General

Target: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Size: 179KB
Sample: 230209-rx1t7afg7z
MD5: d3624ff1fd9a8d7866a1578359716a55
SHA1: 66813f8263a1c8a53e8d6fece8a307e2ba5fa342
SHA256: 60c49baa290de5336e5903286d1e8ff8b8b833046a63be00966695dc9d3f6dbb
SHA512: 97da304352f0a37071ae935879af3531e33dd580e50f768521e2e12986f155d7a1b09e755cef20f720f3e9bb9608258e2fd37f32e5aca5cf611cfa4dfa8e0ee9
SSDEEP: 3072:rNKQ4JTBg0Q8F63VETed7/kBazzFbUL7npOStSWQ:rNn4FQS63VE6F/M4q30TJ
Behavioral task: behavioral1
Sample: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Resource: win10v2004-20221111-en
Malware Config

Extracted
Path: C:\q29go-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D90AD6D62A20EAD
http://decryptor.top/9D90AD6D62A20EAD
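Added example, not part of the sandbox report and not REvil's own code: a small offline Python triage script built from the indicators above. It matches files against the report's hashes in one streaming pass and locates REvil-style ransom notes (named <extension>-readme.txt, q29go here), pulling the payment URLs and the per-victim ID that both URLs share (9D90AD6D62A20EAD) and counting files that carry the extension. The note text in the demo is constructed for the example; the filename and URL regexes and all helper names are assumptions.

```python
"""Offline triage helpers built from the indicators in this report (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes copied from the report above; keys are hashlib algorithm names.
REPORT_HASHES = {
    "md5": "d3624ff1fd9a8d7866a1578359716a55",
    "sha1": "66813f8263a1c8a53e8d6fece8a307e2ba5fa342",
    "sha256": "60c49baa290de5336e5903286d1e8ff8b8b833046a63be00966695dc9d3f6dbb",
    "sha512": "97da304352f0a37071ae935879af3531e33dd580e50f768521e2e12986f155d7"
              "a1b09e755cef20f720f3e9bb9608258e2fd37f32e5aca5cf611cfa4dfa8e0ee9",
}

# REvil names its note "<ext>-readme.txt", <ext> being the random extension it
# appends to encrypted files (q29go in this sample). Length bounds are an assumption.
NOTE_NAME_RE = re.compile(r"^(?P<ext>[a-z0-9]{4,10})-readme\.txt$", re.IGNORECASE)

# Both URLs in the extracted config end in the same hex victim ID; capture host and ID.
PAYMENT_URL_RE = re.compile(
    r"https?://(?P<host>[a-z0-9.-]+\.(?:onion|top))/(?P<vid>[0-9a-f]{8,32})\b", re.IGNORECASE
)


def _digests(chunks):
    """Run every algorithm in REPORT_HASHES over an iterable of byte chunks."""
    hashes = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    return _digests([data])


def file_hashes(path, chunk_size=1 << 20):
    """Stream a file through all four algorithms in a single pass."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def matches_report(path):
    """Names of the report's hashes that the file at `path` matches (empty if none)."""
    digests = file_hashes(path)
    return [name for name, value in digests.items() if value == REPORT_HASHES[name]]


def parse_ransom_note(text):
    """Extract payment URLs and the victim ID(s) they carry from ransom-note text."""
    urls, victim_ids = [], set()
    for m in PAYMENT_URL_RE.finditer(text):
        urls.append(m.group(0))
        victim_ids.add(m.group("vid").upper())
    # A genuine note carries one ID on every URL; anything else is worth a second look.
    return {"urls": urls, "victim_ids": sorted(victim_ids), "consistent": len(victim_ids) == 1}


def scan_tree(root):
    """Find ransom notes under `root`, parse them, and count files carrying the extension."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        m = NOTE_NAME_RE.match(path.name)
        if not path.is_file() or not m:
            continue
        ext = m.group("ext")
        encrypted = [p for p in root.rglob(f"*.{ext}") if p.is_file()]
        finding = {"note": str(path), "ext": ext, "encrypted_count": len(encrypted)}
        finding.update(parse_ransom_note(path.read_text(errors="replace")))
        findings.append(finding)
    return findings


# Constructed note text for the demo; only the two URLs come from the report's config.
CONSTRUCTED_NOTE = (
    "Your files are encrypted (constructed example note, not the real q29go-readme.txt)\n"
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D90AD6D62A20EAD\n"
    "http://decryptor.top/9D90AD6D62A20EAD\n"
)


def demo():
    """Build a throwaway tree resembling a hit host and return what the scanners report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "q29go-readme.txt").write_text(CONSTRUCTED_NOTE)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xlsx.q29go").write_bytes(b"\x00" * 64)  # stand-in ciphertext
        (root / "docs" / "notes.txt").write_text("untouched")
        findings = scan_tree(root)
        benign_hits = matches_report(root / "docs" / "notes.txt")
        return findings, benign_hits


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

Run it against a suspect host's share or a mounted disk image by calling scan_tree(path); the per-victim ID it pulls from the note is what ties separate hosts to one intrusion, and matches_report gives a quick yes/no on whether a recovered binary is this exact sample rather than a sibling build.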
Targets

Target: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Size: 179KB
MD5: d3624ff1fd9a8d7866a1578359716a55
SHA1: 66813f8263a1c8a53e8d6fece8a307e2ba5fa342
SHA256: 60c49baa290de5336e5903286d1e8ff8b8b833046a63be00966695dc9d3f6dbb
SHA512: 97da304352f0a37071ae935879af3531e33dd580e50f768521e2e12986f155d7a1b09e755cef20f720f3e9bb9608258e2fd37f32e5aca5cf611cfa4dfa8e0ee9
SSDEEP: 3072:rNKQ4JTBg0Q8F63VETed7/kBazzFbUL7npOStSWQ:rNn4FQS63VE6F/M4q30TJ
Score: 10/10

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files
Ransomware generally changes the extension on encrypted files; here the per-victim extension (q29go) also names the dropped note, q29go-readme.txt.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence: REvil exits without encrypting when the system language or keyboard layout belongs to a CIS-region locale.

Drops desktop.ini file(s)

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.

Sets desktop wallpaper using registry
Replaces the desktop background through the wallpaper value under HKCU\Control Panel\Desktop, so the ransom message is shown on login.