General
Target: 0114183087da12ff757505a2a13eadf3.bat
Size: 221B
Sample: 200804-9zl3nv2v7e
MD5: 0037a823920b7141736a18b53ea6858f
SHA1: 6632e28571b04910e97f9305a13b57ea06ff09a4
SHA256: af6f3062596268dda5ce47e9bf6315f59cfa76b7aaaa809a76f6bdd69b4a6593
SHA512: 39f35183c367850e5e63b63c1a6dc176498d5a80afb4b5314f8df7ac63f9b50519d76783cbc47e42068d54eee860d14515cbd6619f41c3061b9cde0b76e31a07
Static task: static1
Behavioral task: behavioral1
- Sample: 0114183087da12ff757505a2a13eadf3.bat
- Resource: win7
Behavioral task: behavioral2
- Sample: 0114183087da12ff757505a2a13eadf3.bat
- Resource: win10v200722
Malware Config
Extracted: http://185.103.242.78/pastes/0114183087da12ff757505a2a13eadf3
Extracted: C:\xwrf360-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9B3215501D5403EC
- http://decryptor.cc/9B3215501D5403EC
Targets
Target: 0114183087da12ff757505a2a13eadf3.bat
Score: 10/10
- Sodin, Sodinokibi, REvil: Ransomware with advanced anti-analysis and privilege escalation functionality.
- ServiceHost packer: Detects ServiceHost packer used for .NET malware.
- Blacklisted process makes network request
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Enumerates connected drives
- Drops file in System32 directory
- Modifies service
- Sets desktop wallpaper using registry