Analysis
- max time kernel: 148s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-05-2021 17:05
Static task: static1
Behavioral task: behavioral1
- Sample: c647b2da_by_Libranalysis.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: c647b2da_by_Libranalysis.exe
- Resource: win10v20210408
General
- Target: c647b2da_by_Libranalysis.exe
- Size: 116KB
- MD5: c647b2da83ef8e1a790d1e0e25898780
- SHA1: 02871c02e581ad345f1c438b6c8c730cf2d2f534
- SHA256: 6c5ddbe058da35b2731fe10234520a6bb78604f860ed4188a1bd07e62fe4ec11
- SHA512: f169ebc4ffbb3d0cf8f526e0cde89706b4521086ccb0f7653cd881b595aae2727891e8ea3eb6bace263d704b0ef9a0151094c03b7c1800cb5d4e54eaaf3453e7
Malware Config
Extracted from: C:\p21mh6-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CED483BA5A4A89BF
  - http://decoder.re/CED483BA5A4A89BF
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: c647b2da_by_Libranalysis.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\i1neMACrFU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c647b2da_by_Libranalysis.exe"
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: c647b2da_by_Libranalysis.exe
  - File opened (read-only), 24 drive roots, in the order recorded: \??\O:, \??\T:, \??\V:, \??\Y:, \??\P:, \??\R:, \??\S:, \??\A:, \??\G:, \??\I:, \??\J:, \??\L:, \??\W:, \??\Z:, \??\B:, \??\F:, \??\H:, \??\K:, \??\N:, \??\E:, \??\M:, \??\Q:, \??\U:, \??\X:
- Drops file in Program Files directory (31 IoCs)
  Process: c647b2da_by_Libranalysis.exe
  - File opened for modification: \??\c:\program files\EnableWrite.TTS
  - File opened for modification: \??\c:\program files\SendAssert.iso
  - File opened for modification: \??\c:\program files\WriteSearch.wm
  - File opened for modification: \??\c:\program files\BackupCompare.emf
  - File opened for modification: \??\c:\program files\MergeSuspend.search-ms
  - File opened for modification: \??\c:\program files\StartInitialize.au
  - File opened for modification: \??\c:\program files\UnregisterEnter.asf
  - File opened for modification: \??\c:\program files\WaitAssert.nfo
  - File opened for modification: \??\c:\program files\ConvertToMount.otf
  - File opened for modification: \??\c:\program files\LimitPing.pot
  - File opened for modification: \??\c:\program files\ResolveSet.tmp
  - File opened for modification: \??\c:\program files\ResolveTest.mp2
  - File opened for modification: \??\c:\program files\ConnectUpdate.rar
  - File opened for modification: \??\c:\program files\FormatMeasure.cfg
  - File opened for modification: \??\c:\program files\FormatWatch.xml
  - File opened for modification: \??\c:\program files\InitializeSearch.reg
  - File opened for modification: \??\c:\program files\RegisterInvoke.mpeg3
  - File opened for modification: \??\c:\program files\RepairAdd.iso
  - File opened for modification: \??\c:\program files\BackupPing.mid
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\p21mh6-readme.txt
  - File opened for modification: \??\c:\program files\UseProtect.rtf
  - File opened for modification: \??\c:\program files\ExportUnprotect.vstx
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\p21mh6-readme.txt
  - File created: \??\c:\program files (x86)\p21mh6-readme.txt
  - File opened for modification: \??\c:\program files\ConvertToApprove.vstm
  - File opened for modification: \??\c:\program files\PingDisconnect.mp3
  - File opened for modification: \??\c:\program files\SplitConvert.potx
  - File created: \??\c:\program files\p21mh6-readme.txt
  - File opened for modification: \??\c:\program files\DismountSplit.wmf
  - File opened for modification: \??\c:\program files\StartConfirm.TTS
  - File opened for modification: \??\c:\program files\AssertApprove.css
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: c647b2da_by_Libranalysis.exe
  - PID 940: c647b2da_by_Libranalysis.exe
  - PID 940: c647b2da_by_Libranalysis.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: c647b2da_by_Libranalysis.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 940, c647b2da_by_Libranalysis.exe
  - Token: SeTakeOwnershipPrivilege, PID 940, c647b2da_by_Libranalysis.exe
  - Token: SeBackupPrivilege, PID 868, vssvc.exe
  - Token: SeRestorePrivilege, PID 868, vssvc.exe
  - Token: SeAuditPrivilege, PID 868, vssvc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c647b2da_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c647b2da_by_Libranalysis.exe"
  PID: 940
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 484
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 868
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/940-60-0x0000000075051000-0x0000000075053000-memory.dmp (Filesize: 8KB)