Analysis
max time kernel: 149s
max time network: 156s
platform: windows10_x64
resource: win10v20210408
submitted: 03-05-2021 18:04
Static task: static1
Behavioral task: behavioral1
  Sample: d599cfe7_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d599cfe7_by_Libranalysis.exe
  Resource: win10v20210408
General
Target: d599cfe7_by_Libranalysis.exe
Size: 161KB
MD5: d599cfe7691e8499941d7e4f0d51616c
SHA1: 843070b5c802a5dbc9afbbdf03ee1153f3249165
SHA256: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507
SHA512: f04a3e88dc69641e0682d6e74a7ac75f80e06924f3d25987e74674d9dabac040a70164cfa241078954274cb164c45bccdba3d06cd026934f66a12460a3add2e6
Malware Config
Extracted from: C:\6e1y1v9-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6B44EFE9392B6AD1
  http://decryptor.top/6B44EFE9392B6AD1
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\StopUninstall.tiff => \??\c:\users\admin\pictures\StopUninstall.tiff.6e1y1v9 | d599cfe7_by_Libranalysis.exe
  File renamed | C:\Users\Admin\Pictures\TraceSet.tif => \??\c:\users\admin\pictures\TraceSet.tif.6e1y1v9 | d599cfe7_by_Libranalysis.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterMerge.raw => \??\c:\users\admin\pictures\UnregisterMerge.raw.6e1y1v9 | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\users\admin\pictures\RequestAdd.tiff | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\users\admin\pictures\StopUninstall.tiff | d599cfe7_by_Libranalysis.exe
  File renamed | C:\Users\Admin\Pictures\EnterExport.raw => \??\c:\users\admin\pictures\EnterExport.raw.6e1y1v9 | d599cfe7_by_Libranalysis.exe
  File renamed | C:\Users\Admin\Pictures\ReadOptimize.raw => \??\c:\users\admin\pictures\ReadOptimize.raw.6e1y1v9 | d599cfe7_by_Libranalysis.exe
  File renamed | C:\Users\Admin\Pictures\RequestAdd.tiff => \??\c:\users\admin\pictures\RequestAdd.tiff.6e1y1v9 | d599cfe7_by_Libranalysis.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\6e1y1v9-readme.txt | d599cfe7_by_Libranalysis.exe
  File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\5c4c3ad0.lock | d599cfe7_by_Libranalysis.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\T: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\Y: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\I: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\M: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\R: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\S: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\Q: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\V: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\W: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\X: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\F: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\J: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\L: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\P: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\D: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\Z: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\B: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\E: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\K: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\U: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\O: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\A: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\G: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\H: | d599cfe7_by_Libranalysis.exe
  File opened (read-only) | \??\N: | d599cfe7_by_Libranalysis.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f8158p2mq5uo.bmp" | d599cfe7_by_Libranalysis.exe
Drops file in Program Files directory (22 IoCs)
Processes:
  description | ioc | process
  File created | \??\c:\program files (x86)\6e1y1v9-readme.txt | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\ConfirmEnter.WTV | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\RemoveEdit.DVR | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\TraceMerge.dxf | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\UndoNew.TTS | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\UseExport.htm | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\WatchOpen.css | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\AddSearch.jpg | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\CompressExpand.jpeg | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\PublishSubmit.cfg | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\SearchShow.xml | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\SkipStart.mp4v | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\UnlockWatch.aiff | d599cfe7_by_Libranalysis.exe
  File created | \??\c:\program files (x86)\5c4c3ad0.lock | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\ConvertToGrant.wm | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\InvokeCheckpoint.xltx | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\ResumeDismount.ini | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\UnlockUnprotect.rm | d599cfe7_by_Libranalysis.exe
  File created | \??\c:\program files\6e1y1v9-readme.txt | d599cfe7_by_Libranalysis.exe
  File created | \??\c:\program files\5c4c3ad0.lock | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\SelectMount.m3u | d599cfe7_by_Libranalysis.exe
  File opened for modification | \??\c:\program files\UnprotectWrite.pdf | d599cfe7_by_Libranalysis.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1340 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  648 | d599cfe7_by_Libranalysis.exe
  648 | d599cfe7_by_Libranalysis.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeBackupPrivilege | 2120 | vssvc.exe
  Token: SeRestorePrivilege | 2120 | vssvc.exe
  Token: SeAuditPrivilege | 2120 | vssvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 648 wrote to memory of 3828 | 648 | d599cfe7_by_Libranalysis.exe | cmd.exe
  PID 648 wrote to memory of 3828 | 648 | d599cfe7_by_Libranalysis.exe | cmd.exe
  PID 648 wrote to memory of 3828 | 648 | d599cfe7_by_Libranalysis.exe | cmd.exe
  PID 3828 wrote to memory of 1340 | 3828 | cmd.exe | vssadmin.exe
  PID 3828 wrote to memory of 1340 | 3828 | cmd.exe | vssadmin.exe
  PID 3828 wrote to memory of 1340 | 3828 | cmd.exe | vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe"
  PID: 648
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 3828
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 1340
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2120
  - Suspicious use of AdjustPrivilegeToken