Analysis

max time kernel: 139s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 03-05-2021 17:05

Static task: static1
Behavioral task: behavioral1
  Sample: d599cfe7_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d599cfe7_by_Libranalysis.exe
  Resource: win10v20210410

General

Target: d599cfe7_by_Libranalysis.exe
Size: 161KB
MD5: d599cfe7691e8499941d7e4f0d51616c
SHA1: 843070b5c802a5dbc9afbbdf03ee1153f3249165
SHA256: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507
SHA512: f04a3e88dc69641e0682d6e74a7ac75f80e06924f3d25987e74674d9dabac040a70164cfa241078954274cb164c45bccdba3d06cd026934f66a12460a3add2e6
Malware Config

Extracted from: C:\3m53gkg0-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2882DB172660CA09
  http://decryptor.top/2882DB172660CA09
Signatures

Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: d599cfe7_by_Libranalysis.exe (all entries)
    description | ioc
    File renamed | C:\Users\Admin\Pictures\ReadMeasure.tif => \??\c:\users\admin\pictures\ReadMeasure.tif.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\ReceiveTest.tif => \??\c:\users\admin\pictures\ReceiveTest.tif.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\SuspendInstall.crw => \??\c:\users\admin\pictures\SuspendInstall.crw.3m53gkg0
    File opened for modification | \??\c:\users\admin\pictures\CompareSend.tiff
    File renamed | C:\Users\Admin\Pictures\CompareCheckpoint.tif => \??\c:\users\admin\pictures\CompareCheckpoint.tif.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\CompareSend.tiff => \??\c:\users\admin\pictures\CompareSend.tiff.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\NewUnregister.tif => \??\c:\users\admin\pictures\NewUnregister.tif.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\LimitRead.png => \??\c:\users\admin\pictures\LimitRead.png.3m53gkg0
    File opened for modification | \??\c:\users\admin\pictures\ConfirmUndo.tiff
    File opened for modification | \??\c:\users\admin\pictures\EnterRegister.tiff
    File renamed | C:\Users\Admin\Pictures\ConfirmUndo.tiff => \??\c:\users\admin\pictures\ConfirmUndo.tiff.3m53gkg0
    File renamed | C:\Users\Admin\Pictures\EnterRegister.tiff => \??\c:\users\admin\pictures\EnterRegister.tiff.3m53gkg0
Drops startup file (2 IoCs)
  Processes: d599cfe7_by_Libranalysis.exe (all entries)
    description | ioc
    File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\3m53gkg0-readme.txt
    File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\5c4c3ad0.lock
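The two sections above show the file-side footprint of this sample: every encrypted file is renamed with the same appended per-victim extension (.3m53gkg0), files are "opened for modification" before their rename, a 5c4c3ad0.lock marker is created, and the ransom note is named after the extension (3m53gkg0-readme.txt). The following is an added example, not part of the sandbox report or of the sandbox's own parser, that recovers those facts mechanically from IoC lines of this shape: it infers the appended extension from the rename pairs, pairs "opened for modification" events with the later rename to show the encrypt-in-place pattern, and locates the matching note. The input is a constructed subset of this report's IoCs; the helper names are the example's own.

```python
import re
from collections import Counter

# Constructed input: a subset of the IoC lines from the 'Modifies extensions of
# user files' and 'Drops startup file' sections of this report, as
# (description, ioc) pairs.  All were attributed to d599cfe7_by_Libranalysis.exe.
IOCS = [
    ("File renamed", r"C:\Users\Admin\Pictures\ReadMeasure.tif => \??\c:\users\admin\pictures\ReadMeasure.tif.3m53gkg0"),
    ("File renamed", r"C:\Users\Admin\Pictures\LimitRead.png => \??\c:\users\admin\pictures\LimitRead.png.3m53gkg0"),
    ("File opened for modification", r"\??\c:\users\admin\pictures\ConfirmUndo.tiff"),
    ("File opened for modification", r"\??\c:\users\admin\pictures\EnterRegister.tiff"),
    ("File renamed", r"C:\Users\Admin\Pictures\ConfirmUndo.tiff => \??\c:\users\admin\pictures\ConfirmUndo.tiff.3m53gkg0"),
    ("File renamed", r"C:\Users\Admin\Pictures\EnterRegister.tiff => \??\c:\users\admin\pictures\EnterRegister.tiff.3m53gkg0"),
    ("File created", r"\??\c:\users\admin\appdata\roaming\microsoft\word\startup\3m53gkg0-readme.txt"),
    ("File created", r"\??\c:\users\admin\appdata\roaming\microsoft\word\startup\5c4c3ad0.lock"),
    ("File created", r"\??\c:\program files\3m53gkg0-readme.txt"),
]

RENAME = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")


def normalize(path):
    """Fold case and drop the NT object-manager prefix the sandbox records on
    destination paths, so a Win32 source path and an NT destination path compare equal."""
    # The prefix is the four characters \??\ (backslash, ?, ?, backslash).
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(src, dst):
    """Return the extension appended to src to produce dst (e.g. '3m53gkg0'),
    or None when dst is not simply src plus one more extension."""
    s, d = normalize(src), normalize(dst)
    if d.startswith(s + ".") and len(d) > len(s) + 1:
        return d[len(s) + 1:]
    return None


def rename_pairs(iocs):
    """Yield (src, dst) for every 'File renamed' IoC."""
    for desc, ioc in iocs:
        if desc == "File renamed":
            m = RENAME.match(ioc)
            if m:
                yield m["src"], m["dst"]


def infer_extension(iocs):
    """Most common appended suffix across renames, with its count.  One suffix
    covering every rename is the ransomware pattern; a spread of different
    suffixes would point at ordinary file activity instead."""
    suffixes = [appended_suffix(src, dst) for src, dst in rename_pairs(iocs)]
    counts = Counter(s for s in suffixes if s)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def encrypted_in_place(iocs, ext):
    """Files opened for modification and later renamed with ext: the sample writes
    the ciphertext into the original file, then renames it (encrypt in place)."""
    renamed = {normalize(src) for src, dst in rename_pairs(iocs) if appended_suffix(src, dst) == ext}
    modified = [normalize(ioc) for desc, ioc in iocs if desc == "File opened for modification"]
    return sorted(p for p in modified if p in renamed)


def ransom_notes(iocs, ext):
    """Created files named <ext>-readme.txt, the note naming this report shows."""
    want = "\\" + ext + "-readme.txt"
    return sorted(normalize(ioc) for desc, ioc in iocs
                  if desc == "File created" and normalize(ioc).endswith(want))


def summarize(iocs):
    ext, n = infer_extension(iocs)
    return {
        "extension": ext,
        "renamed": n,
        "encrypted_in_place": encrypted_in_place(iocs, ext) if ext else [],
        "notes": ransom_notes(iocs, ext) if ext else [],
    }


if __name__ == "__main__":
    for key, value in summarize(IOCS).items():
        print(f"{key}: {value}")
```

Run against the full IoC list of a report, the same functions give the affected-file count per directory and the note locations, which is what an incident responder needs to scope recovery; the extension inferred here also feeds the ransom note name (`<ext>-readme.txt`) that the Malware Config section was extracted from.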
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: d599cfe7_by_Libranalysis.exe (all entries)
    description | ioc
    File opened (read-only) | \??\L: \??\N: \??\R: \??\S: \??\U: \??\X: \??\Z: \??\A: \??\H: \??\I: \??\G: \??\T: \??\Y: \??\D: \??\B: \??\E: \??\F: \??\J: \??\K: \??\M: \??\O: \??\P: \??\Q: \??\V: \??\W:
    (25 drive roots in the order recorded: every letter except C:)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: d599cfe7_by_Libranalysis.exe
    description | ioc
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kt8g3t0.bmp"
Drops file in Program Files directory (33 IoCs)
  Processes: d599cfe7_by_Libranalysis.exe (all entries)
    description | ioc
    File opened for modification | \??\c:\program files\FindResize.nfo
    File opened for modification | \??\c:\program files\FormatConvert.vssm
    File opened for modification | \??\c:\program files\ReadLimit.wma
    File opened for modification | \??\c:\program files\SearchFormat.pptx
    File created | \??\c:\program files (x86)\5c4c3ad0.lock
    File opened for modification | \??\c:\program files\ConvertFromWait.zip
    File opened for modification | \??\c:\program files\ConvertResize.tmp
    File opened for modification | \??\c:\program files\ExpandStep.aif
    File opened for modification | \??\c:\program files\StopSend.ADTS
    File opened for modification | \??\c:\program files\UnprotectConfirm.svg
    File created | \??\c:\program files\5c4c3ad0.lock
    File opened for modification | \??\c:\program files\SetRepair.TTS
    File opened for modification | \??\c:\program files\TraceRegister.mp2v
    File created | \??\c:\program files (x86)\3m53gkg0-readme.txt
    File opened for modification | \??\c:\program files\InstallUpdate.ADTS
    File opened for modification | \??\c:\program files\SavePop.snd
    File opened for modification | \??\c:\program files\SetFind.gif
    File created | \??\c:\program files\3m53gkg0-readme.txt
    File opened for modification | \??\c:\program files\CheckpointResolve.txt
    File opened for modification | \??\c:\program files\GetEdit.tif
    File opened for modification | \??\c:\program files\HideAssert.MTS
    File opened for modification | \??\c:\program files\HideSuspend.ttc
    File opened for modification | \??\c:\program files\MoveUnprotect.mpp
    File opened for modification | \??\c:\program files\StepProtect.emf
    File opened for modification | \??\c:\program files\ConvertSplit.pdf
    File opened for modification | \??\c:\program files\SetAdd.dib
    File opened for modification | \??\c:\program files\RevokeSplit.7z
    File opened for modification | \??\c:\program files\TestNew.mpg
    File opened for modification | \??\c:\program files\WatchSave.pps
    File opened for modification | \??\c:\program files\CompleteSet.tiff
    File opened for modification | \??\c:\program files\CompressResume.xls
    File opened for modification | \??\c:\program files\FindConvertFrom.svgz
    File opened for modification | \??\c:\program files\RemoveShow.easmx
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    2408 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: d599cfe7_by_Libranalysis.exe
    pid | process
    3992 | d599cfe7_by_Libranalysis.exe
    3992 | d599cfe7_by_Libranalysis.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    description | pid | process
    Token: SeBackupPrivilege | 3016 | vssvc.exe
    Token: SeRestorePrivilege | 3016 | vssvc.exe
    Token: SeAuditPrivilege | 3016 | vssvc.exe
  Note: vssvc.exe is the Volume Shadow Copy service, started on demand when vssadmin.exe (PID 2408) requested the deletion. Enabling these privileges is the service's own normal behaviour, not code run by the sample, so read this entry as corroboration of the shadow-copy deletion rather than as an independent indicator.
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: d599cfe7_by_Libranalysis.exe, cmd.exe
    description | pid | process | target process
    PID 3992 wrote to memory of 188 | 3992 | d599cfe7_by_Libranalysis.exe | cmd.exe (recorded 3 times)
    PID 188 wrote to memory of 2408 | 188 | cmd.exe | vssadmin.exe (recorded 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe (PID 3992)
  command line: "C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe (PID 188)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\vssadmin.exe (PID 2408)
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 3016)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Note: the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe; the sample is a 32-bit process on 64-bit Windows, so WOW64 file system redirection resolved System32 to SysWOW64. Detection rules that match on the image path should account for both locations. The single cmd.exe invocation does three things: deletes all volume shadow copies, disables Windows Recovery Environment for the default boot entry, and tells the boot loader to ignore boot failures, so the victim is neither offered recovery nor able to roll back. vssvc.exe appears as a separate root rather than a child of vssadmin.exe because it is the Volume Shadow Copy service, started by the service control manager when vssadmin.exe called into it.
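The process tree above is the inhibit-recovery step in one line: cmd.exe chains vssadmin.exe Delete Shadows /All /Quiet with two bcdedit changes, and the "Deletes shadow copies" and "Interacts with shadow copies" signatures earlier fire on it. The following is an added example of detection logic for that chain, not the sandbox's own rules. It runs over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style) whose PIDs and command lines for 3992, 188 and 2408 are taken from this report; the parent PID of the sample (1337) and the two benign events are placeholders. Each link of a cmd.exe chain is judged separately, so all three commands run by PID 188 are caught, and hits are rolled up to the root of the process tree so the alert lands on the sample rather than on cmd.exe. The vssadmin and bcdedit patterns come from this report; the wmic and wbadmin patterns are a generalization to other well-known recovery-inhibiting commands, and nothing in this report shows the sample using them.

```python
import re

# Constructed process-creation events.  PIDs and command lines for 3992, 188 and
# 2408 are from the process tree in this report; ppid 1337 and the two benign
# events (5000, 5001) are placeholders to show what must not fire.
EVENTS = [
    {"pid": 3992, "ppid": 1337, "image": r"C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\d599cfe7_by_Libranalysis.exe"'},
    {"pid": 188, "ppid": 3992, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
            r'& bcdedit /set {default} recoveryenabled No '
            r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2408, "ppid": 188, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe List Shadows"},
    {"pid": 5001, "ppid": 4000, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /enum {current}"},
]

RULES = {
    # Patterns seen in this report's process tree:
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    # Generalization (assumption, not observed for this sample): other common
    # ways ransomware destroys shadow copies and backup catalogs.
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
}

# cmd.exe chain operators: &, &&, |, ||
SEPARATORS = re.compile(r"\s*(?:&&|\|\||[&|])\s*")


def segments(cmdline):
    """Split a cmd.exe command line into its chained commands, lower-cased and
    whitespace-normalized, so each link is matched on its own and a 'delete' in
    one command cannot pair with a 'shadows' in another."""
    return [" ".join(seg.split()) for seg in SEPARATORS.split(cmdline.lower()) if seg.strip()]


def scan(events):
    """Sorted, distinct (pid, rule) pairs for every event whose command line
    contains a recovery-inhibiting command."""
    hits = set()
    for ev in events:
        for seg in segments(ev["cmd"]):
            for name, rx in RULES.items():
                if rx.search(seg):
                    hits.add((ev["pid"], name))
    return sorted(hits)


def root_of(pid, parents):
    """Follow ppid links while the parent is itself a known event; the last
    known process is the root of the chain."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def correlate(events):
    """Group rule hits by process-tree root.  Several distinct rules under one
    root is the strong signal: cmd.exe (188) and vssadmin.exe (2408) both roll
    up to the sample, PID 3992."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    grouped = {}
    for pid, name in scan(events):
        grouped.setdefault(root_of(pid, parents), set()).add(name)
    return {root: sorted(names) for root, names in grouped.items()}


if __name__ == "__main__":
    for root, names in correlate(EVENTS).items():
        print(f"root pid {root}: {', '.join(names)}")
```

Matching on the command line rather than the image path is deliberate: as the tree above shows, the same binary can appear under System32 or SysWOW64 depending on the bitness of the parent, while the arguments that do the damage do not change. A production rule would also want the benign `vssadmin List Shadows` and `bcdedit /enum` cases in its test set, as here, since both are routine administration.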