sodinokibi | b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
287s
max time network
304s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encoder3.exe
Size

164KB
MD5

7518ecf9cd7d3f204de349103bd95c54
SHA1

417df7e036285c9409affa1e9bef8634d8994869
SHA256

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
SHA512

71a181e597a5d9eae8ccd22683b650039f2506ba502b44a2da4f786e8884a1538603df9ab57d19c78d9777cb8f643ec78439346c32611776984acc569dbaba32
SSDEEP

3072:FHixaVZFiOCDJtOicNDWEzZQjnS2C/vbgnB:FHigLF5CCj5zZQDV0bq

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\8615eeb78wWannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 8615eeb78w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E906A35CB2ABC1B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0E906A35CB2ABC1B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gQ4oWCKJKQAn9tvXFUNHRYJgtXhavhIG/Q226IAAS1MMnPydK28nkHUZOvmMKt6i fXHVuhdQxtSmxXtadTkqzU7hVrynB+2wuobCAGgjMs1k9qeppQexulROBSf7p0Yv dqL6viAO74cj8n/aJhbCNpitD4L7EnRz1Xh0b6DhhIJa8aJzJmSTZAl7UhUmAVZc wwnu+7FcwipI/XEO+PqBoPIQk5Q89aba6vzk6IXwxzoblrnwK9h8M66H5bYj+iHd ir4R1QeGGBFIzr9tnRCDpdhi1w0R04/Uv0U/hJUABneLL5yu5A2L+6HnBjRzCrnb M0O+BfSnIVumxuBfF5laxYSl+HIZCbzLHMpP8AwXK5naKfIPZkVK2iUK0CItuLos mKWPk1Gi72uMmnP1FS4zZHTaHj6VErc2FVQ/O8wLLE01uuRr3SoIm7P1CSN97k1Q NuC+4NCN9tbURxbUr3U+Y7zC5M/aObQvouzxQPhQrBVC2u0dLvNT1UM8GxXq1ec6 mP0XVgPV6zH+HlV8j02+K5HtZsCiCdgDMGXoKjD7wBxlzuJ5PexwXbUy3suyfpnP 23hq26cm1RhQAU4S9e/Ym0XbcmyZUZ5vYNoz78/eEqenbxN4N4Q4qBlknbxYwI29 fosu0HNfkCvGQBigRGYpLDKJKCCaVnjEuc2KGP7FnJIqDqPwdJtNQO/kiObL2Eia sjJYX5wkjoGDfwANSS487wOCalGobwesbUwq1r5LLKo9kDPUOXe0ABYeoLVd5d6W UEGV9M4+0/urd8yA2w02ROulVjqga9ImC/zyw5vJMP0f/XBrvN7TXTEEX6K6kCxV 646VxYjEHoAa0dLN5onty+7WlLbRKH6dZ2Zde1I98rQ5rvZnH38bDTmAojBOSUhO lDjWKk7o+gU3HSrOSoVe4KW58a4xYJTDiTicRxKnDMKJmYtO3q7xOupVSrp138XT jJYeE9UcAdjDnSRcsAz98pX27P8iz1EbxqjQidl/6JOQxVgs6FttPNzuPINo6OD9 PYqWuDjOpQ+s1AjKSx420wohHr8n3Snh0WvPUWP3AsQxO49cxUqnnfbo//fjUT/M OQLtPHuq6aYdPjW516DmfcLUKCQEThhA5B9Zhm3vZkMz/6iaKlzmOXEyWt3tN1cJ xHf8/0KlM9DwKhKpTNCygyn1/ktw3652RDlVI6e+L2smEjCJJ6sbbFAHzlVN2ZtJ bCdzvjI1HVHM0S6G2LB3oAmXdVI= Extension name: 8615eeb78w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E906A35CB2ABC1B

http://decryptor.top/0E906A35CB2ABC1B

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

encoder3.exe

description	ioc	process
File opened (read-only)	\??\R:	encoder3.exe
File opened (read-only)	\??\S:	encoder3.exe
File opened (read-only)	\??\U:	encoder3.exe
File opened (read-only)	\??\X:	encoder3.exe
File opened (read-only)	\??\Y:	encoder3.exe
File opened (read-only)	\??\F:	encoder3.exe
File opened (read-only)	\??\I:	encoder3.exe
File opened (read-only)	\??\G:	encoder3.exe
File opened (read-only)	\??\J:	encoder3.exe
File opened (read-only)	\??\K:	encoder3.exe
File opened (read-only)	\??\B:	encoder3.exe
File opened (read-only)	\??\M:	encoder3.exe
File opened (read-only)	\??\N:	encoder3.exe
File opened (read-only)	\??\O:	encoder3.exe
File opened (read-only)	\??\P:	encoder3.exe
File opened (read-only)	\??\T:	encoder3.exe
File opened (read-only)	\??\V:	encoder3.exe
File opened (read-only)	\??\L:	encoder3.exe
File opened (read-only)	\??\E:	encoder3.exe
File opened (read-only)	\??\H:	encoder3.exe
File opened (read-only)	\??\Q:	encoder3.exe
File opened (read-only)	\??\W:	encoder3.exe
File opened (read-only)	\??\Z:	encoder3.exe
File opened (read-only)	\??\D:	encoder3.exe
File opened (read-only)	\??\A:	encoder3.exe

Drops file in System32 directory 1 IoCs

Processes:

encoder3.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt encoder3.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	encoder3.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

encoder3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kxd0h.bmp"	encoder3.exe

Drops file in Program Files directory 37 IoCs

Processes:

encoder3.exe

description	ioc	process
File opened for modification	\??\c:\program files\SendDeny.mpeg2	encoder3.exe
File opened for modification	\??\c:\program files\UseInstall.midi	encoder3.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\8615eeb78wWannadie.txt	encoder3.exe
File opened for modification	\??\c:\program files\InitializeShow.docm	encoder3.exe
File opened for modification	\??\c:\program files\MoveSave.pcx	encoder3.exe
File opened for modification	\??\c:\program files\ResetSync.emf	encoder3.exe
File opened for modification	\??\c:\program files\SelectSkip.tif	encoder3.exe
File opened for modification	\??\c:\program files\ConvertFromCompress.xps	encoder3.exe
File opened for modification	\??\c:\program files\NewRestore.TS	encoder3.exe
File opened for modification	\??\c:\program files\UninstallConvertFrom.ppsx	encoder3.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\8615eeb78wWannadie.txt	encoder3.exe
File opened for modification	\??\c:\program files\CompareStart.scf	encoder3.exe
File opened for modification	\??\c:\program files\NewLock.rle	encoder3.exe
File opened for modification	\??\c:\program files\PushPop.mpg	encoder3.exe
File opened for modification	\??\c:\program files\ResolveStart.ico	encoder3.exe
File opened for modification	\??\c:\program files\ResetNew.ppt	encoder3.exe
File opened for modification	\??\c:\program files\RestorePing.fon	encoder3.exe
File opened for modification	\??\c:\program files\UpdateNew.vsdx	encoder3.exe
File opened for modification	\??\c:\program files\DenyConvertTo.xps	encoder3.exe
File opened for modification	\??\c:\program files\FindResume.wpl	encoder3.exe
File opened for modification	\??\c:\program files\PushUndo.mpp	encoder3.exe
File opened for modification	\??\c:\program files\ReadEdit.mpg	encoder3.exe
File created	\??\c:\program files (x86)\8615eeb78wWannadie.txt	encoder3.exe
File opened for modification	\??\c:\program files\ConvertBackup.wav	encoder3.exe
File opened for modification	\??\c:\program files\FindDisable.xht	encoder3.exe
File opened for modification	\??\c:\program files\TestLimit.htm	encoder3.exe
File opened for modification	\??\c:\program files\WatchResolve.png	encoder3.exe
File opened for modification	\??\c:\program files\DisableRename.xlsb	encoder3.exe
File opened for modification	\??\c:\program files\ExitConnect.wax	encoder3.exe
File opened for modification	\??\c:\program files\JoinBlock.jpeg	encoder3.exe
File opened for modification	\??\c:\program files\MoveExpand.asx	encoder3.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\8615eeb78wWannadie.txt	encoder3.exe
File created	\??\c:\program files\8615eeb78wWannadie.txt	encoder3.exe
File opened for modification	\??\c:\program files\ExportWatch.xla	encoder3.exe
File opened for modification	\??\c:\program files\RepairDismount.mp3	encoder3.exe
File opened for modification	\??\c:\program files\RestoreExport.png	encoder3.exe
File opened for modification	\??\c:\program files\InvokeCopy.dot	encoder3.exe

Drops file in Windows directory 64 IoCs

Processes:

encoder3.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_f6dafd66fdb9c254.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi-painting_31bf3856ad364e35_6.1.7600.16385_none_d360c9c235bd1868_mf3216.dll_8fba6fd3	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ed2f3d463b92b5d0_listsvc.dll.mui_27f0fc85	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_6.1.7601.17514_none_ca4f304d289b7800.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_de-de_44c5489bf5781bbc_mdminst.dll.mui_19a87063	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34be759892c77101_dwmcore.dll.mui_ebf60d96	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7002897809b71b0c_dnsapi.dll.mui_97465f8a	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_b18e5ca4be201fbf.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b97e2a0cf19a74b_hh.exe.mui_2744e397	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sr-..-cs_73d552d28e4165e3_comdlg32.dll.mui_ac8e62f4	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_accc80812c85f01f_dhcpcsvc6.dll.mui_b45c7567	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-feclient_31bf3856ad364e35_6.1.7600.16385_none_beb0674eb8e86a51_feclient-ppdlic.xrm-ms_690f532f	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallee.fon_f45d00ca	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7601.17514_en-us_7113e0d248e375bc.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mup_31bf3856ad364e35_6.1.7600.16385_none_08e73ad57234cf5f_mup.sys_ea6a9c41	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18633fbb02ac1dfc_netlogon.dll.mui_ecbeb9bd	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_53d84073101f061e_iscsidsc.mfl_20ed5374	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24f0d0f9c3af26a9.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7fe9ec9f7f467dd.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_de-de_694f3c78860517ad.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_it-it_16373efc6d49a7e0.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6e9ba25f21709c15.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14400aaa57809682_ole32.dll.mui_5035d60a	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app932.fon_e93b0656	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-720_31bf3856ad364e35_6.1.7600.16385_none_2ae4fd74b4dd3f24_c_720.nls_c0c94414	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6bafe41ed67f87e5_esent.dll.mui_e30e3b90	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fcb925a71347245.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e_user32.dll.mui_14652dbb	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.17514_none_8a90facfa04322fd_schannel.dll_7364eaa8	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_77f9a2307a488167_msimsg.dll.mui_72e8994f	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_de-de_fc571f848681e778_msimsg.dll.mui_72e8994f	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b_newdev.exe.mui_6ce4084e	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d7cf58e8c6d01cfa.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e15c2094ca55f651_iscsicli.exe.mui_64c0a23c	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_39f81956d5a8018f_ntmarta.dll_cd048e61	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rascfg.dll.mui_0b036e1f	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f3e1442ff9f968b0_shsvcs.dll.mui_b69fccab	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_de-de_cbb7ab3e0c08b4c7_wuaueng.dll.mui_297f975d	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_e688c09ad25cd01b_comdlg32.dll.mui_ac8e62f4	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-installer-handler_31bf3856ad364e35_6.1.7600.16385_none_3acf7ac36580942c_msihnd.dll_f541a087	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9802324a8a1458f5_msimtf.dll.mui_e40b8b25	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da98436802c4e6bb.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_es-es_22a4d52071836cc1_wudfplatform.dll.mui_d815d31a	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c08b90a4bb1ab825_spp.dll.mui_42138158	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca302e6ca7955c8f.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7601.17514_none_59fd7093dccb4652_activeds.tlb_662648dd	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_de-de_e07f4824fddc38e6.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_6.1.7601.17514_none_76234513809272a3_sccls.dll_921efb66	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_53b2bc0371bdfaf0_rasauto.dll.mui_12fa2c50	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_99076bac95fbcc5d.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80e9298bf792ff3e_kernelbase.dll.mui_16288a65	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7063688072591d4_irclass.dll.mui_c67cedc8	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a0ecdb6b28479a55.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d586284d0a31a5e5.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-utsaah_31bf3856ad364e35_6.1.7601.17514_none_8a6cbec4ba3b0202_utsaahi.ttf_0df5fad5	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_86a68a63a4aaf841.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_949ca950b4247d26.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541_devobj.dll_89511196	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_300f28a13d812fbe_kernel32.dll.mui_c29170cd	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0eb241dcc51f079_adtschema.dll.mui_208d0981	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-950_31bf3856ad364e35_6.1.7600.16385_none_2ad25e7ab4eac30b.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac553040a56eff44.manifest	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vdsutil.dll_f2ef43cf	encoder3.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8f94aa63624b0ac8_wer.dll.mui_e68ddae7	encoder3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

encoder3.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language encoder3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	encoder3.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

encoder3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	encoder3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	encoder3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	encoder3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	encoder3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

encoder3.exepowershell.exe

pid process

2728 encoder3.exe
2684 powershell.exe

pid	process
2728	encoder3.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeBackupPrivilege	2700	vssvc.exe
Token: SeRestorePrivilege	2700	vssvc.exe
Token: SeAuditPrivilege	2700	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

encoder3.exe

description	pid	process	target process
PID 2728 wrote to memory of 2684	2728	encoder3.exe	powershell.exe
PID 2728 wrote to memory of 2684	2728	encoder3.exe	powershell.exe
PID 2728 wrote to memory of 2684	2728	encoder3.exe	powershell.exe
PID 2728 wrote to memory of 2684	2728	encoder3.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encoder3.exe
"C:\Users\Admin\AppData\Local\Temp\encoder3.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\8615eeb78wWannadie.txt

Filesize
6KB

MD5
c59954d3b1a9ccb223e27dd4d78aa7e4

SHA1
e20d46c5befc5edb4e6a3da4a0f8d788c1fd43c2

SHA256
b9387ff81ce270cb88bb918fe8bb28d2db4946435cc4672fcaf84d389b9c6869

SHA512
2d58b9582965c39f377b091e53fa439a561d79752257e7c9f11105aa57e6b54818aa5ea9648a136c88a1a7ed414f0d1531fbd721150ab615f85efd7f8d6de05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFC3C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar94A6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
4666c90c9b5997c057e5787b1dbefeef

SHA1
315715466d6761c4255563a8b4e23596ea42f7b3

SHA256
f191bf8d155bab301e052fb85c6f0eb5f34bcda468c603361532aa3ad64302d4

SHA512
91385abbc4559356684c4020a736854f97299075f6536c0604725d6a8a822259f04cede1a8ef34238bc857fd06b8aadc059aea73b7126b171f51f3905f46d66e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2684-7-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-10-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-11-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-9-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-8-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-4-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/2684-6-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2684-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download