General
Target: FXjmVaAr.bat
Size: 191 B
Sample: 191216-9wp86eee42
MD5: ebad7b94b99fb3386465e77210c54f52
SHA1: 61750cae595d1c2e1dd2e0f8c555591fda091f01
SHA256: 9c515a50aaef088617ac6f3f9396df6b091bcaa4ada69b8f9e265a22cba70fc8
SHA512: ae401bd8d48905954a295f53f151b13384f60ec54e5d63e0f444bcb0e64d88e42bada9d19bde9cb0d44e3762362abd6fd4b9dcad8baaf0622f097f82c3ea8b08
Task: task1
Sample: FXjmVaAr.bat
Resource: win7v191014

Malware Config
Extracted: http://185.103.242.78/pastes/FXjmVaAr
Extracted: C:\7m13v0-readme.txt
Family: sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E4C9A8D522314F7
http://decryptor.top/9E4C9A8D522314F7
Targets
Sodin, Sodinokibi, REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality
Suspicious use of NtCreateUserProcessOtherParentProcess
Program crash
Checks for installed software on the system
Discovering connected drives
Checks system information in the registry
    System information is often read in order to detect sandboxing environments.
Drops file in System32 directory
Sets desktop wallpaper using registry