sodinokibi | 5ce9cc906365d7b8b504d946dd31f3a37c290972ad6966972689524abaa6d12a | Triage

Sharing

General

Target

j6tiKu2h.bat
Size

197B
Sample

200210-cj8nlrxwk6
MD5

050369defab123655788bb4b8aab241f
SHA1

807cb1878569950049819f6a8122a760bf41624c
SHA256

5ce9cc906365d7b8b504d946dd31f3a37c290972ad6966972689524abaa6d12a
SHA512

55df33527936776d38b1a893f6e6f621eca96dad1b2d90903213697b7a0d50e274212818b20c06e00fb8d597a11231d6181d53d605e9d0c5b1983d034bf73026

Score

10^/10

sodinokibi evasion persistence ransomware spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/j6tiKu2h

Targets

- Target
  
  j6tiKu2h.bat
- Size
  
  197B
- MD5
  
  050369defab123655788bb4b8aab241f
- SHA1
  
  807cb1878569950049819f6a8122a760bf41624c
- SHA256
  
  5ce9cc906365d7b8b504d946dd31f3a37c290972ad6966972689524abaa6d12a
- SHA512
  
  55df33527936776d38b1a893f6e6f621eca96dad1b2d90903213697b7a0d50e274212818b20c06e00fb8d597a11231d6181d53d605e9d0c5b1983d034bf73026
Score

10^/10

persistence ransomware evasion spyware trojan sodinokibi
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality
  ransomware sodinokibi
- Blacklisted process makes network request
- Program crash
- Discovering connected drives
  ransomware
- Modifies system certificate store
  evasion spyware trojan
- Drops file in System32 directory
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

persistenceransomwareevasionspywaretrojansodinokibi

behavioral2