sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Resubmissions

28/03/2025, 16:40

250328-t6ttcayvgx 10

25/03/2025, 14:22

250325-rpte5s1lt4 10

05/02/2025, 10:43

250205-msf7rssqgy 10

13/12/2024, 20:44

241213-zjezkaznfp 10

Analysis

max time kernel
275s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_005D0000.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\137c0xq23-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 137c0xq23. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/863FD4F194485FB8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/863FD4F194485FB8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: E43TzCYZ3rj2f4Lrlai2DZw2fVoUyoB316+oyITIqkE4amkYU8RYqgJLEPmbFg1T TvZiHRvLa0jh8x5A5omNzbYnfA7hh0iDxtFjMIIWoqVjGdauSKBMwS19Dz3+L8s8 OlpLhqBDylsdDgXUw3lPnoBke/Vaym7o5poU9qfFTcIPTZ9FMydWPrUgKqnmEt5e u5WVUx9kJ2x19DTkctaHdoyvfUXtOSyMBdN9lpA0COJyjAsTBZBbN8lJWiFBOSXE Bj+U5gpC0pkrdWGgYYdwHgMgCPbPxQ5bBad/oFEqDMD4ef/4aE8+7b55oTskyUvg 9cTOKCzT9EL8hsuG5M3yHk0an4guCcfjyRh7s3NQZM//pPtbd3YE8qkDjNQ0SotY OfATZ3s3L6p0U7ToP20HM7y90A3fvJp1NshBmz8wE9knqGKp0/Na3TuCzQSA6S19 MN/VTOa6rPibyAmnPORTXwbpMrC6aBrQtuSiOnP4OEHHvr5YgjiY9nW/TtGL9YlV dLzbXppd7cQjIeKhNSMGzGNCZIdWJpnH/nsdnuwM68VlBac6UgJgT0/Dmv2Wo2Th 7njBLywRUpQyP5ITbT0UC6h0U0slDUgAU+KKND790m0wmEvPMgpmUWDZnMOunDts MpPqx26bXIvOWCEIkEpBb5xTB14QaRCB/ihDH8zfR7CA7V160A23Z43maugDeSPy I9K9Q8run/4LwJFApAqlU7CnoaVWBBpqhoEy+jdygLVxhoyG65YZLSTR5koojRKK +YzvbaYD8O29VW2GgFu3fh7as39miGfU28lbIq/4zh1JlYmilcJC5KNsP0KrBuax RzssXCbP+s7YYqrcpgKpcrnDk4FV9ruXdvW5AyMq0xvX00pbY2/J5zNMP2qD0dPh BTdmA4OAfVvGyw79+2nXs6WQz9V7SzAIKA8EmRJK+NzAAnSkfqgqEc/NSEcdOk4r ebROLh0E2W6HMVUXu1PQ5TTt+327Bs3OQI8QGV+zbt3+IGfdZjpxF3P3cPofAegr 55L5XOGVQ9Bx9JbcVzHvEgdGb66UBaPtK3ZzXhXO9nxsALaTPTg+sBeWJfGzJN6R mfTbJ2Z+G2gYlVLRslLu1MSA3Ng/IVT3WJ/Bd7r4lz79b+cYOGHpbZ9S7Z7ylHT1 drYVSqlt89qlfUEE7cE/Q1ZL6ycaN0x0tn0tEQst1+iiM8+weBuNB14jD9rrdh9Z QuXQprK2NP3z8UOQ/pfkgdsfSyw= Extension name: 137c0xq23 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/863FD4F194485FB8

