sodinokibi | b7ae1fa5ac7ee65dffd93e9defd51b2e39a1030620560fe9eff51315e75c8885

General

Target

file.dll
Size

164KB
MD5

0192dd37e2473913dddf82b3912f928e
SHA1

d4ca6df549db7bb747ba63df70720cea68679b07
SHA256

b7ae1fa5ac7ee65dffd93e9defd51b2e39a1030620560fe9eff51315e75c8885
SHA512

939e359de10339bdf5a23990bc76e41a82d199a425931ceb0c2870babdb2204dd3dad567801e8be45d1df9500d438fe30b8b1274c7c785b64846e919b2f2c88c

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\yg2vdd-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension yg2vdd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDC946F48489C9D9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FDC946F48489C9D9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: yFJ27M1ZFtq09beXraSeJnlcx3j0fTcbGvV/Cgx2RkOtZjsApVBFUywqEjVY4UEd 2UHwDL18xIyTSkzOuHGqr3+BFAcX4szMz1eMFMkPLMknIdKqggBXSJCcQZZFCs6O ZZogN2DebV6VdPjeJAJcL0s9yR6YniK3KsW+ttMJnrh5MselqwxdCJPhOwhsheMu hAJ9YE/NKrmXAeZAnXt0DxYNPX0eJDoHwKOSFWyZ0CVhpIZYvs4lIWXpaSitbhM1 726GNWEH3GWCMiz8WqS7FOdxqSppl4ylfNI/3ctkaYLMheWiNMBwYj5e5PdUJCHY m9Rryi3nAMKU4Pq3KYWJ6x8nBP5cml7sbq5AWFr3Jm4PIC24JXTIEmiATbZsEJwJ 3u/y4YRPPYERQteB8AU61kB1NASkJ5mgHI4oZ/W+c5X9y3i886KgXnRkb3CKbiK8 6V7aqcyzGupmjcP4Qx3l0o+bGRtr1zmiQa2ZaDnIVTCby9TqiEzLFE5Xsf1ECO24 KVIFvL/+pK6mzN9gD5wFMZa3Q4vkn7uQIstjXRShyx4POEuOtQCGbOrxncRLXnJH gNhMnwUZ7Dtv3QYNuuDZBQ5AC5N1Okw0I9gMp0SpQNyklOjik/BHH0gQDvMb4KXd S9EcznsmXu1MxP31auho3+RiclCrPFqFm+VPirNxxpViCIFy3RTJ0I8rPKPLH7wL k3WPsUdp1C4DIsn3Sub//YKO7XM5K8wdtUzACvCwM0TQwharyPcORULIi0zT4gcm 8BBbnpUx9kmDlgqNfpkPRKlmrijC1yKkxTD5OnAHHfLrDT/k8fPGrDB7sN2hhkC7 Gc83ZA90ANPrANST31R72DboZUFOCgoyFAUSmwg9ib85lvvtI64d5ji2/OW2ZJkC KpJExA/B6EPe5KrnSdv/uKuU2VA05J4tUCyubugWs/PfjQ3D7xV6bkasT1n4BWjj Za+qxo6j91q9WbvZA8UuyM0zW2tCUe90Rg76Oymf0It3B5wx55F7emGE2ZVUWlyV fWb9+FHURh5AivCoTil9xMsWdJdIoD8iyTTW2gLp6/Yaa51EmA5sqA8BGPVOn3e4 Bu0QPvFpH5eb77I0S2SXNuF9BOTW89th7SLefuHMa2S0fKcSn7UGpHcxIIk= Extension name: yg2vdd ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDC946F48489C9D9

http://decryptor.cc/FDC946F48489C9D9

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 101 IoCs

Processes:

