sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Resubmissions

28/03/2025, 16:40

250328-t6ttcayvgx 10

25/03/2025, 14:22

250325-rpte5s1lt4 10

05/02/2025, 10:43

250205-msf7rssqgy 10

13/12/2024, 20:44

241213-zjezkaznfp 10

Analysis

max time kernel
118s
max time network
119s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_005D0000.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\33q61-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 33q61. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E804B933CC2BF58 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9E804B933CC2BF58 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: xhxl7rFm6uVjw8ZN5AAXSN412c7GoeXELvapwi0uwZLPStyZ11QZo4JsmXEdJKBc Srz8jqN7dyCyaJIlawjnqL35FfR4WMZxMtBstVMVPAmY03pjHWDihoIGoG49n1HM l3VdQv4jq7tb+bean0PMEzTv3Rdj/u8Mi7P1BEmibijxRbOLRx/qBH3hgjiO5LSe YAvyvhJIJcVXG/vrDHyf2JxgS8yLPRI3H7XgAiMELbArZJAztkqOEhKbeoBW94Zo 6LlRXRhIr9SIq/a8Gwlfs2fnNW0sdnR2B4kod9wKsjB/OnXlkuGwip/dSKUHIb6P yS2T1bGU7XcTDXwR26VlK8yrpc3Dpo1QVdDdDNtukgtm4aRN5G1OWqaZUMuW+5W+ P1jbR7KW7tgkYonujOdCctm76mHKFQWnT3fdJB42sjn9qUXtiTcTokDCEWPeaOtw ETS/irfg0La3Gs6x+QdWCFcPhG9nRtOPRIkogCFfwFuZPJR6MF4iBynAiClM73Xj N8e7/7ha6QfthUhFA4MCGChSsmrzgxWvW0TZn//zF9hIvoFzzsGxyYs8f09hGqob wOGSVMACrvCITcj0sQv74mFA3kg299bLjkYOrHiYwnkomaUuNTDOUyDL1vBI1NDu fO9eVY5ZhDw4A/kyRmMYihQMYcMITrkHvhT5HoEB38QMJywcwL73oz+tGNhSsYa2 fKTyQWor9Dh8k1xxfSc8b/k/8kjKESw6xj46KRye3Hu9earAf8T3sCIGNxwR8zXT 1RnEkpcKY6aOW7flwjF95NosDRloCcuT9dcuXEtkoKNaCp6E7vNxOuc6/WPKUIHD nZo8EnueiOcgBvKlqWwor6r2bKdOI3Zysdjf4tHMMyx5JlSI4damB+g9iAuInqqw cpGNvIc9DGFa0splrcyUs++j2eIPe7snneO88vPWct1vM9DtI1p4cfOaJ9x44PDY fLCWR/Y8Ww2xXf+pSvaYJlCocscNM+lnLhkCXD9Q4wenLO3oHQvZ209/gF1iw7k0 BmWrFgBt/GE839F61LjEd6A86E518Mg584K9bA7klSdZfdwsqpqjSva9HHQS6lnT d7lUrDETyHjg5DP4zBNYT56mjklJETMjkI1BNB6eIdxq7HeWwj6zHzb8Jors8nDW e9XmG4Yo0nyxT4HLEMaiegkQ02VjJeI91KslHBNoqvCanJRpBRBUXEIceXyrjpdn T8Q74kr7Z1jGWfJp Extension name: 33q61 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E804B933CC2BF58

http://decryptor.top/9E804B933CC2BF58

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	malware_005D0000.exe
File opened (read-only)	\??\T:	malware_005D0000.exe
File opened (read-only)	\??\V:	malware_005D0000.exe
File opened (read-only)	\??\X:	malware_005D0000.exe
File opened (read-only)	\??\Y:	malware_005D0000.exe
File opened (read-only)	\??\P:	malware_005D0000.exe
File opened (read-only)	\??\Q:	malware_005D0000.exe
File opened (read-only)	\??\I:	malware_005D0000.exe
File opened (read-only)	\??\M:	malware_005D0000.exe
File opened (read-only)	\??\D:	malware_005D0000.exe
File opened (read-only)	\??\F:	malware_005D0000.exe
File opened (read-only)	\??\N:	malware_005D0000.exe
File opened (read-only)	\??\O:	malware_005D0000.exe
File opened (read-only)	\??\U:	malware_005D0000.exe
File opened (read-only)	\??\Z:	malware_005D0000.exe
File opened (read-only)	\??\A:	malware_005D0000.exe
File opened (read-only)	\??\B:	malware_005D0000.exe
File opened (read-only)	\??\H:	malware_005D0000.exe
File opened (read-only)	\??\J:	malware_005D0000.exe
File opened (read-only)	\??\K:	malware_005D0000.exe
File opened (read-only)	\??\L:	malware_005D0000.exe
File opened (read-only)	\??\S:	malware_005D0000.exe
File opened (read-only)	\??\W:	malware_005D0000.exe
File opened (read-only)	\??\E:	malware_005D0000.exe
File opened (read-only)	\??\G:	malware_005D0000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e975.bmp"	malware_005D0000.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\33q61-readme.txt	malware_005D0000.exe
File opened for modification	\??\c:\program files\AddOut.aif	malware_005D0000.exe
File opened for modification	\??\c:\program files\ClearHide.mhtml	malware_005D0000.exe
File opened for modification	\??\c:\program files\EditProtect.ppsx	malware_005D0000.exe
File opened for modification	\??\c:\program files\EnableFind.crw	malware_005D0000.exe
File opened for modification	\??\c:\program files\EnableUnregister.TTS	malware_005D0000.exe
File opened for modification	\??\c:\program files\OutMove.tif	malware_005D0000.exe
File opened for modification	\??\c:\program files\StopConnect.fon	malware_005D0000.exe
File opened for modification	\??\c:\program files\CompareOptimize.vsdx	malware_005D0000.exe
File opened for modification	\??\c:\program files\PingReceive.ogg	malware_005D0000.exe
File opened for modification	\??\c:\program files\ProtectImport.fon	malware_005D0000.exe
File opened for modification	\??\c:\program files\RemoveRegister.png	malware_005D0000.exe
File opened for modification	\??\c:\program files\SelectDisconnect.xls	malware_005D0000.exe
File opened for modification	\??\c:\program files\StopSet.bmp	malware_005D0000.exe
File opened for modification	\??\c:\program files\DisconnectCompress.wmv	malware_005D0000.exe
File opened for modification	\??\c:\program files\GrantLimit.emf	malware_005D0000.exe
File opened for modification	\??\c:\program files\UnprotectInstall.mp3	malware_005D0000.exe
File opened for modification	\??\c:\program files\MoveUpdate.au	malware_005D0000.exe
File opened for modification	\??\c:\program files\PushGrant.odt	malware_005D0000.exe
File opened for modification	\??\c:\program files\RenameInvoke.xsl	malware_005D0000.exe
File opened for modification	\??\c:\program files\ResumeBackup.dotx	malware_005D0000.exe
File opened for modification	\??\c:\program files\SuspendUninstall.wmv	malware_005D0000.exe
File opened for modification	\??\c:\program files\UninstallLock.kix	malware_005D0000.exe
File created	\??\c:\program files\33q61-readme.txt	malware_005D0000.exe
File opened for modification	\??\c:\program files\DisconnectSkip.jpeg	malware_005D0000.exe
File opened for modification	\??\c:\program files\UnblockMount.edrwx	malware_005D0000.exe
File opened for modification	\??\c:\program files\UndoMeasure.potx	malware_005D0000.exe
File created	\??\c:\program files\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\WriteSet.fon	malware_005D0000.exe
File opened for modification	\??\c:\program files\CopyRestart.css	malware_005D0000.exe
File opened for modification	\??\c:\program files\InitializeExport.mpeg	malware_005D0000.exe
File opened for modification	\??\c:\program files\RegisterConnect.mov	malware_005D0000.exe
File opened for modification	\??\c:\program files\TraceInstall.sql	malware_005D0000.exe
File created	\??\c:\program files (x86)\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\HideDismount.xsl	malware_005D0000.exe
File opened for modification	\??\c:\program files\ReceiveRestore.asf	malware_005D0000.exe
File opened for modification	\??\c:\program files\SelectAssert.ogg	malware_005D0000.exe
File opened for modification	\??\c:\program files\ShowStop.js	malware_005D0000.exe
File opened for modification	\??\c:\program files\UnregisterUnpublish.xhtml	malware_005D0000.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_es-es_6b53dae8d8ddfcf3.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.22000.1_none_53a7ba91b32fb1a9_vga860.fon_07129997	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.22000.1_none_6ab2f68ac6259fcc_cga40866.fon_2c80a06e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32full_31bf3856ad364e35_10.0.22000.469_none_512e6ceaac88c254.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..em-extras.resources_31bf3856ad364e35_10.0.22000.1_en-us_b90b3bb33f439ac7_scarddlg.dll.mui_300ae9df	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_ec8c42c4162da8f6_scardsvr.dll.mui_5f6fb64f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.22000.1_en-us_5a9a6815e2fc3c68_wuaueng.dll.mui_297f975d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_ko-kr_3dc2a2f0886dd1c4_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.22000.469_none_9bbaeab88a05af56_driver.stl_8a4e6441	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.22000.434_none_889282df86c1d6bc_netapi32.dll_8b1e859a	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22000.318_none_ce876b9e12f802ea.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..ndactivitymoderator_31bf3856ad364e35_10.0.22000.1_none_35ecce41512043d5.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.1_tr-tr_a7d0184ea946a4c2.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_fi-fi_521c166ce2741823_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.22000.1_it-it_22595b5e9f92577d_webclnt.dll.mui_e8f04040	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_44af30e47628b65e_afd.sys.mui_ff192075	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.22000.1_vi-vn_1026b218b3bab51d_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.22000.120_none_ab9e7604c01ddcd5.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.22000.194_none_f52066aa53d44fb9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.348_lv-lv_358d84cb9426d912_bootmgr.exe.mui_c434701f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_e17f7bc9486fc671_fidocredprov.dll.mui_4ca89266	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_231ab56f82de16e5.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.22000.1_es-es_bbf13ec78d894ed9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.22000.1_none_e42a29f4d5e6e44d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.22000.1_sl-si_247416abdd8c4dbf.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.348_hu-hu_a8ae1885ca22dd32.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.22000.1_none_4709e8e306e61afd.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..em-extras.resources_31bf3856ad364e35_10.0.22000.1_de-de_101a65ba50658f02_scarddlg.dll.mui_300ae9df	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.22000.469_none_82c3e25221a5a628.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.22000.1_it-it_fa316d4dd0311f21_dnsapi.dll.mui_97465f8a	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_nb-no_265524256092fd80_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.22000.1_none_44d03112f42ebbff_bcrypt.dll_e2f091ac	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_45a97f7b4493ac0c_efssvc.dll.mui_03cc4e41	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.22000.1_uk-ua_18391f46132ca3b8.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.22000.1_it-it_e56b59c899f5955c_apphelp.dll.mui_59096153	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.22000.51_none_bae9d00ab4e255fe_windows.ui.xaml.inkcontrols.dll_523c865d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.22000.1_it-it_c20a9f5ccafd821c.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_bg-bg_c4d5f2e518b0fbcb.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-gb_abacf9bdf20a808f.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.22000.1_pt-pt_0faafaf6fbf89740_memtest.efi.mui_71e15c22	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.22000.1_none_642405877f385889_kmddsp.tsp_c999e400	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.22000.1_it-it_84ff4342bb72b7ff.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.22000.1_none_3b0bf3364e41c5b0_iscsisession.cdxml_9cd8900b	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.348_fr-ca_59b3e287ea9b743c_bootmgr.exe.mui_c434701f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.22000.1_cs-cz_c9d6a9aaa8dacd67.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_fbac9fe2a612e943_winload.efi.mui_35ee487d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.22000.469_none_14dc986178475884_power.settings.idleresiliency.ppkg_de8e690f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_958e679b2e9cb6c6_sppsvc.exe.mui_40875a72	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_1d003865a25774d9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.22000.1_en-us_ba05ba347fa53f17_userdeviceregistration.ngc.dll.mui_d2c6ca95	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.22000.1_none_1d9db370aa2a769b_msasn1.dll_e56dbc57	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_bff80d3f3e019371_rasautou.exe.mui_55686a97	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.22000.1_es-es_3ec805ca559db00f.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.22000.1_it-it_35f433a26311a315_w32time.dll.mui_b382d4b4	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcp110_31bf3856ad364e35_10.0.22000.1_none_4e4e92fdaa3fe2ce_msvcp110_win.dll_397cf9b6	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_6f5f2a8edbc5f1ea_winresume.efi.mui_f412814e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ype-segoeui_regular_31bf3856ad364e35_10.0.22000.1_none_cace965f9c24f7bd_segoeui.ttf_b39275ad	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.22000.132_none_a0a12e478fbe7df4_lsm.dll_ecbd5548	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.22000.434_none_e8fb63c940147335_advapi32.dll_9512793c	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.22000.434_none_9970f7600fde4333_kernel32.dll_ef9eca7e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_35d3a15237092502_mountmgr.sys.mui_71b54a25	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.22000.282_none_9b06b1e2dce2b324_dnsapi.dll_c81f5791	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.22000.348_lt-lt_f034dcec1001fd32_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_21dbdceef8e9ae1f.manifest	malware_005D0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malware_005D0000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5884	malware_005D0000.exe
5884	malware_005D0000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5884 wrote to memory of 2800	5884	malware_005D0000.exe	78
PID 5884 wrote to memory of 2800	5884	malware_005D0000.exe	78
PID 5884 wrote to memory of 2800	5884	malware_005D0000.exe	78

C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe
C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\33q61-readme.txt

Filesize
6KB

MD5
4e5188cd9f09aab64857c84470f36b5d

SHA1
9ea9671fa31137f3d491d36690c502eae50bab1d

SHA256
ec969bcf64351b1f7fc6ca47424fa490ae025c485a7c9b27e26530076444b628

SHA512
f69a2716952a94a334d9a52cb0564b8664bd77b3bea01fdbbcd984276f492265d2227139239a0a7cb1cef009b7c3f7d77c97a910c28b1c02ac924ec5603c27c5

Download Submit