http://decryptor.top/863FD4F194485FB8

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	malware_005D0000.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	malware_005D0000.exe
File opened (read-only)	\??\T:	malware_005D0000.exe
File opened (read-only)	\??\X:	malware_005D0000.exe
File opened (read-only)	\??\A:	malware_005D0000.exe
File opened (read-only)	\??\B:	malware_005D0000.exe
File opened (read-only)	\??\Q:	malware_005D0000.exe
File opened (read-only)	\??\W:	malware_005D0000.exe
File opened (read-only)	\??\F:	malware_005D0000.exe
File opened (read-only)	\??\E:	malware_005D0000.exe
File opened (read-only)	\??\G:	malware_005D0000.exe
File opened (read-only)	\??\H:	malware_005D0000.exe
File opened (read-only)	\??\I:	malware_005D0000.exe
File opened (read-only)	\??\J:	malware_005D0000.exe
File opened (read-only)	\??\K:	malware_005D0000.exe
File opened (read-only)	\??\M:	malware_005D0000.exe
File opened (read-only)	\??\Y:	malware_005D0000.exe
File opened (read-only)	\??\O:	malware_005D0000.exe
File opened (read-only)	\??\P:	malware_005D0000.exe
File opened (read-only)	\??\R:	malware_005D0000.exe
File opened (read-only)	\??\S:	malware_005D0000.exe
File opened (read-only)	\??\U:	malware_005D0000.exe
File opened (read-only)	\??\V:	malware_005D0000.exe
File opened (read-only)	\??\Z:	malware_005D0000.exe
File opened (read-only)	\??\D:	malware_005D0000.exe
File opened (read-only)	\??\N:	malware_005D0000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\61w0j646.bmp"	malware_005D0000.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\SetUse.xlsb	malware_005D0000.exe
File opened for modification	\??\c:\program files\UninstallPing.tiff	malware_005D0000.exe
File created	\??\c:\program files\d60dff40.lock	malware_005D0000.exe
File created	\??\c:\program files (x86)\137c0xq23-readme.txt	malware_005D0000.exe
File opened for modification	\??\c:\program files\chrome_installer.log	malware_005D0000.exe
File opened for modification	\??\c:\program files\DebugAssert.wpl	malware_005D0000.exe
File opened for modification	\??\c:\program files\RegisterMount.ps1xml	malware_005D0000.exe
File opened for modification	\??\c:\program files\RenameSplit.css	malware_005D0000.exe
File opened for modification	\??\c:\program files\ConfirmSplit.emf	malware_005D0000.exe
File opened for modification	\??\c:\program files\EditCopy.M2T	malware_005D0000.exe
File opened for modification	\??\c:\program files\InstallDismount.docx	malware_005D0000.exe
File opened for modification	\??\c:\program files\msedge_installer.log	malware_005D0000.exe
File opened for modification	\??\c:\program files\RenameInvoke.3gp2	malware_005D0000.exe
File opened for modification	\??\c:\program files\RenameSwitch.wdp	malware_005D0000.exe
File created	\??\c:\program files\137c0xq23-readme.txt	malware_005D0000.exe
File created	\??\c:\program files (x86)\d60dff40.lock	malware_005D0000.exe
File opened for modification	\??\c:\program files\EnterClear.xlt	malware_005D0000.exe
File opened for modification	\??\c:\program files\CompressRegister.js	malware_005D0000.exe
File opened for modification	\??\c:\program files\SearchRevoke.odt	malware_005D0000.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_it-it_b93490b34d8c4a73_winload.exe.mui_3bc5b827	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_0a518745d856f00f_dnsrslvr.dll_faf65b7a	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.19041.1_none_15844d67340cfd5a.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.storage.ppkg_960e5b21	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c859c559627601c9_storagehealth.adml_00c6b7b3	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ab83828872bfa667.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_da-dk_8eac972b9796148b_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.19041.1288_none_7a49f980f48daa96_dwmcore.dll.mun_ebf60d69	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.546_none_cb01ee53d6697641.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_10.0.19041.488_none_77ac529b46dc3a08.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_scfilter.sys.mui_cebab716	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.19041.1_none_151b030c40cdc642.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nb-no_1c114980f11087ca_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsium.dll_edf4260f	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b641f2883587d6aa_axinstsv.dll.mui_be092a2d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_es-es_53c339fa60537c35.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_es-es_fcde5a75fe44e11c.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_17595b70920d941a_themeservice.dll.mui_9e71f1ab	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-version_31bf3856ad364e35_10.0.19041.546_none_f2f7962fafb5066b.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.450_none_107cae8412302d3e_wiatrace.dll_dfb4e972	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_es-es_d67b0596196ad316.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_en-us_fb569e49a9e4cc22.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1_none_3d71f65b3bbd6193.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fr-fr_03c776435c2d9d9f.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_4d8202ac4e35281f_windows.ui.xaml.inkcontrols.dll_523c865d	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_cs-cz_cfb8187da0acdc81.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fi-fi_b1f4c56a7ce81cae_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55_memtest.efi.mui_71e15c22	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_et-ee_704c52b0a2cbb688_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_303b0094e7d25ad2_memtest.exe.mui_77b8cbcc	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015_wowreg32.exe_94fc2d06	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_he-il_f9b0de5e610f41d4.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_049f5dd81797f4f9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-deviceguard-gpext_31bf3856ad364e35_10.0.19041.1_none_20ce8bc197e8d685.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cf5a1f9c5633f046_rpcepmap.dll.mui_349798e1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_es-es_9e7575a7f032231a_fidocredprov.dll.mui_4ca89266	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.19041.546_none_226fb48607847890_authz.dll_c0d80602	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a82483f2ca370f3a.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_tr-tr_650dd7439c5150ec_comctl32.dll.mui_0da4e682	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d_gpsvc.dll.mui_0c160ac2	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_sl-si_e4613bab44d6f02b.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.1_none_3ef7d405e850df76.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_pt-br_14aa9a5df45b367e.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.19041.1202_none_d02feec5930a1e75.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_uk-ua_f56a5c19a1463e18.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.19041.1_none_f22c316c97d7c109.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_82b5dd00dbb53a5c_wintypes.dll_96e015b1	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.19041.1202_none_c1dc44cb56c475d7_directmanipulation.dll_07c179b4	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_8f7ee59fb65a0495.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a349f4a6799ca6da_listsvc.dll.mui_27f0fc85	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_e57fef51be54a1f0_netlogon.dll.mui_ecbeb9bd	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shcore_31bf3856ad364e35_10.0.19041.1266_none_3b39b089d666f64f.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_ad9e9ef8adfd68d5.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.1151_none_49b7fb8af93e9473.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-etw-ese_31bf3856ad364e35_10.0.19041.1_none_854be02225b9bfa7.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_et-ee_2e542ad48c77431e_bootmgfw.efi.mui_a6e78cfa	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1_none_6809ce232425e1f9.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b2a2923fc0594488.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_a9ac4cc29056cfd1_wshtcpip.dll_7ee2ca52	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-mx_cd63778c71e5e529.manifest	malware_005D0000.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_it-it_580bf62c3d55fd5e.manifest	malware_005D0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malware_005D0000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	malware_005D0000.exe
4836	malware_005D0000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3320	4836	malware_005D0000.exe	91
PID 4836 wrote to memory of 3320	4836	malware_005D0000.exe	91
PID 4836 wrote to memory of 3320	4836	malware_005D0000.exe	91

C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe
"C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\137c0xq23-readme.txt

Filesize
6KB

MD5
acf729018ea42485b9cc4fe6e025fe4b

SHA1
8af82b1603aa21901ac7973a0bd058bcf0b76c61

SHA256
e3d94292f81976d91f144844f82d67e6408aedbef8d705940561e707d9ec5ec9

SHA512
1ff113898ca9209bbc2195de4edbc071fd9fc41386dee6a736281b1e42763427c6dbfd634925b826c9261ea3466d24902143bfe36300832de97e2f1022b80ea9

Download Submit