sodinokibi | df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07

General

Target

13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
Size

164KB
MD5

13d4c1451da6fa284c08c669a7d0e7c1
SHA1

2ea65287c7489d8ab5abd04e172c55d1518a4052
SHA256

df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07
SHA512

f845335dd84b5bf9b20889dfd051bf012dfcf96adaf4f6de171b3a8e62f42cf03c0e18314ad6ca59ff3eb5e1c0ef3dce179845aac6582b9438c0b13809f47554
SSDEEP

3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDO9KR/vOst3b:ffYWAw9fcUdmwIXo+M9VQHDxmst

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\9xfuulq-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9xfuulq. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you have any questions, or experiencing troubles with the test decryption, you can use our chat on the website, our stuff support will help you as quick as possible. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0A11F0CC03D1866 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F0A11F0CC03D1866 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: eUXKmgaSo16xFEgjZwQCmPz/F25xLfJgpQUqGi8vk8tRRU1abX+4YwD88NQBnZqN xt1i9oZ2sRRoLlR3qaDydhoSmdsvSDhxqC0Ges5lkrMRBzOihlMzliKGQSWVD0uU YmPQH7Tk/+AnQOsOL3r1w2IxJvxQjC38sOUxO6E2JOHU7q/NsEv0tYkxvKzEfdri PT9HmlIrYTGLRY26ucQ14exq44L+BXbHybdusRMMp+Vhf9hRfRSklrt1rNaVJrqd v9/ozpJSMnOB7z1Uh5svKNEUr7iIKwh/P4eGc/Hg+Z8G0jQmY/fwtDTW0LvC+TaP QLhH0UEYNwoVj087cqDAQv1ivBg7Ao6aVtC8pFDpsXir9KttiE0TL6sXVqjT39Y6 PI4zUfSC6dQOLPouNQs9rLImiWBU2x7EYwo1bNFTq3PVjIIiPKw/I5lqwOXsqRWh BICSdxJ/6QClZ3RwI5lmdSF0GjJ4eisl6gP0kqWKMzXp/NvOigTOQ6DqefZQba3R LW6M6928gT6rTds7VnO2vqFjOJ2ZbnvX7rrl1orVWwZoQJZD1vhVgkUFebZQsC+6 77JSQdEmH73wKY0oieqkn/m4Odggb821gtxTSWq+mTN13jxC3tGnUMFk/QttQeby YnOs2tUs1JiRegZBZ2zwFscuH23o9dGxCaTz4rsIT5IfL2tlIrvf/rKg1FOkVY5k H8UvRV4X3F3RwFMWGwNL8KJTBxb0gFsljHBjSnk7dg0JIc6Y6/BctTrFEzTM76ZB p/CDNinJjA21egU+wHi/QR3UiU+AglPqxRhBxTfZzfEyWVpbrkiVX5s9pgBsrEwy 2cFnOK1pHFcVe6JXkQ3aGHqenKNQXJ1xirxwubSVwK/1G0ylmc14IISOJZFVWS2X vi0EtCYZPmJd/lMExUnQtUrj44bu7YHoSXyT9YfKUf+a2bYVzEWoe6oe9n3R6M2P 2oJ2gIhZ2tQsd5tVwShUQnVlvysVMSEpZUJfMdZac6A/hkH48vvjVIkSlNZamxnQ V/rY85DFZ1kMceSIMIVst7y5PerIoBV4mFtreW0Jj/PVuhOdoBpGYxz1Tn3oIYKY pLRWSRaqqv1sCBTa1ypia5SsTC72tmZ2Mp2bn2cDciv5uJxcpoIHFEB3xo6sprPD 88Vta018WNYXVF5t4O2djLc9K4WnbBgMAfvvHQ/BwBVzqM0144hzLpy8JCF6CX/4 Ew7KTS7vgPYVt1uc Extension name: 9xfuulq ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0A11F0CC03D1866

http://decryptor.top/F0A11F0CC03D1866

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\O:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\A:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\T:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\R:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\U:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\D:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\L:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\Q:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\V:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\W:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\P:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\S:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\G:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\X:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\M:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\F:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\I:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\H:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\J:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\K:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\N:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\Y:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\Z:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened (read-only)	\??\E:	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h91z45pnb.bmp"	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\9xfuulq-readme.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\BackupFind.jpg	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DebugPublish.snd	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File created	\??\c:\program files\9xfuulq-readme.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CheckpointRedo.xlt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditComplete.vsdm	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditReceive.aifc	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OutRead.nfo	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnregisterBackup.clr	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9xfuulq-readme.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9xfuulq-readme.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddStep.AAC	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RestoreWatch.dotm	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SaveReceive.jtx	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\TraceJoin.mhtml	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\9xfuulq-readme.txt	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PushInitialize.vsd	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\HideJoin.xltm	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairUnblock.DVR	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ClearMove.aif	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
3020	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3020	2936	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3020	2936	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3020	2936	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3020	2936	13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13d4c1451da6fa284c08c669a7d0e7c1_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\9xfuulq-readme.txt

Filesize
7KB

MD5
36f6ba89862209dc0d8567cbb64e8719

SHA1
0ecfb9131b15bfe0ce3c85ad24f71c80b6d628ef

SHA256
dff88f9dc854ef2624fac009533bcaa6f4e15b2a1f4285b4fd2d0cc48665103e

SHA512
8cbcdd22a32fc08bcbac9d76834e1d90dcebbb3e20667a51a4bba3e0ca4dc8026f3ef347e8c33ca013a59582d84bdf85d72f66258d1d7c8fcd12cb67af5ceba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98e9533ce9466386ae97669272fa92d6

SHA1
681388fac3189b660da15f7956c2edfe24f9e070

SHA256
f6ca33ec558f82dfa3510b8708bb23c044a173007ca04866f1efe0cbf030742b

SHA512
87568ba564b17c355e1dd0b7ad466786d16041d07609be349b68295765474aee3f6fc565f4b49dc093aba9ed58f41464f809d387717be73a1eefc8c31e522269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar437D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
193KB

MD5
cb962fcebf48e120fdb9d3d7d67ce92e

SHA1
8037c1f034b637addc9e84908cc53e5f385ca5df

SHA256
11577d21f91ade88f3c97bd3da7027d804462fdf959f7980316dda79b72a5887

SHA512
9074321644e2b82f6f61648b8885475c9f707ee9db7474e8b07d8f00448e69bf476fddf801ec5d249705e8487ddb27d14ac09239f1ac150151fcfaa4c51b350e

Download Submit
memory/3020-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/3020-11-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-12-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-9-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-4-0x000007FEF57BE000-0x000007FEF57BF000-memory.dmp

Filesize
4KB

Download
memory/3020-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3020-7-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads