Analysis
Max time kernel: 34s
Max time network: 32s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 03-05-2021 17:05
The signatures and process list below come from the windows10_x64 run (resource win10v20210408, behavioral2); a second behavioral task ran the same sample on win7v20210410.

Static task: static1
Behavioral task: behavioral1
  Sample: fc12ec1b_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: fc12ec1b_by_Libranalysis.exe
  Resource: win10v20210408

General
Target: fc12ec1b_by_Libranalysis.exe
Size: 143KB
MD5: fc12ec1b213c77784a3f52f8a4b97a24
SHA1: 49d119a9b8ec4ef7cace0259144033358b154bcf
SHA256: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f
SHA512: a5224870826d5511a919a3070ad1866d74015f40b1d69f4c7944e0551a7a5ab75532ba26cad289f86bdfaf96e3b61f024ab05a953f7afa18bd69c8d68b79de46
Malware Config
Extracted from: C:\t8t2o54-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6FFE74DD5F2D1EB6
  http://decoder.re/6FFE74DD5F2D1EB6
The Tor and clearnet URLs share the path segment 6FFE74DD5F2D1EB6, the identifier the note uses to direct this infection to its payment page. The note file is written to the drive root and, as the IoCs below show, to both Program Files directories; its name carries the same token (t8t2o54) that is appended to encrypted files.
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename recorded here appends .t8t2o54 to the original name, the same token that names the ransom note (t8t2o54-readme.txt); a file is opened for modification and then renamed, which is the encrypt-then-rename order.
Process: fc12ec1b_by_Libranalysis.exe
  File renamed  C:\Users\Admin\Pictures\ReadOptimize.raw => \??\c:\users\admin\pictures\ReadOptimize.raw.t8t2o54
  File opened for modification  \??\c:\users\admin\pictures\RequestAdd.tiff
  File renamed  C:\Users\Admin\Pictures\RequestAdd.tiff => \??\c:\users\admin\pictures\RequestAdd.tiff.t8t2o54
  File opened for modification  \??\c:\users\admin\pictures\StopUninstall.tiff
  File renamed  C:\Users\Admin\Pictures\StopUninstall.tiff => \??\c:\users\admin\pictures\StopUninstall.tiff.t8t2o54
  File renamed  C:\Users\Admin\Pictures\TraceSet.tif => \??\c:\users\admin\pictures\TraceSet.tif.t8t2o54
  File renamed  C:\Users\Admin\Pictures\UnregisterMerge.raw => \??\c:\users\admin\pictures\UnregisterMerge.raw.t8t2o54
  File renamed  C:\Users\Admin\Pictures\EnterExport.raw => \??\c:\users\admin\pictures\EnterExport.raw.t8t2o54
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are recorded for this signature in this run; only the TTP mapping is shown.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The sample opened every drive letter from A: to Z: except C:, so it walks the whole letter range rather than querying only mounted volumes.
Process: fc12ec1b_by_Libranalysis.exe
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\D:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\X:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
The new wallpaper is a .bmp written to the logged-on user's Temp directory; the value is set in that user's hive (SID ...-1000), not HKLM. The doubled backslashes are the report's escaping of the string value.
Process: fc12ec1b_by_Libranalysis.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z2xtc21py.bmp"
Drops file in Program Files directory (20 IoCs)
Eighteen existing files under Program Files are opened for modification, and the ransom note t8t2o54-readme.txt is created in both Program Files and Program Files (x86). Writing there requires more than a standard user token, which matches the privilege use recorded below.
Process: fc12ec1b_by_Libranalysis.exe
  File opened for modification  \??\c:\program files\ConfirmEnter.WTV
  File opened for modification  \??\c:\program files\ConvertToGrant.wm
  File opened for modification  \??\c:\program files\SelectMount.m3u
  File created  \??\c:\program files\t8t2o54-readme.txt
  File opened for modification  \??\c:\program files\PublishSubmit.cfg
  File opened for modification  \??\c:\program files\SearchShow.xml
  File opened for modification  \??\c:\program files\UndoNew.TTS
  File opened for modification  \??\c:\program files\UnlockWatch.aiff
  File opened for modification  \??\c:\program files\InvokeCheckpoint.xltx
  File opened for modification  \??\c:\program files\RemoveEdit.DVR
  File opened for modification  \??\c:\program files\ResumeDismount.ini
  File opened for modification  \??\c:\program files\SkipStart.mp4v
  File opened for modification  \??\c:\program files\UnlockUnprotect.rm
  File opened for modification  \??\c:\program files\UseExport.htm
  File opened for modification  \??\c:\program files\WatchOpen.css
  File created  \??\c:\program files (x86)\t8t2o54-readme.txt
  File opened for modification  \??\c:\program files\AddSearch.jpg
  File opened for modification  \??\c:\program files\CompressExpand.jpeg
  File opened for modification  \??\c:\program files\TraceMerge.dxf
  File opened for modification  \??\c:\program files\UnprotectWrite.pdf
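The three file-system signatures on this page (Modifies extensions of user files, Enumerates connected drives, Drops file in Program Files directory) can be turned into a triage check that derives the encryption extension from the rename events, counts the non-system drive roots probed, and confirms that the created ransom note is named after that same extension. The script below is an added example for this report, not sandbox output or REvil code; its input is a constructed subset of the IoC rows above reduced to the "<description> <ioc>" text the report prints, and the parsing rules and the drive-count threshold are the analyst's assumptions rather than a documented schema.

```python
"""Derive ransomware artefacts from sandbox file and drive events.

Added example for this report, not part of the sandbox output. The event
lines below are constructed from a subset of the IoC rows on this page,
reduced to the "<description> <ioc>" text the report prints; the parsing
rules are an analyst's assumption about that text, not a documented schema.
"""
import re
from collections import Counter

# Constructed sample input: IoC rows copied from the report, one per line.
EVENTS = r"""
File renamed C:\Users\Admin\Pictures\ReadOptimize.raw => \??\c:\users\admin\pictures\ReadOptimize.raw.t8t2o54
File opened for modification \??\c:\users\admin\pictures\RequestAdd.tiff
File renamed C:\Users\Admin\Pictures\RequestAdd.tiff => \??\c:\users\admin\pictures\RequestAdd.tiff.t8t2o54
File renamed C:\Users\Admin\Pictures\TraceSet.tif => \??\c:\users\admin\pictures\TraceSet.tif.t8t2o54
File opened (read-only) \??\H:
File opened (read-only) \??\M:
File opened (read-only) \??\Z:
File opened (read-only) \??\D:
File opened (read-only) \??\A:
File opened (read-only) \??\E:
File opened (read-only) \??\F:
File opened (read-only) \??\K:
File created \??\c:\program files\t8t2o54-readme.txt
File opened for modification \??\c:\program files\UnprotectWrite.pdf
File created \??\c:\program files (x86)\t8t2o54-readme.txt
"""

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):$")
CREATED_RE = re.compile(r"^File created (?P<path>.+)$")


def parse_events(text):
    """Split the report text into rename pairs, drive letters and created paths."""
    renames, drives, created = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := RENAME_RE.match(line):
            renames.append((m["src"], m["dst"]))
        elif m := DRIVE_RE.match(line):
            drives.append(m["letter"])
        elif m := CREATED_RE.match(line):
            created.append(m["path"])
    return renames, drives, created


def basename(path):
    return path.rsplit("\\", 1)[-1]


def appended_extension(renames):
    """Return the one suffix appended by every rename, or None.

    Names are compared case-insensitively: the report prints the source in
    Win32 casing and the destination as a lower-cased NT device path.
    """
    suffixes = Counter()
    for src, dst in renames:
        src_name, dst_name = basename(src).lower(), basename(dst).lower()
        if dst_name.startswith(src_name + "."):
            suffixes[dst_name[len(src_name) + 1:]] += 1
    return next(iter(suffixes)) if len(suffixes) == 1 else None


def drives_probed(drives, exclude=("C",)):
    """Distinct drive roots opened, minus the system drive the signature ignores."""
    return sorted(set(drives) - set(exclude))


def ransom_note_names(created, ext):
    """Created files named <ext>-<something>.txt, the note pattern seen here."""
    if not ext:
        return []
    names = {basename(p) for p in created}
    return sorted(n for n in names
                  if n.lower().startswith(ext.lower() + "-") and n.lower().endswith(".txt"))


def triage(text, drive_threshold=5):
    """Summarise the three ransomware tells this report exhibits."""
    renames, drives, created = parse_events(text)
    ext = appended_extension(renames)
    probed = drives_probed(drives)
    notes = ransom_note_names(created, ext)
    return {
        "extension": ext,
        "renamed_count": len(renames),
        "drives_probed": probed,
        # A user binary touching this many non-system drive roots in one short
        # run is the enumeration pattern; the threshold is an analyst choice.
        "mass_drive_enumeration": len(probed) >= drive_threshold,
        "ransom_notes": notes,
        "note_matches_extension": bool(notes),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Run against the full IoC list on this page the extension resolves to t8t2o54, 25 drive letters are reported, and both created notes match the extension. The extension check deliberately returns None when renames disagree, so a trace that appends several different suffixes is not mistaken for this single-extension family.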
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: fc12ec1b_by_Libranalysis.exe
  PID 640  fc12ec1b_by_Libranalysis.exe (four process-enumeration events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: fc12ec1b_by_Libranalysis.exe, vssvc.exe
  Token: SeDebugPrivilege  640  fc12ec1b_by_Libranalysis.exe
  Token: SeTakeOwnershipPrivilege  640  fc12ec1b_by_Libranalysis.exe
  Token: SeBackupPrivilege  2252  vssvc.exe
  Token: SeRestorePrivilege  2252  vssvc.exe
  Token: SeAuditPrivilege  2252  vssvc.exe
Only the first two rows belong to the sample: SeDebugPrivilege lets it open other processes, and SeTakeOwnershipPrivilege lets it take ownership of files its token could not otherwise write. The backup, restore and audit privileges belong to vssvc.exe, the Volume Shadow Copy service, not to the sample; the report records that the service ran during the analysis but not what caused it to start.
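The AdjustPrivilegeToken rows mix a user-launched binary with a system service, and the useful question is which process enabled privileges outside what that image normally needs. The script below is an added example for this report, not sandbox output; it takes the five rows above as constructed "Token: <privilege> <pid> <image>" lines, and both the list of high-value privileges and the per-image baseline (vssvc.exe being expected to hold backup and restore rights) are the analyst's assumptions rather than a documented Windows or sandbox rule.

```python
"""Classify AdjustPrivilegeToken events from a sandbox report.

Added example for this report, not part of the sandbox output. The input is
constructed from this page's five IoC rows in "Token: <privilege> <pid>
<image>" form. The set of high-value privileges and the per-image baseline
are an analyst's assumptions, not a documented Windows or sandbox rule.
"""
import re
from collections import defaultdict

# Constructed sample input: the five token rows from this report.
TOKEN_EVENTS = """\
Token: SeDebugPrivilege 640 fc12ec1b_by_Libranalysis.exe
Token: SeTakeOwnershipPrivilege 640 fc12ec1b_by_Libranalysis.exe
Token: SeBackupPrivilege 2252 vssvc.exe
Token: SeRestorePrivilege 2252 vssvc.exe
Token: SeAuditPrivilege 2252 vssvc.exe
"""

TOKEN_RE = re.compile(
    r"^Token:\s+(?P<priv>Se\w+Privilege)\s+(?P<pid>\d+)\s+(?P<image>\S+)$"
)

# Privileges an ordinary user-launched binary has no business enabling, with
# the capability each one confers (analyst-chosen list; extend as needed).
HIGH_VALUE = {
    "SeDebugPrivilege": "open and inject into other processes",
    "SeTakeOwnershipPrivilege": "take ownership of files its token cannot write",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Baseline per system image (assumption): vssvc.exe is the Volume Shadow Copy
# service and needs backup/restore rights to do its job, so those are expected.
EXPECTED_BY_IMAGE = {
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"},
}


def parse_token_events(text):
    """Group enabled privileges by (pid, image)."""
    by_process = defaultdict(set)
    for line in text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            by_process[(int(m["pid"]), m["image"])].add(m["priv"])
    return dict(by_process)


def classify(by_process):
    """Flag processes that enable high-value privileges outside their baseline."""
    findings = []
    for (pid, image), privs in sorted(by_process.items()):
        expected = EXPECTED_BY_IMAGE.get(image.lower(), set())
        hits = sorted(p for p in privs - expected if p in HIGH_VALUE)
        findings.append({
            "pid": pid,
            "image": image,
            "privileges": sorted(privs),
            "unexpected_high_value": hits,
            "suspicious": bool(hits),
            "capabilities": [HIGH_VALUE[p] for p in hits],
        })
    return findings


def suspicious_pids(text):
    """Convenience wrapper: PIDs worth a closer look in this trace."""
    return [f["pid"] for f in classify(parse_token_events(text)) if f["suspicious"]]


if __name__ == "__main__":
    for f in classify(parse_token_events(TOKEN_EVENTS)):
        flag = "SUSPICIOUS" if f["suspicious"] else "baseline"
        print(f"{f['pid']:>5} {f['image']:<35} {flag}: {', '.join(f['privileges'])}")
```

On this page's rows PID 640 is flagged for SeDebugPrivilege and SeTakeOwnershipPrivilege while PID 2252 stays at baseline; the same SeBackupPrivilege that is normal for vssvc.exe is flagged when any other image enables it, which is the distinction a detection should make rather than alerting on the privilege name alone.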
Processes
The report lists all three processes at the top level of the tree, so it records no parent-child link between the sample and the two system processes.

C:\Users\Admin\AppData\Local\Temp\fc12ec1b_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc12ec1b_by_Libranalysis.exe"
  PID: 640
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4088
  (WMI client callback sink, started as a COM server; no signatures attributed)

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2252
  - Suspicious use of AdjustPrivilegeToken
  (Volume Shadow Copy service; the trace shows it running but not what requested it)