Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-04-2021 18:11
Static task
static1
Behavioral task
behavioral1
Sample
46a40ec6_by_Libranalysis.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
46a40ec6_by_Libranalysis.exe
Resource
win10v20210410
General
-
Target
46a40ec6_by_Libranalysis.exe
-
Size
121KB
-
MD5
46a40ec6d39b7530830f3047cdebaa1b
-
SHA1
a1540914b5ceb9e772ee5898e777f48e3cd57010
-
SHA256
08c2d24cb9c632f9aa84254bb673c9df04d4ac23ee07e840794e9438b06e9bd2
-
SHA512
64d3bd219e939100612242a35d36db8636a18eb962ce174284359178b6abb29c957bb1a0083015b948ff17c30e01ddd46c12824a83d0698b03372effeae0aa12
Malware Config
Extracted
C:\i4iar7-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A061A5550273C8E
http://decoder.re/8A061A5550273C8E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
46a40ec6_by_Libranalysis.exedescription ioc process File renamed C:\Users\Admin\Pictures\OptimizeDebug.tiff => \??\c:\users\admin\pictures\OptimizeDebug.tiff.i4iar7 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\users\admin\pictures\RepairGet.tiff 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\ResumeRename.tif => \??\c:\users\admin\pictures\ResumeRename.tif.i4iar7 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\users\admin\pictures\WatchReceive.tiff 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\WatchReceive.tiff => \??\c:\users\admin\pictures\WatchReceive.tiff.i4iar7 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\JoinDisconnect.raw => \??\c:\users\admin\pictures\JoinDisconnect.raw.i4iar7 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\users\admin\pictures\OptimizeDebug.tiff 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\SyncPing.tif => \??\c:\users\admin\pictures\SyncPing.tif.i4iar7 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\UninstallReceive.tif => \??\c:\users\admin\pictures\UninstallReceive.tif.i4iar7 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\RepairGet.tiff => \??\c:\users\admin\pictures\RepairGet.tiff.i4iar7 46a40ec6_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\ResolveExpand.tif => \??\c:\users\admin\pictures\ResolveExpand.tif.i4iar7 46a40ec6_by_Libranalysis.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
46a40ec6_by_Libranalysis.exedescription ioc process File opened (read-only) \??\A: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\F: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\G: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\H: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\O: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\P: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\R: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\B: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\K: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\Q: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\W: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\X: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\Y: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\E: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\M: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\N: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\S: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\U: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\V: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\I: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\J: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\L: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\T: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\Z: 46a40ec6_by_Libranalysis.exe File opened (read-only) \??\D: 46a40ec6_by_Libranalysis.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
46a40ec6_by_Libranalysis.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m8055wa9856.bmp" 46a40ec6_by_Libranalysis.exe -
Drops file in Program Files directory 27 IoCs
Processes:
46a40ec6_by_Libranalysis.exedescription ioc process File opened for modification \??\c:\program files\MeasureRestart.xlsx 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\UnpublishUnprotect.m4a 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\StartLock.temp 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\UnlockRegister.ps1xml 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\UnpublishClose.dwfx 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\CompleteLimit.jpeg 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\ConfirmOpen.sql 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\InvokeRevoke.dwg 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\BlockCheckpoint.clr 46a40ec6_by_Libranalysis.exe File created \??\c:\program files (x86)\i4iar7-readme.txt 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\JoinOpen.xlt 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\UnpublishStart.i64 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\LimitJoin.asx 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\CompleteUpdate.tiff 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\FormatUnlock.svgz 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\InvokeSubmit.xltx 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\PushSkip.3gp2 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\ShowRestore.ADT 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\PopWait.mid 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\TestInvoke.mp2v 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\ResetConvertTo.vssx 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\StartRegister.ex_ 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\UndoSwitch.vsw 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\WaitAdd.wav 46a40ec6_by_Libranalysis.exe File created \??\c:\program files\i4iar7-readme.txt 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\OptimizeExport.xlsb 46a40ec6_by_Libranalysis.exe File opened for modification \??\c:\program files\PushExport.vsdm 46a40ec6_by_Libranalysis.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
46a40ec6_by_Libranalysis.exepid process 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe 3892 46a40ec6_by_Libranalysis.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
46a40ec6_by_Libranalysis.exevssvc.exedescription pid process Token: SeDebugPrivilege 3892 46a40ec6_by_Libranalysis.exe Token: SeTakeOwnershipPrivilege 3892 46a40ec6_by_Libranalysis.exe Token: SeBackupPrivilege 204 vssvc.exe Token: SeRestorePrivilege 204 vssvc.exe Token: SeAuditPrivilege 204 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\46a40ec6_by_Libranalysis.exe"C:\Users\Admin\AppData\Local\Temp\46a40ec6_by_Libranalysis.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2684
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:204