sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Resubmissions

05-02-2025 10:43

250205-msf7rssqgy 10

13-12-2024 20:44

241213-zjezkaznfp 10

Analysis

max time kernel
280s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_005D0000.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\zp959-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion zp959. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA4E63C223FAD034 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/EA4E63C223FAD034 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: bc2CI3WSK/I0/7xWjLDpRIG/ebPGL668XeNMqq4mKAgY6ElvZ0U3lorJWRVYijjq 092p4zQ60Z3AKuvWW+KZw6CEk5O1HMH2c6TvmcXSFl1uCIgYsN223zJiDVmIiGdk J19kFNRZwvTmeCRfj+/eFaN7pgiIMvI/l8+PWlkDBYJ5R6O0b52pvtF83B+rvkI8 4muGfNiJIPlAWQa32mhkw2KZsbbrNzfqIphXL0AXnixLKgPBPmiTfZSKvfMju+om YL7nmzDD9Sl8p2FydxjsYOOSacR+flgD9V4JQwf1Q75OjCxzDRomN8xdDe5yEDnr Q+ZSI74Dc50lYVpHA6hNfGeokdanLIDvJljaL+jmV7BE2u4Tvf0szZ/+gpli3kjk ML9uAFjbNkq2hPLoUvqZs7A1GGYstDPaAzVe9jVaOVFvZQ9LVzWxfMCne6iuQpU2 APUPQei7NCMOXwxAhYMX1MHRq4ZRzARFCvZQPHg4XPK23YMceoSo3t9l7GS5Z94d fa/39wtuwYHlPJdxxXmFO89Z3pWmaUCip+B8C940n9gpuchUfFfwREuZ40WUPt2d J6i/uGw87a3j/rMLjxnFR1a4+gN7jKgCj0ziPf7YKC+7QAAJX4wb52LqT0HMv6CJ YOKiNP9mZddox1TjePNMJMhVmcBi6pbIT0G52ZTFzlB0I5ZkvVToVOGiHovYZWbO MxIoYZQl6jh+tctZBREWQx2kFCtPI/cFkdwfwPnUyyBo+Kr00iycU0eLUsc7io5Q gohD6WBVaObbZVod4VieEOw7s58uTOOng8LBiLp5rLy5xaoX5ikKwVH0RVcYD2CI QKsCLv4g8jPrc8TJpuhSzr1o0Xnuy76YXaG8alLk0d/uwOlmPEeO1eJojbT8r1U2 0FNH8Q8o9Ld1YH4Ol0dM2E1w7TsCaTxfSt8QehvPv6yxh53nngBRI+yI2Ti9qd2/ Vp639Z+sFBDQsgVx039CcllgpkLQPfxblw/5RM9vjzIwV+tRrDDbz9/ty1WXXj/O aOtLlNyH71kPyvl0TMRhv/55TD9kiGNlDexcz2col+ddDI8DPyuYDCK6xoFAuQaZ uxGyd4lwsjQssDy9AyjNEkFMiFf/mdwEzNUTeWaArkh3A6I4rKt2weCYo2F4xGC1 mODgsRiAq2Q7z5XHmcjUJWJ37uzuv+1VwgbS/Bi1d+nUk2k3asDzCVstL61qAPlZ GIwm3L2xkxUlCxBI Extension name: zp959 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA4E63C223FAD034

http://decryptor.top/EA4E63C223FAD034

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	malware_005D0000.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	malware_005D0000.exe
File opened (read-only)	\??\F:	malware_005D0000.exe
File opened (read-only)	\??\G:	malware_005D0000.exe
File opened (read-only)	\??\I:	malware_005D0000.exe
File opened (read-only)	\??\J:	malware_005D0000.exe
File opened (read-only)	\??\Q:	malware_005D0000.exe
File opened (read-only)	\??\R:	malware_005D0000.exe
File opened (read-only)	\??\V:	malware_005D0000.exe
File opened (read-only)	\??\W:	malware_005D0000.exe
File opened (read-only)	\??\Z:	malware_005D0000.exe
File opened (read-only)	\??\B:	malware_005D0000.exe
File opened (read-only)	\??\L:	malware_005D0000.exe
File opened (read-only)	\??\O:	malware_005D0000.exe
File opened (read-only)	\??\S:	malware_005D0000.exe
File opened (read-only)	\??\T:	malware_005D0000.exe
File opened (read-only)	\??\D:	malware_005D0000.exe
File opened (read-only)	\??\U:	malware_005D0000.exe
File opened (read-only)	\??\A:	malware_005D0000.exe
File opened (read-only)	\??\E:	malware_005D0000.exe
File opened (read-only)	\??\H:	malware_005D0000.exe
File opened (read-only)	\??\K:	malware_005D0000.exe
File opened (read-only)	\??\N:	malware_005D0000.exe
File opened (read-only)	\??\M:	malware_005D0000.exe
File opened (read-only)	\??\P:	malware_005D0000.exe
File opened (read-only)	\??\Y:	malware_005D0000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74x3y806dd1.bmp"	malware_005D0000.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\UnblockExport.mov	malware_005D0000.exe
File created	\??\c:\program files\zp959-readme.txt	malware_005D0000.exe
File created	\??\c:\program files (x86)\zp959-readme.txt	malware_005D0000.exe
File opened for modification	\??\c:\program files\MergeSplit.doc	malware_005D0000.exe
File opened for modification	\??\c:\program files\RemoveProtect.easmx	malware_005D0000.exe
File opened for modification	\??\c:\program files\ResolveRestore.dwfx	malware_005D0000.exe
File opened for modification	\??\c:\program files\RestoreAdd.pcx	malware_005D0000.exe
File opened for modification	\??\c:\program files\TestReset.zip	malware_005D0000.exe
File created	\??\c:\program files\d60dff40.lock	malware_005D0000.exe
File created	\??\c:\program files (x86)\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\DenyLock.mp2	malware_005D0000.exe
File opened for modification	\??\c:\program files\EnterLimit.mpe	malware_005D0000.exe
File opened for modification	\??\c:\program files\InstallExpand.m4v	malware_005D0000.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.19041.546_none_597fc8a7ee70e8c9_ntmarta.dll_cd048e61	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ar-sa_4244e753a064bf19_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_de-de_0001043e8ed2b2d9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_da-dk_7f2a1321ccbad7ec_msimsg.dll.mui_72e8994f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_de-de_848402175f135dad.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_8af479c5386ed751.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded_bootspaces.dll_5d79a0db	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.19041.844_none_f5f48bc2c8c3f7a0_scdeviceenum.dll_01ce0fa9	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_db8a38e9e99bc04d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.1288_none_d7f32f1de5be2a2a_ntdll.dll_ae4ef39c	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1266_none_fc46bc5d51913141.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.906_none_65e76b262ba5060e.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde_fontsub.dll_367a1189	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5b5a0fc040a75c4e_winresume.exe.mui_ff8b5358	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_es-es_2511db3abd9629f0_msimsg.dll.mui_72e8994f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tm_31bf3856ad364e35_10.0.19041.1202_none_c1d5764939090b5e_tm.sys_d7defcbe	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_34114e40f674dea5_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2a26e680672acb82_wininit.exe.mui_997435f5	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8aee78c9c9067008.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.264_none_1aca864646957638_wiatrace.dll_dfb4e972	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f152ce0e82a41ba_srpapi.dll.mui_2693a558	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opinstallcomponents_31bf3856ad364e35_10.0.19041.662_none_d0ad3eafc6e540ad_umpnpmgr.mof_112f9e6c	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.264_none_7f6ca9c048dc8aa4.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded_bootuwf.dll_c8bed798	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog_31bf3856ad364e35_10.0.19041.1266_none_518a2f9fc80a85ad.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_vgafixe.fon_dea8b251	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.standbyactivation.ppkg_21aafe77	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.display.ppkg_7381929e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_58e8f7e62ee6159d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_72e4e16994b25d0f.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1288_none_5961108733e967c9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_de-de_a4ec8a1390c7dcbf_shsvcs.dll.mui_b69fccab	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.19041.264_none_7f83f8425d6002aa.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.264_none_53476533f18dc602.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.19041.488_none_77bf24d746c4ccde_raspptp.sys_25e89db1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_176364e83131332c_ncprov.dll.mui_40240de1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_cs-cz_880ae1a68c30b37b.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_310330998a8ba7fa_samlib.dll_caeebf04	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.19041.1_none_aff3f19b6dcf2d79.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_f172b704a150188c_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.storage.ppkg_960e5b21	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c68aa74741937c24_userdeviceregistration.ngc.dll.mui_d2c6ca95	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_qps-ploc_2b765c956db488cf.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_59dedd2b6ac5922c.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_es-es_30fd7ead5bbfd3f0_rtm.dll.mui_55e4e990	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6c2a09eceb1bb17b.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.84_none_ae156ee654cf8c31.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4fc41e05a1187ab0.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_e0f84b0cde8f6c39_credprov2fahelper.dll.mui_71e4ecb5	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiutils.dll.mui_42583eaf	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.546_none_11ab5f5f99fc8eda_cryptsp.dll_ae5341e1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_it-it_a83e66a954bae1fd.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.264_none_b56eb776009e9963.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1aebdebe097e4aa4.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_43bc59294854e061_dsreg.dll.mui_5d9efc7e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsitargetportal.cdxml_98b1c4de	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_en-us_f55c02126ffbdd03.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.1_none_879fcda0791faba1.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_lt-lt_ef598ca8aecfa1ed_bootmgr.exe.mui_c434701f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129_winresume.exe.mui_ff8b5358	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-imm32_31bf3856ad364e35_10.0.19041.546_none_3a4f6516d93a4779.manifest	malware_005D0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malware_005D0000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1812	malware_005D0000.exe
1812	malware_005D0000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1872	1812	malware_005D0000.exe	89
PID 1812 wrote to memory of 1872	1812	malware_005D0000.exe	89
PID 1812 wrote to memory of 1872	1812	malware_005D0000.exe	89

C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe
C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe TSKILL 0 /malware_005D0000.bin
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\zp959-readme.txt

Filesize
6KB

MD5
c325aac106f27d81f105070bcb75a8a9

SHA1
63c63b32b6fc85d0546b95db6b0df996217cdfaf

SHA256
e505204eb6077129822f4acbf56071b4da08ae7954cca995b5821a5920b96c9a

SHA512
d7cc5dcd687444b25a673e6a0ceceebe413e86ee218ce323b5458c3cb33c068ed60a557132fbe50ac7e826d938fce7a4f8e8cbc64a19d43c3db3a1488ab71957

Download Submit