General
Target: wKmecP8k.bat
Size: 198B
Sample: 191216-t3y4krh43n
MD5: ae956bed6eeab863c79e3cb580bd0134
SHA1: aed4786822253bbe27f96ab4c02edbcb01af5304
SHA256: a2d1bfcdf15107fc32cacf9b39a4eb453610f20fc79328e3428c1551cf03e356
SHA512: 2f6c713b6c9e76f9b0172c6e3597eae5915060d40f2a0a9776dfb41358d2c934c14c367351029824fac76f3162ec42f95a31e4ce57151aaa6d5e606bd6c626cb
Task: task1
Sample: wKmecP8k.bat
Resource: win7v191014
Malware Config
Extracted: http://185.103.242.78/pastes/wKmecP8k
Extracted: C:\o0371501r-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC6570002F081545
http://decryptor.top/EC6570002F081545
Targets
Sodin, Sodinokibi, REvil: Ransomware with advanced anti-analysis and privilege escalation functionality
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Program crash
- Adds Run entry to start application
- Checks for installed software on the system
- Discovering connected drives
- Checks system information in the registry (system information is often read in order to detect sandboxing environments)
- Drops file in System32 directory
- Sets desktop wallpaper using registry