General
Target: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.zip
Size: 17KB
Sample: 220211-w8cc7aefcj
MD5: c05d45bb045c196472c7bc51f90389a3
SHA1: 197d33bda32ecc09aec730b7ba91a70d859a7a41
SHA256: 90561835c00d32961a5d49e4fc883e70a1685119e0618b93f7256c1b7e9baa0f
SHA512: 11f4d4cef7111a026250596725e8253c5462a489e238b011d683310892fcd7a9f906886b6a4b74463d3c3065484dc87366e735b426314f399f9aba1621178407
Static task: static1
Behavioral task: behavioral1
  Sample: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
  Resource: win10v2004-en-20220112
Malware Config
Extracted: C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
  sodinokibi
  http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion
  http://decryptor.top/913AED0B5FE1497D
Extracted: C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
  sodinokibi
  http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion
  http://decryptor.top/913AED0B5FE1497D
Targets
Target: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
Size: 107KB
MD5: 40c01e02dd940c2b3ca1466799da68fd
SHA1: daa2b8467edff06bf3f8cc926534bc088049a092
SHA256: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96
SHA512: 831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5
Score: 10/10
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry