Analysis
-
max time kernel
129s -
max time network
116s -
platform
windows7_x64 -
resource
win7 -
submitted
20-08-2020 13:04
Static task
static1
Behavioral task
behavioral1
Sample
f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
Resource
win7
Behavioral task
behavioral2
Sample
f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
Resource
win10v200722
General
-
Target
f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
-
Size
116KB
-
MD5
53fd5fc16a31ab15167c9a804e3c7c14
-
SHA1
88b14c8f851f04c9d595ff3ae441bcf52489df08
-
SHA256
f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992
-
SHA512
085c5f4a8ec87c5b714cd8b4016170aa97ef80b2ec70a175f10e3a7e6c83b76aa30bcf76923cc2621fba42ee7015e452814b7d0f42f3de2146c2284a0145d3c0
Malware Config
Extracted
C:\2f198om7d-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A185E370551E4C6
http://decryptor.cc/0A185E370551E4C6
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 194 IoCs
Processes:
rundll32.exeflow pid process 2 1184 rundll32.exe 3 1184 rundll32.exe 5 1184 rundll32.exe 7 1184 rundll32.exe 8 1184 rundll32.exe 10 1184 rundll32.exe 11 1184 rundll32.exe 13 1184 rundll32.exe 14 1184 rundll32.exe 16 1184 rundll32.exe 18 1184 rundll32.exe 20 1184 rundll32.exe 22 1184 rundll32.exe 23 1184 rundll32.exe 25 1184 rundll32.exe 27 1184 rundll32.exe 29 1184 rundll32.exe 31 1184 rundll32.exe 32 1184 rundll32.exe 34 1184 rundll32.exe 35 1184 rundll32.exe 37 1184 rundll32.exe 38 1184 rundll32.exe 39 1184 rundll32.exe 41 1184 rundll32.exe 43 1184 rundll32.exe 45 1184 rundll32.exe 47 1184 rundll32.exe 49 1184 rundll32.exe 50 1184 rundll32.exe 52 1184 rundll32.exe 54 1184 rundll32.exe 55 1184 rundll32.exe 57 1184 rundll32.exe 60 1184 rundll32.exe 61 1184 rundll32.exe 63 1184 rundll32.exe 64 1184 rundll32.exe 66 1184 rundll32.exe 68 1184 rundll32.exe 69 1184 rundll32.exe 71 1184 rundll32.exe 72 1184 rundll32.exe 74 1184 rundll32.exe 75 1184 rundll32.exe 77 1184 rundll32.exe 78 1184 rundll32.exe 80 1184 rundll32.exe 81 1184 rundll32.exe 83 1184 rundll32.exe 85 1184 rundll32.exe 86 1184 rundll32.exe 88 1184 rundll32.exe 90 1184 rundll32.exe 91 1184 rundll32.exe 93 1184 rundll32.exe 95 1184 rundll32.exe 96 1184 rundll32.exe 98 1184 rundll32.exe 100 1184 rundll32.exe 101 1184 rundll32.exe 104 1184 rundll32.exe 105 1184 rundll32.exe 107 1184 rundll32.exe -
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File renamed C:\Users\Admin\Pictures\DenyExport.tiff => \??\c:\users\admin\pictures\DenyExport.tiff.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\MoveUnprotect.raw => \??\c:\users\admin\pictures\MoveUnprotect.raw.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\SetAdd.tif => \??\c:\users\admin\pictures\SetAdd.tif.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\ShowCopy.png => \??\c:\users\admin\pictures\ShowCopy.png.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\ReadFind.raw => \??\c:\users\admin\pictures\ReadFind.raw.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\TraceSkip.tif => \??\c:\users\admin\pictures\TraceSkip.tif.2f198om7d rundll32.exe File opened for modification \??\c:\users\admin\pictures\DenyExport.tiff rundll32.exe File opened for modification \??\c:\users\admin\pictures\TraceCompare.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\RegisterClear.raw => \??\c:\users\admin\pictures\RegisterClear.raw.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\SwitchResolve.png => \??\c:\users\admin\pictures\SwitchResolve.png.2f198om7d rundll32.exe File renamed C:\Users\Admin\Pictures\TraceCompare.tiff => \??\c:\users\admin\pictures\TraceCompare.tiff.2f198om7d rundll32.exe -
Enumerates connected drives 3 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt rundll32.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3j7m.bmp" rundll32.exe -
Drops file in Program Files directory 43 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\program files\InstallWatch.asf rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\2f198om7d-readme.txt rundll32.exe File opened for modification \??\c:\program files\RevokeUnblock.ppt rundll32.exe File opened for modification \??\c:\program files\SplitResume.wpl rundll32.exe File opened for modification \??\c:\program files\SuspendEnter.mpv2 rundll32.exe File opened for modification \??\c:\program files\UnregisterMerge.emf rundll32.exe File opened for modification \??\c:\program files\ConvertFromSuspend.TS rundll32.exe File opened for modification \??\c:\program files\ProtectFind.mid rundll32.exe File opened for modification \??\c:\program files\ResumeConvertTo.mp3 rundll32.exe File opened for modification \??\c:\program files\SplitEnable.tmp rundll32.exe File opened for modification \??\c:\program files\LimitUnblock.dwfx rundll32.exe File opened for modification \??\c:\program files\AddSuspend.xlt rundll32.exe File opened for modification \??\c:\program files\CloseGrant.vbs rundll32.exe File opened for modification \??\c:\program files\LockGrant.M2T rundll32.exe File opened for modification \??\c:\program files\OptimizeInvoke.rar rundll32.exe File opened for modification \??\c:\program files\SyncConnect.mhtml rundll32.exe File opened for modification \??\c:\program files\UnpublishInitialize.jtx rundll32.exe File created \??\c:\program files (x86)\2f198om7d-readme.txt rundll32.exe File opened for modification \??\c:\program files\ExportSuspend.tmp rundll32.exe File opened for modification \??\c:\program files\SkipEnter.jtx rundll32.exe File opened for modification \??\c:\program files\SwitchUnlock.ttc rundll32.exe File opened for modification \??\c:\program files\CompleteTrace.mid rundll32.exe File opened for modification \??\c:\program files\ApprovePop.rtf rundll32.exe File opened for modification \??\c:\program files\ConfirmWait.wmf rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\2f198om7d-readme.txt rundll32.exe File created \??\c:\program files\2f198om7d-readme.txt rundll32.exe File opened for modification \??\c:\program files\LimitSkip.vssm rundll32.exe File opened for modification \??\c:\program files\PopRestore.txt rundll32.exe File opened for modification \??\c:\program files\RepairDeny.wps rundll32.exe File opened for modification \??\c:\program files\SearchRegister.doc rundll32.exe File opened for modification \??\c:\program files\InstallSuspend.iso rundll32.exe File opened for modification \??\c:\program files\ExitProtect.pub rundll32.exe File opened for modification \??\c:\program files\GrantMove.clr rundll32.exe File opened for modification \??\c:\program files\InstallTrace.cr2 rundll32.exe File opened for modification \??\c:\program files\ExitOpen.tif rundll32.exe File opened for modification \??\c:\program files\CompleteLock.css rundll32.exe File opened for modification \??\c:\program files\PublishExport.mpe rundll32.exe File opened for modification \??\c:\program files\SubmitJoin.mht rundll32.exe File opened for modification \??\c:\program files\TestAdd.M2T rundll32.exe File opened for modification \??\c:\program files\UnregisterInstall.vstx rundll32.exe File opened for modification \??\c:\program files\UnregisterUpdate.vdw rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\2f198om7d-readme.txt rundll32.exe File opened for modification \??\c:\program files\ApprovePop.vbs rundll32.exe -
Processes:
rundll32.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
rundll32.exepowershell.exepid process 1184 rundll32.exe 828 powershell.exe 828 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
rundll32.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1184 rundll32.exe Token: SeDebugPrivilege 828 powershell.exe Token: SeBackupPrivilege 1792 vssvc.exe Token: SeRestorePrivilege 1792 vssvc.exe Token: SeAuditPrivilege 1792 vssvc.exe Token: SeTakeOwnershipPrivilege 1184 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1156 wrote to memory of 1184 1156 rundll32.exe rundll32.exe PID 1184 wrote to memory of 828 1184 rundll32.exe powershell.exe PID 1184 wrote to memory of 828 1184 rundll32.exe powershell.exe PID 1184 wrote to memory of 828 1184 rundll32.exe powershell.exe PID 1184 wrote to memory of 828 1184 rundll32.exe powershell.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#12⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1456
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1792