Analysis
-
max time kernel
124s -
max time network
156s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
20-08-2020 13:04
Static task
static1
Behavioral task
behavioral1
Sample
d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5.bin.exe.dll
Resource
win7v200722
Behavioral task
behavioral2
Sample
d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5.bin.exe.dll
Resource
win10
General
-
Target
d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5.bin.exe.dll
-
Size
116KB
-
MD5
f8c9fd29c9cded8ceda5876b41666f70
-
SHA1
35d95ecbdb2045906e7d61f10495af1a009b413e
-
SHA256
d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5
-
SHA512
c7f44b93315e606d75096e2fd54a826bd808e30ea9344f82ceb9238b608f6ff6e95619c7c40a7253b10d9b1ab8d4184be726d6f0c3f114e3986eac74a8491197
Malware Config
Extracted
C:\57d82d60c7-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4CAA9B11342EBA93
http://decryptor.cc/4CAA9B11342EBA93
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 157 IoCs
Processes:
rundll32.exeflow pid process 3 884 rundll32.exe 5 884 rundll32.exe 7 884 rundll32.exe 8 884 rundll32.exe 10 884 rundll32.exe 15 884 rundll32.exe 17 884 rundll32.exe 18 884 rundll32.exe 20 884 rundll32.exe 22 884 rundll32.exe 24 884 rundll32.exe 27 884 rundll32.exe 29 884 rundll32.exe 31 884 rundll32.exe 33 884 rundll32.exe 35 884 rundll32.exe 37 884 rundll32.exe 39 884 rundll32.exe 41 884 rundll32.exe 43 884 rundll32.exe 45 884 rundll32.exe 47 884 rundll32.exe 49 884 rundll32.exe 51 884 rundll32.exe 52 884 rundll32.exe 54 884 rundll32.exe 55 884 rundll32.exe 56 884 rundll32.exe 57 884 rundll32.exe 58 884 rundll32.exe 59 884 rundll32.exe 60 884 rundll32.exe 61 884 rundll32.exe 63 884 rundll32.exe 64 884 rundll32.exe 66 884 rundll32.exe 67 884 rundll32.exe 69 884 rundll32.exe 70 884 rundll32.exe 73 884 rundll32.exe 74 884 rundll32.exe 77 884 rundll32.exe 78 884 rundll32.exe 80 884 rundll32.exe 81 884 rundll32.exe 83 884 rundll32.exe 84 884 rundll32.exe 86 884 rundll32.exe 88 884 rundll32.exe 90 884 rundll32.exe 92 884 rundll32.exe 94 884 rundll32.exe 96 884 rundll32.exe 97 884 rundll32.exe 99 884 rundll32.exe 101 884 rundll32.exe 102 884 rundll32.exe 104 884 rundll32.exe 105 884 rundll32.exe 107 884 rundll32.exe 109 884 rundll32.exe 111 884 rundll32.exe 112 884 rundll32.exe 114 884 rundll32.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File renamed C:\Users\Admin\Pictures\CompareUnprotect.crw => \??\c:\users\admin\pictures\CompareUnprotect.crw.57d82d60c7 rundll32.exe -
Enumerates connected drives 3 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt rundll32.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2u1o08x.bmp" rundll32.exe -
Drops file in Program Files directory 30 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\program files\MeasureNew.avi rundll32.exe File opened for modification \??\c:\program files\RestartRepair.txt rundll32.exe File opened for modification \??\c:\program files\SplitGrant.sql rundll32.exe File opened for modification \??\c:\program files\TraceMove.cr2 rundll32.exe File opened for modification \??\c:\program files\UpdateProtect.eprtx rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\57d82d60c7-readme.txt rundll32.exe File opened for modification \??\c:\program files\ConvertFromInstall.wmv rundll32.exe File opened for modification \??\c:\program files\ExitEnable.html rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\57d82d60c7-readme.txt rundll32.exe File opened for modification \??\c:\program files\OptimizeUninstall.rmi rundll32.exe File opened for modification \??\c:\program files\PushNew.htm rundll32.exe File created \??\c:\program files\57d82d60c7-readme.txt rundll32.exe File opened for modification \??\c:\program files\ClearPush.css rundll32.exe File opened for modification \??\c:\program files\MoveSearch.avi rundll32.exe File created \??\c:\program files (x86)\57d82d60c7-readme.txt rundll32.exe File opened for modification \??\c:\program files\CompleteConnect.vsw rundll32.exe File opened for modification \??\c:\program files\SelectUnlock.m4v rundll32.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\57d82d60c7-readme.txt rundll32.exe File opened for modification \??\c:\program files\PublishSplit.temp rundll32.exe File opened for modification \??\c:\program files\RegisterRepair.reg rundll32.exe File opened for modification \??\c:\program files\MergeDismount.vssm rundll32.exe File opened for modification \??\c:\program files\ClearGrant.wmf rundll32.exe File opened for modification \??\c:\program files\DenyOptimize.ttf rundll32.exe File opened for modification \??\c:\program files\ConvertToDebug.htm rundll32.exe File opened for modification \??\c:\program files\ReceiveOpen.emz rundll32.exe File opened for modification \??\c:\program files\RequestConvertFrom.easmx rundll32.exe File opened for modification \??\c:\program files\EnterConvertTo.mpeg rundll32.exe File opened for modification \??\c:\program files\InitializeWait.xhtml rundll32.exe File opened for modification \??\c:\program files\ConvertFromNew.DVR rundll32.exe File opened for modification \??\c:\program files\DebugSkip.jfif rundll32.exe -
Processes:
rundll32.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF\Blob = 43000000010000000000000004000000010000001000000074014a91b108c458ce47cdf0dd1153080f0000000100000014000000ff99b1116eca7b69f516900dea2d12202453b5111900000001000000100000000790dd35d0de1a5516689a62748c58eb03000000010000001400000085a408c09c193e5d51587dcdd61330fd8cde37bf1d000000010000001000000048c1184e28125121aeeef1a32ce0d46714000000010000001400000031c3791bbaf553d717e0897a2d176c0ab32b9d33090000000100000016000000301406082b0601050507030406082b060105050703010b0000000100000036000000440065007500740073006300680065002000540065006c0065006b006f006d00200052006f006f0074002000430041002000320000002000000001000000a30300003082039f30820287a003020102020126300d06092a864886f70d01010505003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3939303730393132313130305a170d3139303730393233353930305a3071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100ab0ba335e08b2914b11485af3c10e4396f355d4aaeddea618d9549f46f64a31a6066a4a9402284d9d4a5e578930e6801adb94d5c3aced3b8a84240dfcfa3ba82596a921bac1c9ada082b2527f9692347f1e0eb2c7a9bf51302d07e347cc29e3c0059abf5da0cf5323c2bac50dad6c3de8394caa80c99320e0848565b6afbdae1585801495f72413c1506018e5dadaab893b4cd9eeba7e86a2d5234db3aef5c7551dadbf331f9ee719832c45415440cf99b55edaddf1808a0a3868a49ee53058f194cd5de58799bd26a1c42abc5d5a7cf680f96e4e161987661c8917cd63e00e2915087e19d0ae6ad97d21dc63a7dcbbcda0334d58e5b01f56a07b716b66e4a7f0203010001a3423040301d0603551d0e0416041431c3791bbaf553d717e0897a2d176c0ab32b9d33300f0603551d13040830060101ff020105300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100946459ad3964e729eb13fe5ac38b1357c80424f07477c060e367fbe989a683bf96827c6ed4c33def9e806ebb29b4987ab13b54eb3917477e1a8e0bfc1f31593104b2ce17f32cc7623655e222d88955b49848aa64fad61c36d844785a5a233a5797f57a304fae9f6a4c4b2b8ea003e33ee0a9d4d27bd2b3a8e2723cad9eff8059e49b45b4f63bb0cd39199832e5ea216190e431218e34b1f72f354a8510dae78a3721be5963e0f285883153d45414857079f42e067727752f1fb88af9fec5bad836e483ece765b7bf635af346af819437d4418cd623d61ecff5681b4463a25abaa73559a1e570059b0e235799940a6dba3963288692f31884d8fbd1cf05566457 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b19000000010000001000000082218ffb91733e64136be5719f57c3a1040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be034140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
rundll32.exepowershell.exepid process 884 rundll32.exe 1460 powershell.exe 1460 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
rundll32.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 884 rundll32.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeBackupPrivilege 1848 vssvc.exe Token: SeRestorePrivilege 1848 vssvc.exe Token: SeAuditPrivilege 1848 vssvc.exe Token: SeTakeOwnershipPrivilege 884 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 612 wrote to memory of 884 612 rundll32.exe rundll32.exe PID 884 wrote to memory of 1460 884 rundll32.exe powershell.exe PID 884 wrote to memory of 1460 884 rundll32.exe powershell.exe PID 884 wrote to memory of 1460 884 rundll32.exe powershell.exe PID 884 wrote to memory of 1460 884 rundll32.exe powershell.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5.bin.exe.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d91fb28bbaf54e85e5a87e608c2bb630e7be06815f17541d680823faab4a8fb5.bin.exe.dll,#12⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1616
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1848