sodinokibi | 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

General

Target

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Size

157KB
MD5

b488bdeeaeda94a273e4746db0082841
SHA1

5dac89d5ecc2794b3fc084416a78c965c2be0d2a
SHA256

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
SHA512

2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Score

10^/10

ransomware evasion spyware trojan sodinokibi persistence

Malware Config

Extracted

Path

C:\Recovery\i7bsz6dkt9.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got i7bsz6dkt9 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/581889A04001A92A Page will ask you for the key, here it is: 2lbJ6KFBGJKJNHbGXuUljGMb7IVDa4YavjFrIHnpSVr71b9KOVh7fGDrAZKsHBMn Vav6UZ4LaFm1yduWaee5whswDFjl4SUInTECxllXZq32X24EK6WoLpXgEe93eoD6 G77lK+8NTrI867b8eI8WrDYwpjjVvh0TADqAXLzwsJpdYIOzG2z9QGxfbUeVmCXg qvsrBvWI3R/WMWNg+hvJKpCKp7Kh6feYgNLNc4PY4varkELCuTe3MdKQqqedS0lE ZpVABVJSsEDXXPLEbWoUAQ4kmeqA6QtUxZkN+AocAgkzuaiUltXlbt7pLTBcD4k4 PxUq4FExZv0NIAXeZ4W/rpya3+t1D2MEC5SDfrfgC+ltykhvgR0yZgNX6K46+Qo6 nJdVfl23ZGTl4eTbovd1kAqx6J3e5MOr9+z1pEnnQLlvvRJAw7R0PhsdazHOOAMD JWC01yB9Ml4fFmvdKBMQ5OQZinwSddxbFrG3hHp9SepEqNBC+JOQLu7EiwLa1uj6 BvIfg5xAfWKdagUCSpmbU53qNyhkKAmZ504r0AiYcN6nr4PFjkCCl+RLq4ymVR9i R76m+XVi+xmi8PX5tcrUlszAaMRU28lVbri4DzGhQWDCO64kQPCI2A6kqcfDHx2G uCfr3/EGNMkBOKALZZcmezlkNZZXuOjgDIgYV6Ojys3E8iZ5ebDYsIs9m/eJkint eLhkq6si228mpxFfhj+coDOp4Ktp4ShVV0DYwLnpRpPUQP3ksvUKE8VL1yJ8jdvX wqEA/F+2W19PlHdO1K4n67uDFjYBIZsrlQSGjp7aHm768W4dDR5l3NejPKpJ6EVi JmVGkqMqjKAyskhi/Q5TPQ1ssRZSTfqyWlrTsW+e8v7XVCTvak6ZDfl4ZUNjt32H s8vsg20O3YRFsSeB5b3NxAv5LyuYw2s2FmcNc5XMGJy3E0oA4OnGCB3z53f8pMl0 MFdDlaUyyqx00nJwAVE8dakthl4iTbztj2LDHX7RHkeHvNUN0XFUO9tn/fHFuuEe TRXuKkSbSWLdf3gtNVyT5+L+rjOgxRmX3IiGuiFbXNA55uzwnY7uO2OM0HezzWFF Yei5DoxtUFQVpCCkyX59AwzeqsBYy+AZ

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A

http://decryptor.top/581889A04001A92A

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1900 vssvc.exe
Token: SeRestorePrivilege 1900 vssvc.exe
Token: SeAuditPrivilege 1900 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1900	vssvc.exe
Token: SeRestorePrivilege	1900	vssvc.exe
Token: SeAuditPrivilege	1900	vssvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c543604000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1876 vssadmin.exe

pid	process
1876	vssadmin.exe

Drops file in Windows directory 3276 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_en-us_70a1ff28cc89fb03.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_bridgemigplugin.dll_4c0b8021	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasserveroc-dl.man_78016e78	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c4612d3f03b3254c_rascfg.dll.mui_0b036e1f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb_riched20.dll_fb578f95	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sr-..-cs_4596701e6fa56fc9.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_6.1.7600.16385_none_0825f3c37efb390e.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_coue1257.fon_265fc768	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a1e732964dd24c7b_vdsutil.dll.mui_0caf9b0e	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_he-il_8bea70024ec7fc32.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-857_31bf3856ad364e35_6.1.7600.16385_none_2adc8eeeb4e35a81.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_c679af753c14c22a.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga869.fon_09ec4cfe	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_a9a74ccae735a589_comdlg32.dll.mui_ac8e62f4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_0577819b021e44a4.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_a3dab79bf7c211cf.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-fmifs_31bf3856ad364e35_6.1.7600.16385_none_b303632c4b483c6c.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_be3e81707c8573d5.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_05699821fc9b6205_cryptui.dll.mui_9728c1dd	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c10af1bed239c523.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31dc108b13bfe951_bootmgr.efi.mui_be5d0075	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_6.1.7601.17514_none_3fc218fad10f1ad4.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b5fe635ea4f5d2f_webclnt.dll.mui_e8f04040	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_54e0b44114fa502d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_he-il_d3a012aba7980adc.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_331cad24945b592a_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7972be107f211c50.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-simsun_31bf3856ad364e35_6.1.7600.16385_none_56fe10b1895fd80b_simsun.ttc_eba56c14	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-852_31bf3856ad364e35_6.1.7600.16385_none_2add00d6b4e2da5c.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_be8acdd10de3b1a6_netbt.sys_9226f314	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a6c8b69bbb7da85_imageres.dll.mui_3e41dee6	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_047062a1736af5b9_consent.exe_9075a1c2	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1220a4865bb3d9a0_rpcrt4.dll_5aa847dd	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f8bce8b9508ba1f6.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.17514_none_8a90facfa04322fd.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c620663a0d83d04f_winmm.dll.mui_224f6445	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-couriernew_31bf3856ad364e35_6.1.7600.16385_none_32383eb7c6ebfd9b_couri.ttf_21733c5a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smaf1255.fon_c01687ed	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_f4d7f7b17ffe522a_uicom.dll_d72e5b75	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3165765b03216fd8_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_sccls.dll.mui_f104be47	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c79917aabb8f3414.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-tai_le_31bf3856ad364e35_6.1.7600.16385_none_8b27023f8ebb68a4.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7214f10d6056e81a_uxtheme.dll.mui_15ce9297	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210_hosts_d78df635	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31dc108b13bfe951_bootmgfw.efi.mui_a6e78cfa	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_9616b4da8e0572c5_ntmarta.dll_cd048e61	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d5d42323872d6f8c_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_es-es_85e455db744936f4_mlang.dll.mui_2904864a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.7601.17514_none_83801b5eed6392d9.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_95998ca48a79e748_bootmgfw.efi.mui_a6e78cfa	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_a77de2d787af8188.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhctrl.ocx_38c869db	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.s..se.scsi_port_driver_31bf3856ad364e35_6.1.7601.17514_none_43a6335240be578b.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_ae2511475093798f_ole32.dll_e9dcc2e3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_e99ba0bb58b4fbd1.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga857.fon_0c23d887	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4fbac3e2381c9426_scarddlg.dll.mui_300ae9df	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_6.1.7600.16385_none_b2cc41b2eda92244.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc_31bf3856ad364e35_6.1.7600.16385_none_d51ee0f5a114246d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_0ec53a83a7cb8472_lsasrv.mof_56db6a17	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_ce00766f323410b7.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

pid process

1832 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

pid	process
1832	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1852	1832	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 1832 wrote to memory of 1852	1832	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 1832 wrote to memory of 1852	1832	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 1832 wrote to memory of 1852	1832	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 1852 wrote to memory of 1876	1852	cmd.exe	vssadmin.exe
PID 1852 wrote to memory of 1876	1852	cmd.exe	vssadmin.exe
PID 1852 wrote to memory of 1876	1852	cmd.exe	vssadmin.exe
PID 1852 wrote to memory of 1876	1852	cmd.exe	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3uk64zt.bmp"	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened (read-only)	\??\E:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\F:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\A:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\B:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\C:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
1⤵
- Modifies system certificate store
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Discovering connected drives
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1876