Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
05-08-2020 12:35
Static task
static1
Behavioral task
behavioral1
Sample
evil.exe
Resource
win7
Behavioral task
behavioral2
Sample
evil.exe
Resource
win10v200722
General
-
Target
evil.exe
-
Size
157KB
-
MD5
cbf729eace9735977cf545be8f37a28f
-
SHA1
a247e58c2671283b0889db953af284517d75668b
-
SHA256
80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765
-
SHA512
115f1f3ae9900eda0d1c19fdb7b7a35d0cf4392831a54190c9c51ffe67463f888a58a4ce4edfd8cea72bd4359be755e82f5b1a6d1ccc2a324b8db37e95b32bb9
Malware Config
Extracted
C:\odt\mof2o3o9.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/703CE496AE2B5312
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
evil.exedescription ioc process File renamed C:\Users\Admin\Pictures\FormatMerge.png => C:\Users\Admin\Pictures\FormatMerge.png.mof2o3o9 evil.exe File renamed C:\Users\Admin\Pictures\GetBlock.crw => C:\Users\Admin\Pictures\GetBlock.crw.mof2o3o9 evil.exe File renamed C:\Users\Admin\Pictures\ResolveGrant.raw => C:\Users\Admin\Pictures\ResolveGrant.raw.mof2o3o9 evil.exe File renamed C:\Users\Admin\Pictures\SyncDismount.raw => C:\Users\Admin\Pictures\SyncDismount.raw.mof2o3o9 evil.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
evil.execmd.exedescription pid process target process PID 1928 wrote to memory of 640 1928 evil.exe cmd.exe PID 1928 wrote to memory of 640 1928 evil.exe cmd.exe PID 1928 wrote to memory of 640 1928 evil.exe cmd.exe PID 640 wrote to memory of 1000 640 cmd.exe vssadmin.exe PID 640 wrote to memory of 1000 640 cmd.exe vssadmin.exe PID 640 wrote to memory of 1000 640 cmd.exe vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 468 vssvc.exe Token: SeRestorePrivilege 468 vssvc.exe Token: SeAuditPrivilege 468 vssvc.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1000 vssadmin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
evil.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9zb7f8p11b.bmp" evil.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
evil.exepid process 1928 evil.exe 1928 evil.exe -
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Windows directory 2108 IoCs
Processes:
evil.exedescription ioc process File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_10.0.15063.0_none_105acb72b1898804_lucon.ttf_76ed00f1 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_2655bd395ad3f038_sens.dll.mui_64739194 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_862002b5f3ade598.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_en-us_2fe8c1faaca6f250_samsrv.dll.mui_32250491 evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_453845783036acd5.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_et-ee_67d1f793253502c0.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_d6a49a3e7445e0ae_bootmgr.efi.mui_be5d0075 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_he-il_404f12a54e01d1c8_comctl32.dll.mui_0da4e682 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.15063.0_none_ec0ee8641d359fdf_windows.ui.xaml.phone.dll_f3375243 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_en-us_7f2aa019e80ba70a_userdeviceregistration.ngc.dll.mui_d2c6ca95 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.15063.0_none_e2c299561290de8e_msasn1.dll_e56dbc57 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.15063.0_none_85ed41598f9336e6.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_d8c07703ded57c9e.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.15063.0_none_0ea4cb22c39b2f3e_wldap32.dll_09c99dc1 evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sl-si_55950d3867c13540_comctl32.dll.mui_0da4e682 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.15063.0_none_98ae07171eea9e46.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_14df7debb094c606_msimsg.dll.mui_72e8994f evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_1141baa620971e6b_msimsg.dll.mui_72e8994f evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ko-kr_2be6bd0c24508f49_comctl32.dll.mui_0da4e682 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f2e55c68b9b08e2_certprop.dll.mui_602eaab4 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0_ucrtbase.dll_a00b9625 evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_72e9ed34808e8431_msimsg.dll.mui_72e8994f evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_1d6a7473dd864fbc_bootmgfw.efi.mui_a6e78cfa evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40850.fon_5e8f5479 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.15063.0_none_790e90d47316785c.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.15063.0_none_e90c5eeaeffd537f_tcpip.sys_3339bd51 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpsvc.dll_2d2efa15 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2c356fb707873159_memtest.exe.mui_77b8cbcc evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_c7862ae75f80dbe7.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.15063.0_none_e5fbbfb47ce3ad1f.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.15063.0_none_44fadb58fe4497d9.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sv-se_3d51cb70dfbd2866.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-coresystemminpnp_31bf3856ad364e35_10.0.15063.0_none_25c594c5597fd699.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_e71b894d9eb700bd_wship6.dll_db4127c3 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fi-fi_f892f9b169daaca2_comctl32.dll.mui_0da4e682 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_505ddd3c336d55b8.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_b2b63099374d63dc_windows.ui.xaml.maps.dll_b092594a evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootnxt_07e7ea74 evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sr-..-rs_fbc5757cdcd2dc71.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302_applockercsp.dll.mui_d2a0df70 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bebc164cdf01a737.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.15063.0_none_67eb29450cc6d505_ktmw32.dll_835a43ee evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_b2b63099374d63dc.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.15063.0_none_d3bbda919a7b39f1_mswsock.dll_e2ad0f2d evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_05f11f02c39a39ea_bootmgfw.efi.mui_a6e78cfa evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.15063.0_none_44fadb58fe4497d9_dwm.exe_04cf416e evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_cvgafix.fon_c20a9ed9 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77_iprtrmgr.dll_50f5fe79 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_5977f50474c0ba78_comctl32.dll.mui_0da4e682 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_439feb4b4bf29ff6.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_8efb8f901141355a.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d6f50d621285b042.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_ce5152af8ee877a4.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9_bootmgr.efi.mui_be5d0075 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.15063.0_none_69eab77b34fc657e.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.15063.0_none_b6f8740d3f5e547a.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nb-no_b6e3d3e4670da360.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_21e0c564d3266f5e.manifest evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga860.fon_07129997 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f_volsnap.sys_d7206f48 evil.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_en-us_60ce145177b6c10a_wininit.exe.mui_997435f5 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..rservice-extensions_31bf3856ad364e35_10.0.15063.0_none_dda2d70f5ef170e7_umpoext.dll_fd62cdf4 evil.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-gb_5223dd027971150e.manifest evil.exe -
Processes:
evil.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB evil.exe Set value (data) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f evil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\evil.exe"C:\Users\Admin\AppData\Local\Temp\evil.exe"1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
- Modifies system certificate store
PID:1928 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1000
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:468