sodinokibi | 29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c | Triage

Sharing

General

Target

hvQ21ebW.bat
Size

191B
Sample

200210-zhad2w5n5s
MD5

7eb2eb2bf474386d8d7eef5ee2aaf3ef
SHA1

c9789a38150044b9ca8a4b9d350df691611f1861
SHA256

29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c
SHA512

827139be92e830cc7e7d6ac935327fe8960508ecb5e59cf338fb3cd2cc7cda12ae5686f15709bf5fec2cfb399912a9803f7b372601802bcd27e928072638b512

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/hvQ21ebW

Targets

- Target
  
  hvQ21ebW.bat
- Size
  
  191B
- MD5
  
  7eb2eb2bf474386d8d7eef5ee2aaf3ef
- SHA1
  
  c9789a38150044b9ca8a4b9d350df691611f1861
- SHA256
  
  29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c
- SHA512
  
  827139be92e830cc7e7d6ac935327fe8960508ecb5e59cf338fb3cd2cc7cda12ae5686f15709bf5fec2cfb399912a9803f7b372601802bcd27e928072638b512
Score

10^/10

ransomware sodinokibi persistence
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality
  ransomware sodinokibi
- Blacklisted process makes network request
- Program crash
- Discovering connected drives
  ransomware
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

ransomwaresodinokibipersistence

behavioral2