Analysis
max time kernel: 141s
max time network: 141s
platform: windows10_x64
resource: win10v200430
submitted: 17-06-2020 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: _____.js
  Resource: win7
Behavioral task: behavioral2 (the win10v200430 run reported on this page)
  Sample: _____.js
  Resource: win10v200430
General
Target: _____.js
Size: 345KB
MD5: 9f220cdc2f8bb7de9e73b801ff6294c7
SHA1: 2edd8dbbe2a83042a4d0a26cbdf4731f6560c7b5
SHA256: 1aa695ccfb3d46f59bb777cc175e93ee12b0c80dadb89aa2b6ba7395cc9d5048
SHA512: b0857157adced890cb9670937921e5424bbd6bca4f38bbbb282610a0710f2b916a82cead1739fd70d5b927d8d89d6b3f234b91fcdbcd7dab6087f729fb623c04
Malware Config
Extracted from: C:\6336f8tzx-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DC496AA01492357F
  http://decryptor.top/DC496AA01492357F
Both URLs carry the same trailing path component, DC496AA01492357F, the identifier the note uses for this victim on the Tor and clearnet payment portals. The note itself was dropped at the root of C:\ and, as the Program Files entries below show, in the directories the sample touched.
Signatures

Suspicious use of WriteProcessMemory 9 IoCs
Processes: wscript.exe, 6178.exe, cmd.exe
  description                       pid   process      target process
  PID 4004 wrote to memory of 428   4004  wscript.exe  6178.exe       (3 identical entries)
  PID 428 wrote to memory of 1748   428   6178.exe     cmd.exe        (3 identical entries)
  PID 1748 wrote to memory of 2224  1748  cmd.exe      vssadmin.exe   (3 identical entries)
Every write is from a parent into the child it has just created, the same three edges as the process tree at the end of this page. That is what a parent populating a new child's address space during process creation looks like; there is no write into a pre-existing or unrelated process, so this signature on its own does not show code injection here.
Drops file in Windows directory 2108 IoCs
Processes: 6178.exe
All entries below are "File opened for modification" by 6178.exe; the report lists 64 of the 2108 IoCs, every one under C:\Windows\WinSxS\Backup\. The ".." inside component names (for example b..nager-efi) is how WinSxS abbreviates long assembly names on disk, not an elision in this report. Note that "opened for modification" records the open, not what was written; the report does not show renamed or encrypted output for these paths.
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-es_8fb72afa21e2997c_bootmgr.efi.mui_be5d0075
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_updaterevokesipolicy.p7b_76fe3620
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_577e152805b98c1f.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.15063.0_none_de38492263599171_ikeext.dll_3ac4406c
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ar-sa_91f9f4c8478981a6_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_c99395587677579e_combase.dll.mui_6db10b33
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_en-us_259417a878463055_samsrv.dll.mui_32250491
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999_comctl32.dll_9c499789
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_31d27467b2b5145e.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_a6e97d54ff3ddacf.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_f48e72a5e408fd69.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.15063.0_none_20ead682ac8d69e0.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_628a7399cbefe45f.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-m..lecore-ras-base-vpn_31bf3856ad364e35_10.0.15063.0_none_ac03f6041976ffc4_rasapi32.dll_5418d87b
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ar-sa_67778a441a2f274e_msimsg.dll.mui_72e8994f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_848d8c2152ade85d_provsvc.dll.mui_3a2926ae
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.15063.0_none_cf047f912b10e6d0.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_2856dfb73a0bd794.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.15063.0_none_a69f8cf95bf4534e_dnsrslvr.dll_faf65b7a
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..update-genuineintel_31bf3856ad364e35_10.0.15063.0_none_cdd3e59aeb1c07ac_mcupdate_genuineintel.dll_940e6a7f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_en-us_8ab04126569c4047_wmpdui.dll.mui_92411657
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_tr-tr_2f831b67bffff9cc.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_2ae4eb43198d1604_bootmgr.efi.mui_be5d0075
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb_winload.exe.mui_3bc5b827
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fi-fi_f892f9b169daaca2.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_rasdiag.dll_341d4299
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_j8514sys.fon_cfb116c0
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.15063.0_none_044c69fa901981b6_ndiswan.sys_4be8047f
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.15063.0_none_be8221ec6a07dad4.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_en-us_60ce145177b6c10a_wininit.exe.mui_997435f5
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-mx_91ee18a020767d27.manifest
  C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpsvc.dll_2d2efa15
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.15063.0_none_d868ae1968a9ae8b.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_704919a91fc309dc_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_ef72388408dd81e9_bootmgr.efi.mui_be5d0075
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b_power.energyestimationengine.display.ppkg_44353cf6
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.15063.0_none_58d42528ff7de282.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_10.0.15063.0_none_f2fac13b7f7cb7da.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_en-us_dd56529205f2b805_tcpipcfg.dll.mui_a5479fc1
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.15063.0_none_08712adee4c9a72d_wshqos.dll_f1749d15
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2e5a9c3cb5ade268_bootmgr.exe.mui_c434701f
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_d3bf5352148cac82.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_it-it_88c1f6eda95c9eb3.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.15063.0_none_44fadb58fe4497d9.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgaf1256.fon_9bd7a63b
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga949.fon_0fa0b40b
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_2d4b965de989e709.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_pad.inf_dbf42768
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f6cd78d08120cf1d_memtest.efi.mui_71e15c22
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.15063.0_none_a3d67fce0405ea82_msxml6.dll_ebe15265
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_e2b9a848b899ba23.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_56267d09fac4d7b0_memtest.efi.mui_71e15c22
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_f36e75da064e5e59.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_uk-ua_83b5c737a2b4f712.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.15063.0_none_cf6322a2b243cac2_rpcrt4.dll_5aa847dd
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_da-dk_fb3d63c29861917a_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652_winsku.dll_6e6c7799
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.15063.0_none_0aed8b3ddd7da4b2_shlwapi.dll_1eec0a2e
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_14793e40fc75bb05.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_862002b5f3ade598_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-dui70_31bf3856ad364e35_10.0.15063.0_none_0ca9ed867e8c0f29_dui70.dll_5f097b0b
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  2224  vssadmin.exe
Drops file in Program Files directory 21 IoCs
Processes: 6178.exe
  description                   ioc
  File opened for modification  \??\c:\program files\SplitMerge.ini
  File opened for modification  \??\c:\program files\WaitJoin.xls
  File created                  \??\c:\program files\6336f8tzx-readme.txt
  File opened for modification  \??\c:\program files\ConvertFromBackup.pps
  File opened for modification  \??\c:\program files\LockRedo.kix
  File opened for modification  \??\c:\program files\SubmitResolve.dotx
  File opened for modification  \??\c:\program files\UnlockGet.mpe
  File opened for modification  \??\c:\program files\UnprotectDismount.crw
  File opened for modification  \??\c:\program files\UpdateConnect.odt
  File opened for modification  \??\c:\program files\CompressGet.wps
  File opened for modification  \??\c:\program files\SearchReceive.tiff
  File opened for modification  \??\c:\program files\SetPush.ex_
  File created                  \??\c:\program files (x86)\a73a6b0b.lock
  File opened for modification  \??\c:\program files\SwitchOptimize.wm
  File opened for modification  \??\c:\program files\SyncConvert.dotm
  File opened for modification  \??\c:\program files\RepairRead.nfo
  File opened for modification  \??\c:\program files\SuspendRead.rtf
  File opened for modification  \??\c:\program files\WaitExit.MTS
  File created                  \??\c:\program files\a73a6b0b.lock
  File created                  \??\c:\program files (x86)\6336f8tzx-readme.txt
  File opened for modification  \??\c:\program files\MeasureSearch.pdf
The VerbNoun.ext documents (SplitMerge.ini, WaitJoin.xls and so on) appear to be bait files seeded by the sandbox rather than files the sample brought with it. The pattern that matters for triage is what 6178.exe did with them: it opened 17 files with 17 different extensions for modification, and created the same two files in both C:\Program Files and C:\Program Files (x86): 6336f8tzx-readme.txt, the ransom note named in the Malware Config section, and a73a6b0b.lock. A note dropped per directory, a per-directory lock marker and indiscriminate modification across extensions is the footprint to look for on a live host.
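The per-directory note, the lock marker and the across-all-extensions modification described above can be recovered mechanically from file-activity records. The following is an added example, not code from the report or from the sample: it takes (action, path, process) records constructed from the Program Files entries on this page, infers the ransom-note name and the extension token REvil embeds in it (the family names its note <ext>-readme.txt), finds repeated lock markers, and flags a process that modifies files across many extensions. The 10-extension threshold and the function names are this example's own choices.

```python
"""Triage file-activity records for ransomware artefacts.

Added example, not part of the Triage report. SAMPLE_EVENTS is constructed
from the 'Drops file in Program Files directory' entries in the report as
(action, path, process) tuples; thresholds are this example's own choices.
"""
from collections import Counter, defaultdict
import ntpath

SAMPLE_EVENTS = [
    ("File opened for modification", r"\??\c:\program files\SplitMerge.ini", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\WaitJoin.xls", "6178.exe"),
    ("File created", r"\??\c:\program files\6336f8tzx-readme.txt", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\ConvertFromBackup.pps", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\LockRedo.kix", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SubmitResolve.dotx", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\UnlockGet.mpe", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\UnprotectDismount.crw", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\UpdateConnect.odt", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\CompressGet.wps", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SearchReceive.tiff", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SetPush.ex_", "6178.exe"),
    ("File created", r"\??\c:\program files (x86)\a73a6b0b.lock", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SwitchOptimize.wm", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SyncConvert.dotm", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\RepairRead.nfo", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\SuspendRead.rtf", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\WaitExit.MTS", "6178.exe"),
    ("File created", r"\??\c:\program files\a73a6b0b.lock", "6178.exe"),
    ("File created", r"\??\c:\program files (x86)\6336f8tzx-readme.txt", "6178.exe"),
    ("File opened for modification", r"\??\c:\program files\MeasureSearch.pdf", "6178.exe"),
]


def _norm(path: str):
    """Strip the NT object-manager prefix \\??\\ and split into (lower-cased dir, name)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    directory, name = ntpath.split(path)
    return directory.lower(), name


def repeated_created_names(events, min_dirs: int = 2) -> dict:
    """Names created in at least min_dirs distinct directories -> directory count."""
    dirs_by_name = defaultdict(set)
    for action, path, _proc in events:
        if action == "File created":
            directory, name = _norm(path)
            dirs_by_name[name].add(directory)
    return {name: len(dirs) for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs}


def note_and_extension(events):
    """REvil drops <ext>-readme.txt in each directory it touches; recover the name and <ext>."""
    for name in repeated_created_names(events):
        if name.lower().endswith("-readme.txt"):
            return name, name[: -len("-readme.txt")]
    return None


def lock_markers(events) -> list:
    """Repeated per-directory .lock files created by the same run."""
    return sorted(n for n in repeated_created_names(events) if n.lower().endswith(".lock"))


def bulk_modification(events, min_distinct_ext: int = 10) -> dict:
    """Per process: how many files were opened for modification and across how many extensions."""
    per_proc = defaultdict(Counter)
    for action, path, proc in events:
        if action == "File opened for modification":
            _directory, name = _norm(path)
            per_proc[proc][ntpath.splitext(name)[1].lower()] += 1
    return {
        proc: {"modified": sum(c.values()), "distinct_extensions": len(c),
               "flag": len(c) >= min_distinct_ext}
        for proc, c in per_proc.items()
    }


def triage(events) -> dict:
    return {"note": note_and_extension(events), "locks": lock_markers(events),
            "bulk": bulk_modification(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the constructed records this yields note 6336f8tzx-readme.txt with token 6336f8tzx, lock marker a73a6b0b.lock, and 6178.exe flagged for 17 modifications across 17 extensions. On real telemetry, feed it Sysmon Event ID 11 (FileCreate) and file-write records with the same three fields.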
Family: Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Executes dropped EXE 1 IoCs
Processes:
  pid  process
  428  6178.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
  description              pid   process
  Token: SeBackupPrivilege  2484  vssvc.exe
  Token: SeRestorePrivilege 2484  vssvc.exe
  Token: SeAuditPrivilege   2484  vssvc.exe
vssvc.exe is the Volume Shadow Copy service itself, started to serve the vssadmin request; enabling these privileges is its normal behaviour and is attributed to the service, not to 6178.exe.
Enumerates connected drives 2 TTPs
(no individual IoCs listed)

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
(raised on the vssadmin.exe Delete Shadows /All /Quiet command recorded in the process tree at the end of this page)
Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
  description  ioc
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
These are the VSS service's own diagnostic keys for its registered writers, created as a side effect of the shadow-copy operation the sample requested; 6178.exe did not write them itself.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid  process
  428  6178.exe
  428  6178.exe
Modifies system certificate store 4 IoCs
Processes: 6178.exe
  description       ioc
  Key created       \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
  Set value (data)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate blob data not included in this report)
  Key created       \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB
  Set value (data)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = (certificate blob data not included in this report)
The signature name is taken from the process tree at the end of this page, which tags 6178.exe with it. Entries under the per-user SystemCertificates\CA\Certificates key are also written by CryptoAPI when it caches intermediate certificates while validating a chain, so these two entries alone do not establish that the sample installs its own trust anchors; the two thumbprints would need to be checked against known CA certificates before treating this as trust-store tampering.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 6178.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j1k.bmp"
The sample writes its wallpaper bitmap to the user's Temp directory and points the per-user Wallpaper value at it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(no process or individual IoC is attributed to this signature in the report)
Processes

C:\Windows\system32\wscript.exe (PID 4004)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\_____.js
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\6178.exe (PID 428)
        command line: "C:\Users\Admin\6178.exe"
        - Suspicious use of WriteProcessMemory
        - Drops file in Windows directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Modifies system certificate store
        - Sets desktop wallpaper using registry
        C:\Windows\SysWOW64\cmd.exe (PID 1748)
            command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\vssadmin.exe (PID 2224)
                command line: vssadmin.exe Delete Shadows /All /Quiet
                - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 2484)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service

Notes on the tree:
- The execution chain is the submitted script under wscript.exe, which drops and runs 6178.exe from the user profile, which in turn launches cmd.exe to delete shadow copies and disable Windows recovery.
- cmd.exe is invoked by its System32 path but runs from SysWOW64: 6178.exe is a 32-bit process, and WoW64 file-system redirection resolves the path, which is also why vssadmin.exe comes from SysWOW64.
- Only vssadmin.exe appears as a child of cmd.exe. Neither bcdedit call in the command line is recorded as a process in this report, so deletion of shadow copies is the only recovery-inhibition step confirmed to have executed here; the bcdedit changes are intent. On a suspect host, check bcdedit /enum {default} for recoveryenabled No and bootstatuspolicy IgnoreAllFailures, and restore them with bcdedit /set {default} recoveryenabled Yes and bcdedit /set {default} bootstatuspolicy DisplayAllFailures.
- vssvc.exe is the Volume Shadow Copy service handling the vssadmin request. It runs as a service, so its parent is not part of the sample's tree and it is shown as a separate root; its signatures are side effects of the request, not sample behaviour.
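The chain above (script host, dropped executable in the user profile, cmd.exe with a chained vssadmin and bcdedit command line) is what a process-creation detection should key on, including the case this report shows where only part of the chained command is observed as a child process. The following is an added example, not code from the report or the sample: it parses a constructed, simplified process-creation log (pid|ppid|image|command line, modelled on the tree above; the parent PIDs 1234 for wscript.exe and 800 for vssvc.exe are assumed, the report does not show them), matches recovery-inhibition command lines, and reports each hit with its full ancestry. The pattern names and function names are this example's own.

```python
"""Flag the recovery-inhibition chain in process-creation records.

Added example, not part of the Triage report or the sample. SAMPLE_LOG is a
constructed, simplified log, one record per line as pid|ppid|image|cmdline,
modelled on the report's process tree. Parent PIDs 1234 and 800 are assumed.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
4004|1234|C:\\Windows\\system32\\wscript.exe|wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\_____.js
428|4004|C:\\Users\\Admin\\6178.exe|"C:\\Users\\Admin\\6178.exe"
1748|428|C:\\Windows\\SysWOW64\\cmd.exe|"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2224|1748|C:\\Windows\\SysWOW64\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2484|800|C:\\Windows\\system32\\vssvc.exe|C:\\Windows\\system32\\vssvc.exe
"""

# Command-line patterns that inhibit system recovery (shadow copies, Windows
# Recovery Environment). Matched against the whole command line, so a cmd.exe
# /c line that chains several of them yields several hits even when the
# chained children never appear as their own process records.
RECOVERY_TAMPER = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit recoveryenabled no": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "bcdedit bootstatuspolicy ignoreallfailures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> dict:
    """Parse pid|ppid|image|cmdline lines into a pid -> Proc map (cmdline may contain '|')."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestry(procs: dict, pid: int) -> list:
    """Chain from the oldest known ancestor down to pid; stops where the parent is not logged."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return list(reversed(chain))


def chain_str(procs: dict, pid: int) -> str:
    return " > ".join(f"{p.name}({p.pid})" for p in ancestry(procs, pid))


def recovery_tamper_findings(procs: dict) -> list:
    """One finding per process whose command line matches any tamper pattern."""
    findings = []
    for p in procs.values():
        hits = [name for name, rx in RECOVERY_TAMPER.items() if rx.search(p.cmdline)]
        if hits:
            findings.append({"pid": p.pid, "process": p.name, "techniques": hits,
                             "chain": chain_str(procs, p.pid)})
    return findings


def script_host_spawn_findings(procs: dict) -> list:
    """A script host (wscript/cscript/mshta) launching an image from a user-writable path."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent and parent.name in SCRIPT_HOSTS and USER_WRITABLE.search(p.image):
            findings.append({"pid": p.pid, "image": p.image, "parent": parent.name,
                             "chain": chain_str(procs, p.pid)})
    return findings


if __name__ == "__main__":
    procs = parse_log(SAMPLE_LOG)
    for finding in script_host_spawn_findings(procs) + recovery_tamper_findings(procs):
        print(finding)
```

Matching the whole command line is what makes this robust to the gap this report shows: cmd.exe (PID 1748) yields three techniques from its command line even though only the vssadmin child was ever observed, while vssadmin.exe (PID 2224) yields one. The ancestry string ties both back to wscript.exe, which is the pivot for scoping the incident to the delivered script.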