sodinokibi | 160c832f3bd93d3a3c157276e3e030aa9c770db7c02d54d9807350b6e8d62346

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Size

164KB
MD5

ca337c7130eef4f4ff8e8a4a8ec28647
SHA1

28558e35d3f9af01fe438eba7fba1c38201c86de
SHA256

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
SHA512

60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
SSDEEP

3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\5e6ss7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5e6ss7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DB2A44B74C43238 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4DB2A44B74C43238 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: VwvQiT06XrpXlzfyjVFr9TZVL8j9Xl8iN3isW1GITTEv1XAZfoYnM58V8Ei1Z2KM CbGMGBv3O/9HMYCVY1bd1tvBSGO4i5Cn+I5eJTiUW/EV3j66J+2xGf6SoAP7Z6YT 8ub7FQh5vFz4P4lkQfL3e0CFvDEmbsEPXl61O+Rg68V4bARrc1RoFn6nABIKefWy 6KGiwrQh7rBGyXSqw7miyfuRs8KO7CjjwBTNcFKnHolDnBQs1CXrQD6jUDUrQmmz 0ClHwoLKeC7N4tCMo751xBPyTkKTstE3uLNIMKOsYVZCuYU3mUg4VlHLensknzVE bj5IFo+ZeX7fL6craWOOKqb2/lVtY2yWxrU4zyj/O40M+8csxuTuicyNMXmYA1wY oCUhXnX+sVxYKSHgrg1YhnEQwPVJii400pJjrTfz7SZLyVEaeecaYdlaaDfK+J3d jKdSVOi/nUNnGtyZoVRyjZFCWTP8vjeIdMmJzzQjOQT7vkg0jf8zbw0W7pVrXxMD aMUv2x2kkLZUdeXUd7q42xya+d11eVcp38h89FjvKdTgN3ntjqw159zKRDccG/eB 1KiGvdTXfxpArzEHptEOBoW0GI8FqmkKr76gWxbQ9eEa+hNaVpcep+3g4M5Sh4t4 psPef+OIvHbCct8ZzyG3SgJQdtwSIYuCv0lZAegvrh/v8zPHva8gM/RpvI3H3/y4 E+jAdkon4tiPV6F5vi5ze4hftUsDjpBPmZ3JQHw30zxJzDQjbOXZJkg2ngKLYgKr 8E+o3JI2Eo3BACup2c3v9nbwPMyf/qNXItWd6bEDIGZL5QO08BXwvXrhP22eTLdi fuLU1jmDm9AM04NVk2S6V777HeJPUmEef73lov+aTptCzH/iePEnIwefH+nyPSI4 1zFHdwI7EYG/7srljmT436ogpw6yVoRl2xmgLZcxiIaQp2Bf96+YM1ROot41pv3m OOjROLUNkMP60bIY9AQZkS6cyMBB7RHVj4q9eM2MNqdvdbLBnSXGr5zIcuUwDPN/ 1t+7dn4SX4GV1tgc7ihGpUMXvGJf4NBNK1wVUVc501Hw8lFevIWNlSfu1K1nKepA nBzCLCihcHh+BHmzGd55mcbiOhH+Wkjd77QCmyLWIKhWIkfIZE+ZlVtf71GoGp04 iN8Sktf6TGtqaV5O1/gJFlb/jAQaoaCaVFEy/JLHEvqylAML6FpsEDGqeGGnq7n7 pNvhm2TfaPxMG02ih2cURQ== Extension name: 5e6ss7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DB2A44B74C43238

http://decryptor.top/4DB2A44B74C43238

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\S:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\D:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\K:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\M:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\U:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\T:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Z:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\F:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\A:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\H:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\J:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Q:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Y:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\E:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\G:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\I:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\P:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\W:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\O:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\X:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\N:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\R:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\B:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\V:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnn3ma3.bmp"	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\OptimizeConfirm.wmv	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\EnterConvertFrom.ppsx	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\HideSelect.mp4v	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\ExportConfirm.contact	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\GroupSync.xlsm	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File created	\??\c:\program files (x86)\5e6ss7-readme.txt	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\CopySkip.emz	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\PublishRepair.tmp	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File created	\??\c:\program files\37db623e.lock	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File created	\??\c:\program files (x86)\37db623e.lock	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\TraceCopy.mht	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\UnblockRead.au	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File created	\??\c:\program files\5e6ss7-readme.txt	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	\??\c:\program files\PublishJoin.rtf	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ro-ro_05272d3c05a54a31.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesrs1_31bf3856ad364e35_10.0.19041.1_none_11f2e2f301213a90.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_wmiutils.dll.mui_42583eaf	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.19041.1_none_046a9b5a2d69211d_gpuenergydrv.sys_9567f543	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_93e6eb93accdac11_ucrtbase.dll_a00b9625	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.906_none_703c15786005c809_sechost.dll_a7bf8aa9	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_it-it_05ff04e5d71bfd5f.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984_comctl32.dll_9c499789	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vds.exe.mui_2268d934	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_a521e37e8ecb8aa3.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_82b5dd00dbb53a5c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsiexe.dll.mui_7d81b1cc	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_c10bc33ae3f4a3aa.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_es-es_81fee3c06ca876bd_tcpipcfg.dll.mui_a5479fc1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.423_en-us_c99b855b8edbac2b_wbiosrvc.dll.mui_d5b8b2b8	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-ext_31bf3856ad364e35_10.0.19041.1_none_3990ef4a132546c8_winlogonext.dll_fa102d5e	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_0703274c38013b60_bootmgr.efi.mui_be5d0075	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.19041.1_none_a1c3d9420e6939cc.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_pt-br_62e0d9e4d5e89337.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_123a7540f6f47a8e_dcomp.dll_a2e93a7d	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.19041.84_none_f35474a560ca755b.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi-onecore_31bf3856ad364e35_10.0.19041.844_none_e413cef1d5bfa747.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_es-es_8559d1e56d0ddfe6.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_uk-ua_3d1792f0b5c2671e.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_es-mx_36cb4cea87054a3a.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_en-us_1fee549ac552b43c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4c39b2a1b0c21c01_scarddlg.dll.mui_300ae9df	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fr-ca_43eaf76475822ccb.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1288_none_d9539a9fe102720c_gdiplus.dll_423f7010	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_82b5dd00dbb53a5c_combase.dll_a2567a6a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce34d3262165aa68.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_vgafixr.fon_de339586	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_70c254192b5ba65d_dsreg.dll.mui_5d9efc7e	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_es-es_197e86f61a60a3c7_userdeviceregistration.ngc.dll.mui_d2c6ca95	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_mofcomp.exe.mui_35badf56	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_ab9bc1d129a747ed_bootmgr.efi.mui_be5d0075	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_2c2b0820313203ea.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.19041.1_none_1b31c6067f7278ae_msjh.ttc_ea675e59	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.1_none_61b242cab8dd7003.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_sr-..-rs_8a91a3efb9e8975c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1110_none_56683e3b6f9cb252.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega80woa.fon_72a205e7	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_bg-bg_36e6bc5fe8ecffc2_msimsg.dll.mui_72e8994f	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c859c559627601c9_storsvc.dll.mui_2fc7b1d3	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4c39b2a1b0c21c01_certprop.dll.mui_602eaab4	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.19041.1237_none_5f00842b9149cc7c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sv-se_f82a6602cfd53ee1_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.388_en-us_3b9e163a021f3ac3.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_0a518745d856f00f.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_d951a72ad1ee4c8e_wuceffects.dll_0c15b7d5	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-etw-ese.resources_31bf3856ad364e35_10.0.19041.1_en-us_aa43e6777eda8f90.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.1_none_78990edc010a0704.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_be5624a41aefd846.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_sl-si_60a279d553aa108e_bootmgr.exe.mui_c434701f	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_7b81ce88dad4adc1_bootmgr.efi.mui_be5d0075	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_4f298dd28b5b80db.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c512b243847d5d6.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b5efa638ab6e61d_hidserv.dll.mui_561adfc8	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_296ac06bb93cb570_provsvc.dll.mui_3a2926ae	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-null_31bf3856ad364e35_10.0.19041.1_none_5f56fb00ba5a9142_null.sys_e821cef0	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.19041.1202_none_86a33fbc3190c341_iphlpsvc.dll_805aaf49	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_01d9cddf1dc42162.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4200	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
4200	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 2540	4200	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	90
PID 4200 wrote to memory of 2540	4200	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	90
PID 4200 wrote to memory of 2540	4200	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	90

C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
"C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\5e6ss7-readme.txt

Filesize
6KB

MD5
76c52fd8f766c210e5d407f38de3d63c

SHA1
3bdfd9a2555c2c801518778572110222c3cdb8e0

SHA256
9eaf76cc954e2a2b64ada09ee80e8a545da7d2e04c613797899329fd4590ec16

SHA512
dbafd2ea09becf891f56f78cd728281e0c70eed59f821f3ec308edb2d0245c6b6d2c272d1932f6b18667946fd0c027cb0c566a85fdff891e93313131bf998293

Download Submit