General
Target: Sm5WHtYm.bat
Size: 193B
Sample: 200505-s7ybt5gp8e
MD5: 89479f503f8853ef6d980710e78294c3
SHA1: 816b60d4a2d1038ad57182c3356639a7f595e519
SHA256: 94da60b220dfc957c34baa5386d0758c38afb21752e7bc55bf7a0ee19bd752b1
SHA512: ae9a1fb7b5f6e95e07cf2515e55dd6d4d98ae2b40af5995c645bf9c808b8326894ed1f98ebd678594f3ea259af28dffabf29419573e7923a9984a55ea419d61d
Static task: static1
Behavioral task: behavioral1
  Sample: Sm5WHtYm.bat
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: Sm5WHtYm.bat
  Resource: win10v200430

Malware Config
Extracted: http://185.103.242.78/pastes/Sm5WHtYm
Extracted: C:\8372l6bpv-readme.txt
  sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/15CF157DDDA55355
  http://decryptor.cc/15CF157DDDA55355
Targets
Target: Sm5WHtYm.bat
Size: 193B
MD5: 89479f503f8853ef6d980710e78294c3
SHA1: 816b60d4a2d1038ad57182c3356639a7f595e519
SHA256: 94da60b220dfc957c34baa5386d0758c38afb21752e7bc55bf7a0ee19bd752b1
SHA512: ae9a1fb7b5f6e95e07cf2515e55dd6d4d98ae2b40af5995c645bf9c808b8326894ed1f98ebd678594f3ea259af28dffabf29419573e7923a9984a55ea419d61d

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

- Blacklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Modifies service
- Sets desktop wallpaper using registry