General
Target: RKSMMKvy.bat
Size: 193B
Sample: 191216-8e2x7afq6x
MD5: 35818e3d4c0b214106de897863a58fbc
SHA1: 80162eb2b61656eb95a4cb0443b7df68fdf05a48
SHA256: b9269af79a7cd80e9d3f2d664b6ca4290dd45c34a17e274f97b15c16f96d6bbe
SHA512: 826dd0496081d5e5cd294b5d02be64d6c959326b49f353e54a2956f0e507ea291ce653b178d4eff35896fe4f5c860a2592f72906475f4529a6af1695d9c64314
Task: task1
Sample: RKSMMKvy.bat
Resource: win7v191014

Malware Config
Extracted: http://185.103.242.78/pastes/RKSMMKvy
Extracted: C:\8pw8hwno77-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30C76631120F4269
- http://decryptor.top/30C76631120F4269
Targets
Target: RKSMMKvy.bat (193B; hashes as listed under General)
Family: Sodin, Sodinokibi, REvil
Description: Ransomware with advanced anti-analysis and privilege escalation functionality

Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Program crash
- Adds Run entry to start application
- Checks for installed software on the system
- Discovering connected drives
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry