Analysis
-
max time kernel
130s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 20:44
Behavioral task
behavioral1
Sample
malware_005D0000.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
malware_005D0000.exe
Resource
win10v2004-20241007-en
General
-
Target
malware_005D0000.exe
-
Size
164KB
-
MD5
890a58f200dfff23165df9e1b088e58f
-
SHA1
74e3d82f7ee81109e150dc41112cf95b3a4b5307
-
SHA256
5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
-
SHA512
2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
-
SSDEEP
3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9
Malware Config
Extracted
C:\Users\lnb2t8g7-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDE6B0E0A31A5F84
http://decryptor.top/FDE6B0E0A31A5F84
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: malware_005D0000.exe File opened (read-only) \??\N: malware_005D0000.exe File opened (read-only) \??\U: malware_005D0000.exe File opened (read-only) \??\V: malware_005D0000.exe File opened (read-only) \??\W: malware_005D0000.exe File opened (read-only) \??\Z: malware_005D0000.exe File opened (read-only) \??\F: malware_005D0000.exe File opened (read-only) \??\H: malware_005D0000.exe File opened (read-only) \??\J: malware_005D0000.exe File opened (read-only) \??\K: malware_005D0000.exe File opened (read-only) \??\L: malware_005D0000.exe File opened (read-only) \??\R: malware_005D0000.exe File opened (read-only) \??\T: malware_005D0000.exe File opened (read-only) \??\Y: malware_005D0000.exe File opened (read-only) \??\D: malware_005D0000.exe File opened (read-only) \??\B: malware_005D0000.exe File opened (read-only) \??\E: malware_005D0000.exe File opened (read-only) \??\M: malware_005D0000.exe File opened (read-only) \??\Q: malware_005D0000.exe File opened (read-only) \??\P: malware_005D0000.exe File opened (read-only) \??\S: malware_005D0000.exe File opened (read-only) \??\A: malware_005D0000.exe File opened (read-only) \??\G: malware_005D0000.exe File opened (read-only) \??\I: malware_005D0000.exe File opened (read-only) \??\O: malware_005D0000.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\li1.bmp" malware_005D0000.exe -
Drops file in Program Files directory 31 IoCs
description ioc Process File opened for modification \??\c:\program files\PingProtect.M2T malware_005D0000.exe File opened for modification \??\c:\program files\WaitInitialize.wav malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\lnb2t8g7-readme.txt malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock malware_005D0000.exe File created \??\c:\program files (x86)\lnb2t8g7-readme.txt malware_005D0000.exe File opened for modification \??\c:\program files\HidePublish.001 malware_005D0000.exe File opened for modification \??\c:\program files\TraceCopy.ppsm malware_005D0000.exe File opened for modification \??\c:\program files\CompletePublish.mpg malware_005D0000.exe File opened for modification \??\c:\program files\EnterRedo.zip malware_005D0000.exe File opened for modification \??\c:\program files\WriteAdd.asf malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\lnb2t8g7-readme.txt malware_005D0000.exe File opened for modification \??\c:\program files\ClearJoin.easmx malware_005D0000.exe File opened for modification \??\c:\program files\MeasureUnregister.mp2v malware_005D0000.exe File opened for modification \??\c:\program files\OpenApprove.dwg malware_005D0000.exe File opened for modification \??\c:\program files\SplitExport.kix malware_005D0000.exe File opened for modification \??\c:\program files\WriteProtect.ttf malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock malware_005D0000.exe File created \??\c:\program files\d60dff40.lock malware_005D0000.exe File opened for modification \??\c:\program files\LockUse.pdf malware_005D0000.exe File opened for modification \??\c:\program files\SearchUnlock.nfo malware_005D0000.exe File opened for modification \??\c:\program files\ShowMeasure.mov malware_005D0000.exe File created \??\c:\program files\lnb2t8g7-readme.txt malware_005D0000.exe File opened for modification \??\c:\program files\RestoreMerge.ogg malware_005D0000.exe File opened for modification \??\c:\program files\UnblockUnregister.wmv malware_005D0000.exe File created \??\c:\program files (x86)\d60dff40.lock malware_005D0000.exe File opened for modification \??\c:\program files\InitializeExport.vstm malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock malware_005D0000.exe File opened for modification \??\c:\program files\FindMeasure.mht malware_005D0000.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\lnb2t8g7-readme.txt malware_005D0000.exe File opened for modification \??\c:\program files\UnlockCheckpoint.search-ms malware_005D0000.exe File opened for modification \??\c:\program files\UnregisterRemove.iso malware_005D0000.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-sakkalmajalla_31bf3856ad364e35_6.1.7600.16385_none_fb8092e2c0173c39.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_05b98a45d5a86346_dwmcore.dll.mui_ebf60d96 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_49429473d09ea38c_comctl32.dll.mui_0da4e682 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06eae3639ce15ec1.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a7b0ad52b3bcfdb6_wsock32.dll.mui_18b23987 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-imm32_31bf3856ad364e35_6.1.7601.17514_none_c4d0cdd7c56b493e.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winload.exe.mui_3bc5b827 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a8710044c87a79a8_dwmcore.dll.mui_ebf60d96 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_6.1.7601.17514_none_515e96306dea528f.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_62d4dbcb5565c19c_scksp.dll.mui_05f14191 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_it-it_12c3c2213e4d32d4.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1474adc65759a4dd_oleres.dll.mui_ff00d4cb malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_a77de2d787af8188.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega40737.fon_5e5746b1 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52_mdminst.dll.mui_19a87063 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0a2f4680d5ae26b7.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_231366a72d1cda71_dnsapi.dll.mui_97465f8a malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d_sdbinst.exe.mui_258ad624 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_934ef25796a1b53e.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-microsoftsansserif_31bf3856ad364e35_6.1.7600.16385_none_850ef67c61bbadb6_micross.ttf_b13ae9de malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_48bc807ccad80bf9.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e237947b2c7fb685.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_01d05823a99ac86b_certcredprovider.dll.mui_b5ad161e malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5ab11565b7c2b91.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_c622c1b2dbc95119.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_brdgcfg.dll_9efdd2e3 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_es-es_57456b8ac702a51c.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_en-us_14569492a0cb0c5e_samsrv.dll.mui_32250491 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba5be41f9553aeb3.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11_prflbmsg.dll.mui_4caa0054 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_84c970b54d5773ed_cliconf.chm_12e2bd62 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_517d915ca0c7b0ce_w32time.dll.mui_b382d4b4 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.1.7601.17514_none_ec7854d0f990441d.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_b995c74af473511b.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhctrl.ocx_38c869db malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_63ed8c3a00aad07b_credui.dll.mui_34721171 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1421f176a0f1fe03.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02e9e13998201d43_erofflps.txt_649e76ed malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cef288146d0ec16c_psbase.dll.mui_c28690ab malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d_apphelp.dll.mui_59096153 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-efs-util-library_31bf3856ad364e35_6.1.7600.16385_none_46efb78b042229ec_efsutil.dll_19519f5a malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_618833a5b4f8d33b.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ee32fccf7f23c0c0.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_efb448111f69bd7c_basecsp.dll.mui_04bea7ac malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_de-de_766749e698668441.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_38b2b0e8fba01a4b.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f5d83b1064d90ccb.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3c186b53d67e9899_explorerframe.dll.mui_074caeb5 malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a_ikeext.dll_3ac4406c malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e92c2c565299ae13.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_91cbec40d69be922.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpcsvc.dll_8155446a malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c62fc9b9abd00916.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ca5f33128c54b8a1.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6084741c7167c84b.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fffad235455db1eb_provsvc.dll.mui_3a2926ae malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d72a84d3502b0701_consent.exe.mui_2eb3b9db malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c464d2bacfbc42a4.manifest malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4e286816448a8f66_bootmgr.exe.mui_c434701f malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8_bootmgfw.efi.mui_a6e78cfa malware_005D0000.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d2ef62bea869408.manifest malware_005D0000.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malware_005D0000.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2988 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 malware_005D0000.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 malware_005D0000.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe 1688 malware_005D0000.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 584 vssvc.exe Token: SeRestorePrivilege 584 vssvc.exe Token: SeAuditPrivilege 584 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2512 1688 malware_005D0000.exe 30 PID 1688 wrote to memory of 2512 1688 malware_005D0000.exe 30 PID 1688 wrote to memory of 2512 1688 malware_005D0000.exe 30 PID 1688 wrote to memory of 2512 1688 malware_005D0000.exe 30 PID 2512 wrote to memory of 2988 2512 cmd.exe 32 PID 2512 wrote to memory of 2988 2512 cmd.exe 32 PID 2512 wrote to memory of 2988 2512 cmd.exe 32 PID 2512 wrote to memory of 2988 2512 cmd.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe"C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2988
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:584
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
6KB
MD565e7562343457f767ad4ee8710baa55d
SHA1aa84df7905d3ffc30feb936b344866ec9f695f3d
SHA2569c17e500ef17ab6a491c997dfd8f60adf2644e3989d633c044bd2a131fd0d0c4
SHA5129bffe9a3b04e2e5922c8294fd997f123a283caccc099706f37b3a1626198eb96ac5eddda340d27bb20a263252156ebbac9df0ea84760ffb98ac3d3903330a45d