rundll32.exe

flow	pid	process
18	3600	rundll32.exe
20	3600	rundll32.exe
22	3600	rundll32.exe
24	3600	rundll32.exe
26	3600	rundll32.exe
28	3600	rundll32.exe
30	3600	rundll32.exe
31	3600	rundll32.exe
33	3600	rundll32.exe
35	3600	rundll32.exe
37	3600	rundll32.exe
40	3600	rundll32.exe
42	3600	rundll32.exe
44	3600	rundll32.exe
46	3600	rundll32.exe
49	3600	rundll32.exe
51	3600	rundll32.exe
53	3600	rundll32.exe
55	3600	rundll32.exe
57	3600	rundll32.exe
59	3600	rundll32.exe
61	3600	rundll32.exe
63	3600	rundll32.exe
65	3600	rundll32.exe
68	3600	rundll32.exe
70	3600	rundll32.exe
72	3600	rundll32.exe
74	3600	rundll32.exe
75	3600	rundll32.exe
76	3600	rundll32.exe
78	3600	rundll32.exe
80	3600	rundll32.exe
83	3600	rundll32.exe
85	3600	rundll32.exe
87	3600	rundll32.exe
89	3600	rundll32.exe
91	3600	rundll32.exe
93	3600	rundll32.exe
95	3600	rundll32.exe
97	3600	rundll32.exe
99	3600	rundll32.exe
101	3600	rundll32.exe
103	3600	rundll32.exe
105	3600	rundll32.exe
107	3600	rundll32.exe
108	3600	rundll32.exe
110	3600	rundll32.exe
112	3600	rundll32.exe
114	3600	rundll32.exe
116	3600	rundll32.exe
118	3600	rundll32.exe
120	3600	rundll32.exe
122	3600	rundll32.exe
124	3600	rundll32.exe
126	3600	rundll32.exe
128	3600	rundll32.exe
130	3600	rundll32.exe
132	3600	rundll32.exe
134	3600	rundll32.exe
136	3600	rundll32.exe
138	3600	rundll32.exe
140	3600	rundll32.exe
142	3600	rundll32.exe
144	3600	rundll32.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressConfirm.tif => \??\c:\users\admin\pictures\CompressConfirm.tif.yg2vdd	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RenameDebug.raw => \??\c:\users\admin\pictures\RenameDebug.raw.yg2vdd	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WriteExport.crw => \??\c:\users\admin\pictures\WriteExport.crw.yg2vdd	rundll32.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0kk.bmp"	rundll32.exe

Drops file in Program Files directory 22 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\program files\FindDisconnect.edrwx	rundll32.exe
File opened for modification	\??\c:\program files\JoinApprove.mpeg	rundll32.exe
File opened for modification	\??\c:\program files\ProtectUse.001	rundll32.exe
File opened for modification	\??\c:\program files\RevokeRestart.pot	rundll32.exe
File opened for modification	\??\c:\program files\ConvertToRegister.xml	rundll32.exe
File created	\??\c:\program files (x86)\yg2vdd-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\AssertMove.aifc	rundll32.exe
File opened for modification	\??\c:\program files\NewRegister.dib	rundll32.exe
File opened for modification	\??\c:\program files\PushSelect.contact	rundll32.exe
File opened for modification	\??\c:\program files\RequestResolve.txt	rundll32.exe
File opened for modification	\??\c:\program files\UndoExit.dwfx	rundll32.exe
File opened for modification	\??\c:\program files\WriteRequest.AAC	rundll32.exe
File created	\??\c:\program files\yg2vdd-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ResizeStart.rm	rundll32.exe
File opened for modification	\??\c:\program files\WriteLock.jtx	rundll32.exe
File opened for modification	\??\c:\program files\CopyClear.tif	rundll32.exe
File opened for modification	\??\c:\program files\ClearProtect.asp	rundll32.exe
File opened for modification	\??\c:\program files\RepairPush.iso	rundll32.exe
File opened for modification	\??\c:\program files\TraceGroup.ppt	rundll32.exe
File opened for modification	\??\c:\program files\UninstallUnregister.htm	rundll32.exe
File opened for modification	\??\c:\program files\WatchEnter.mhtml	rundll32.exe
File opened for modification	\??\c:\program files\AddRemove.dxf	rundll32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

rundll32.exepowershell.exe

pid process

3600 rundll32.exe
3600 rundll32.exe
3132 powershell.exe
3132 powershell.exe
3132 powershell.exe

pid	process
3600	rundll32.exe
3600	rundll32.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3600	rundll32.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeBackupPrivilege	800	vssvc.exe
Token: SeRestorePrivilege	800	vssvc.exe
Token: SeAuditPrivilege	800	vssvc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3988 wrote to memory of 3600	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 3600	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 3600	3988	rundll32.exe	rundll32.exe
PID 3600 wrote to memory of 3132	3600	rundll32.exe	powershell.exe
PID 3600 wrote to memory of 3132	3600	rundll32.exe	powershell.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3132-1-0x0000000000000000-mapping.dmp

Download
memory/3132-2-0x00007FFCBF860000-0x00007FFCC024C000-memory.dmp

Filesize
9.9MB

Download
memory/3132-3-0x0000020919A80000-0x0000020919A81000-memory.dmp

Filesize
4KB

Download
memory/3132-4-0x000002091BE40000-0x000002091BE41000-memory.dmp

Filesize
4KB

Download
memory/3600-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads