sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Resubmissions

28/03/2025, 16:40

250328-t6ttcayvgx 10

25/03/2025, 14:22

250325-rpte5s1lt4 10

05/02/2025, 10:43

250205-msf7rssqgy 10

13/12/2024, 20:44

241213-zjezkaznfp 10

Analysis

max time kernel
118s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_005D0000.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\oz27t9yev-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion oz27t9yev. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/87F4F990A1CD9F19 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/87F4F990A1CD9F19 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: aMErARLYnkLVeqk7+9NxR2vNq16BrxOrmaLB72sYer8P4BJv6S/AhqLXvb/8DOna MgZ0xYjjEVY8RhY7fppUMK2don19tw2QOLeHdtae0xF4aEvOYjIFf/PEvchxyuwK Hroer3uK5/9wP36J4Zhf82c2q9Asec52qpli8nI+gei9O85pRpg28OZvCG7Y7gna HLzKvIpSHBRI9yHzOJ0NXQAjLsw7xy+iVdPJtEdrAu6j+LEC/nhg/cpByYJtoNCQ /NlepJsAPxmYvA83YqCywxoa5uR4AX2Z8zgkBBN/IdpqbwLY6k7WaF1/NbNjCyBT mBFtFHrFv1d77DFyEyEdWRwNgqosXcviBFdTWamYwZ/4o375gij0zT42yvHDLpn4 0EEeNKPInFHcV+zta+aqryg7/PotOvscuPpTpgYITqT+lbfENloy2KOLYPRSaNEI WDZ7K9iqkFJyKZ6j++TiKHNiv3DZmkZuWQvy9BErAWQpipV6kGDz+IkydM2JXMh1 nYUwDVeNy5uhHndX/BGhJitVIGEyNBMdT7dCQpESWPeC5imXFHWxvjLSui8xQ3lV xk0lfKdTwBoYmi01scvP/bNyKwIsyEigjXt+sXvDohJQdwCVNjDbKaZsKe3fSz88 dCaFPVa85GfLeAg0HBD8/8LD90PTRtynnhVWlgeopKUVPrTozn7kB2cJuw2xN9ZU fxHA22rJld6wmMeueHwmC4raw/X2ZPuwPnD8BP049UNBGDS2IKpm0oiJarvHqxVs I3dcT0OZ86mUHWKvv9nAhL1CIuaNaSujGzN80GzzWW7kklPHZdzBdLgiuAvX4AWZ e6vMC2lOs7FpxuZ3LgWizTEz/7Vy+68cPubFpePggtwUAcT/YWu3Jzad+t7nxaBn HQbQYiw5ZadPeysfzfBhV7xllxGuF3C/0F8BBISxnpv+gwJDl9XFydXkopsuJ+sX CFlUoVDAikjufmsXL/7N+7A/tXdM8qgsAVz168Dnfv3HA33HQ2Px3xQI3yxGsT+s jXIjyzu0ehPwQCl0IX6JY4LDyLMw8VUxiVFMQNI7owie6s/Qh2LOl1PJ52lJGVD5 7WkuzHG3HG95KzJelapd+NHpEi8B/S3f6d16ZhH/cUYZxzvAI8YQVlwRsKnHJI1O km/c7ZhMfslTTOdjh23jJNWJSXk0wX3pawIWhYS6mkNVHCTE/as3DBPZsjmwryIL dwWN0qMKKu7AfP4NXTcbO/Ml2pU= Extension name: oz27t9yev ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/87F4F990A1CD9F19

http://decryptor.top/87F4F990A1CD9F19

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	malware_005D0000.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	malware_005D0000.exe
File opened (read-only)	\??\P:	malware_005D0000.exe
File opened (read-only)	\??\W:	malware_005D0000.exe
File opened (read-only)	\??\Y:	malware_005D0000.exe
File opened (read-only)	\??\D:	malware_005D0000.exe
File opened (read-only)	\??\F:	malware_005D0000.exe
File opened (read-only)	\??\J:	malware_005D0000.exe
File opened (read-only)	\??\L:	malware_005D0000.exe
File opened (read-only)	\??\N:	malware_005D0000.exe
File opened (read-only)	\??\R:	malware_005D0000.exe
File opened (read-only)	\??\S:	malware_005D0000.exe
File opened (read-only)	\??\E:	malware_005D0000.exe
File opened (read-only)	\??\I:	malware_005D0000.exe
File opened (read-only)	\??\K:	malware_005D0000.exe
File opened (read-only)	\??\M:	malware_005D0000.exe
File opened (read-only)	\??\T:	malware_005D0000.exe
File opened (read-only)	\??\U:	malware_005D0000.exe
File opened (read-only)	\??\B:	malware_005D0000.exe
File opened (read-only)	\??\H:	malware_005D0000.exe
File opened (read-only)	\??\O:	malware_005D0000.exe
File opened (read-only)	\??\Q:	malware_005D0000.exe
File opened (read-only)	\??\V:	malware_005D0000.exe
File opened (read-only)	\??\X:	malware_005D0000.exe
File opened (read-only)	\??\Z:	malware_005D0000.exe
File opened (read-only)	\??\A:	malware_005D0000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a08tly74w1k.bmp"	malware_005D0000.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\oz27t9yev-readme.txt	malware_005D0000.exe
File opened for modification	\??\c:\program files\DisconnectConvert.htm	malware_005D0000.exe
File created	\??\c:\program files\oz27t9yev-readme.txt	malware_005D0000.exe
File created	\??\c:\program files (x86)\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\chrome_installer.log	malware_005D0000.exe
File opened for modification	\??\c:\program files\DebugRestore.xps	malware_005D0000.exe
File opened for modification	\??\c:\program files\FindSubmit.wmf	malware_005D0000.exe
File opened for modification	\??\c:\program files\RestoreWrite.raw	malware_005D0000.exe
File opened for modification	\??\c:\program files\SyncResize.M2V	malware_005D0000.exe
File opened for modification	\??\c:\program files\CheckpointRead.eprtx	malware_005D0000.exe
File opened for modification	\??\c:\program files\CloseUndo.tmp	malware_005D0000.exe
File opened for modification	\??\c:\program files\LimitRename.mp2	malware_005D0000.exe
File opened for modification	\??\c:\program files\msedge_installer.log	malware_005D0000.exe
File opened for modification	\??\c:\program files\TestClose.ini	malware_005D0000.exe
File created	\??\c:\program files\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\InstallConnect.dwg	malware_005D0000.exe
File opened for modification	\??\c:\program files\UnpublishConvertTo.kix	malware_005D0000.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_52d2b2ecb593c243.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d_dsreg.dll.mui_5d9efc7e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_21b80f3a6591f527.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_de-de_0528803147204d22.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6db5c466b45bc552_sens.dll.mui_64739194	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_c3d871e478025c14_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b04a9ba801ea7788_gpapi.dll.mui_ef0a9748	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-homegroup-listsvc_31bf3856ad364e35_10.0.19041.1_none_2eed0e5c4e448d11.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsi.psd1_8e91985d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_32602d1a95f90be1_bootmgr.exe.mui_c434701f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_47d83bc872f1a26d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..onment-core-tcbboot_31bf3856ad364e35_10.0.19041.1288_none_75442af2fe19577c.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_10f39c85cfff2cb8.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_eb14f252120fd1e9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_183a9d4d0231f3a9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_144d58e904c27e07.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nb-no_63be8058058cb0d0.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_th-th_3317fe13b72381e1_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7ce61c7d809eedfd.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.19041.1266_none_727d8ac8ed2b3e80.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_5acfcbd46d6163cc.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cf0c9a6c765a64f5_winload.efi.mui_35ee487d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesrs2_31bf3856ad364e35_10.0.19041.1_none_11f3e33d012053e7_windows.ui.xaml.resources.rs2.dll_516fc7db	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_10.0.19041.1_none_b537ffbd18185517_lucon.ttf_76ed00f1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_d1358e97b53afe52_wldap32.dll_09c99dc1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.19041.264_none_b5da2694160ff24d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_tr-tr_04ea76acd588f047.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sl-si_b2af6b1bb9e4108d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_it-it_78c65fb1166338c9_appidsvc.dll.mui_6717e231	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f58f2b5ab00b734_clfs.sys.mui_1310ba12	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_aba5dc4fb44efa50_wudfpf.sys.mui_f61e9e86	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesth_31bf3856ad364e35_10.0.19041.1_none_855a8e9fccc3545c_windows.ui.xaml.resources.th.dll_d0ba450a	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.662_none_3bbdfd78507f28c7_ncrypt.dll_0f36c580	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.19041.1023_none_6eb1689259d35752.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_984baa246cdd2b6c_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_638e961dd6edabb1_trustedsignalcredprov.dll.mui_5edc427b	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f1e103d17e2d973d_ngcsvc.dll.mui_96312421	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.906_en-us_adc1f5c62c383715_dsregcmd.exe.mui_8ce2c638	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b988e3f5244c4507_ncprov.dll.mui_40240de1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_en-us_65e4d1beb3d1f96f_winhttp.dll.mui_f661192f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_4131d52a7745babe.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-yugothicmedium_31bf3856ad364e35_10.0.19041.1_none_1a55062504172381.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.19041.1_none_69ebac9ae471d5da.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_08c2373a33a21a40.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.1202_none_a690000a893f966b_windows.ui.immersive.dll_549e9b42	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a6382fa8181d9ef8.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_ef1691668a233417.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.1_none_c2b22947f3ad87c2.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.207_none_415109dc8f3c6aa6.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63994a974590744a_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_123a7540f6f47a8e.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridge.sys_4e5f368e	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9b6dfbebdc913fa_scarddlg.dll.mui_300ae9df	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_43bc59294854e061_dsregtask.dll.mui_5e1b9353	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_th-th_eb6ac73ca2a758db_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.1_none_879fcda0791faba1.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-fileinfominifilter_31bf3856ad364e35_10.0.19041.1_none_8ca608a8d0ab598e_fileinfo.sys_9be2dfcd	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a349f4a6799ca6da_listsvc.dll.mui_27f0fc85	malware_005D0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malware_005D0000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	malware_005D0000.exe
884	malware_005D0000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 556	884	malware_005D0000.exe	92
PID 884 wrote to memory of 556	884	malware_005D0000.exe	92
PID 884 wrote to memory of 556	884	malware_005D0000.exe	92

C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe
C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oz27t9yev-readme.txt

Filesize
6KB

MD5
92758722fadc6e817d43bab890628840

SHA1
ea876f4a3e4a2857cf50f77131bace168ae684ef

SHA256
a4368618c9da25e21ff4c7123e31f78cde460b5794ae7287968d6087aac3a835

SHA512
4e57b467688c64278dbabea85329f426a774b0498b4559d61bac3f993be3a083d43ba5cf621d62cf4627c838c474d31d1ab64e1893b608d7c83a7ce2e741002d

Download Submit