe.dll.mui_7d81b1cc	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aff2d2ecf720d651.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f840295d0e5d03eb_dhcpcmonitor.dll.mui_478a7103	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0a2f4680d5ae26b7_sti.dll.mui_00a4f15b	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ro-ro_33b6644f20ba3abe.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5335e4fbc5e68cec.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstsv.dll.mui_be092a2d	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70_prflbmsg.dll.mui_4caa0054	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1c754ed890149b9b_rpcrt4.dll_5aa847dd	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8046f18849ea1075_scfilter.sys.mui_cebab716	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a_axinstui.exe.mui_aea34130	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcsvc6.dll.mui_b45c7567	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-msmincho_31bf3856ad364e35_6.1.7600.16385_none_be34642396bfadae_msmincho.ttc_45a433bb	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ace42a47c85d5097.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_scarddlg.dll.mui_300ae9df	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d5c6fcd450b860a2_comdlg32.dll.mui_ac8e62f4	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196_hal.dll_f279be4d	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bd67490bab84b358.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e89294b2fdfa6c6f_explorerframe.dll.mui_074caeb5	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rascfg.dll.mui_0b036e1f	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5755001a50c31e1a.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a50a9780dc53728d_advapi32.dll.mui_28c7718f	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_f3ebb0cc8a4dd814_esent.dll_35f49bdd	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_jvgasys.fon_d163c032	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7a35b864711272dc_rasautou.exe.mui_55686a97	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87_ci.dll_070fb998	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_a74d96a66e8abfbf.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_serialui.dll.mui_7d29d2a3	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..geadapter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_387d94d0a70893b6_winbiostorageadapter.dll.mui_40b1790d	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4d185b6643bf2577.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_04ce5feb5c81cd4f_msimsg.dll.mui_72e8994f	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_099dba41b29ce8e2.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e92c2c565299ae13.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_11ed75c93fd15e23_bootfix.bin_ee6f205e	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_8be3f9b7c370e5b6_comdlg32.dll.mui_ac8e62f4	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_730e32c11586bfeb.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8f87beada663817_oleaccrc.dll.mui_26339d25	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_527d3f0d761d006f_wevtapi.dll.mui_27c9f5dd	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_couf1255.fon_26dbd66b	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bdcee47d56ca31c.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_231366a72d1cda71.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bade38e6e7749ea0.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_318843f5a10be121_msxml6r.dll.mui_4516d602	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_86663b85e279cca2.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_521851f9ea3be82c.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d_sdbinst.exe.mui_258ad624	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_d2199a50165e07e9_comdlg32.dll.mui_ac8e62f4	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4326dcc95e110bbe_samsrv.dll.mui_32250491	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_ccd1c51fc6ac7e26_mlang.dll.mui_2904864a	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9db31541093af182_htui.dll.mui_038c60dd	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-869_31bf3856ad364e35_6.1.7600.16385_none_2add61a8b4e2a71a_c_869.nls_a71cf43a	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b5c5f27e73b45f19_auditpol.exe.mui_df4767d7	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rtm.dll_dbf434cd	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876_dnsapi.dll.mui_97465f8a	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-asyncmac_31bf3856ad364e35_6.1.7600.16385_none_804cc08a4e8a4516.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_de-de_008abe00ec7ed418.manifest	some_malicious_file.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b7c76e94cbb839f.manifest	some_malicious_file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3020 vssadmin.exe

pid	process
3020	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

some_malicious_file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	some_malicious_file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	some_malicious_file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	some_malicious_file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	some_malicious_file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	some_malicious_file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	some_malicious_file.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

some_malicious_file.exe

pid	process
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe
2244	some_malicious_file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2308 vssvc.exe
Token: SeRestorePrivilege 2308 vssvc.exe
Token: SeAuditPrivilege 2308 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2308	vssvc.exe
Token: SeRestorePrivilege	2308	vssvc.exe
Token: SeAuditPrivilege	2308	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

some_malicious_file.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 3032	2244	some_malicious_file.exe	cmd.exe
PID 2244 wrote to memory of 3032	2244	some_malicious_file.exe	cmd.exe
PID 2244 wrote to memory of 3032	2244	some_malicious_file.exe	cmd.exe
PID 2244 wrote to memory of 3032	2244	some_malicious_file.exe	cmd.exe
PID 3032 wrote to memory of 3020	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3020	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3020	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3020	3032	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe
"C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
77fa754632423b4356bcc624ec964631

SHA1
8393ad257dd9aa7816aaba86340078850328dad8

SHA256
7021b02dacff408a7c45ed73b1069041c0e31382c0b3539ca34ffa8534e6eb97

SHA512
52fd182cc60302753c01648146c8d2230db83789898c1760dda705ad27baee4b78a8297747236acd44b9076c7901cee19a57e961771a238b8152f53f9265a1ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ea3c771693b1d4f305ebe8b27bc62279

SHA1
c3585055b452535649ab471554688eb9c16cad00

SHA256
86eb9020f88e3108b32f2fbab95361d0505cd67494fe77f7d31bfba5d12c8b83

SHA512
212889b61a46d05cbf1c3dbd91548ba1ce74c1b34f0c685e9062b24445502dac2c5e5194bfc63664afdbaaa3da2d0f420c4e9668e9f87c1ea2298ba9c45a208c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar54.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\vh61nh-readme.txt
Filesize
6KB

MD5
3d2196671f5873d856ace2aa295193f5

SHA1
98ce96170d979632cb344a9ebc44a0ff0add6d9b

SHA256
6f510a447407d010aa0da456c107e851edd115c7964f1e31c5eeb10dfdfa5f1d

SHA512
fbf2b887fd90e3e4664e34bac847a1fceb96cf8bbaf1890445fc9062c8ad1dc511217e37de18fa85b951aa122fc8fc167fe5730e5152444f7ee433923b740d59

Download Submit
memory/2244-7-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2244-12-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2244-8-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2244-0-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/2244-11-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2244-10-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2244-9-0x0000000001120000-0x0000000001229000-memory.dmp

Filesize
1.0MB

Download
memory/2244-2-0x0000000000CD0000-0x0000000000D99000-memory.dmp

Filesize
804KB

Download
memory/2244-14-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2244-3-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/2244-5-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2244-6-0x0000000000DA0000-0x0000000000ECD000-memory.dmp

Filesize
1.2MB

Download
memory/2244-4-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads