Analysis
- max time kernel: 149s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-05-2021 18:04

Static task: static1

Behavioral task: behavioral1
- Sample: fc12ec1b_by_Libranalysis.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: fc12ec1b_by_Libranalysis.exe
- Resource: win10v20210408
General
- Target: fc12ec1b_by_Libranalysis.exe
- Size: 143KB
- MD5: fc12ec1b213c77784a3f52f8a4b97a24
- SHA1: 49d119a9b8ec4ef7cace0259144033358b154bcf
- SHA256: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f
- SHA512: a5224870826d5511a919a3070ad1866d74015f40b1d69f4c7944e0551a7a5ab75532ba26cad289f86bdfaf96e3b61f024ab05a953f7afa18bd69c8d68b79de46
Malware Config
Extracted
- Path: C:\8ors6ek4-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56975D3FCF91CF78
  http://decoder.re/56975D3FCF91CF78
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File renamed  C:\Users\Admin\Pictures\SendRemove.crw => \??\c:\users\admin\pictures\SendRemove.crw.8ors6ek4  fc12ec1b_by_Libranalysis.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only)  \??\V:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\W:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\B:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\F:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\L:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\N:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\P:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\Y:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\G:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\I:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\J:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\R:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\S:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\T:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\Z:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\D:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\A:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\K:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\M:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\Q:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\U:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\X:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\E:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\H:  fc12ec1b_by_Libranalysis.exe
    File opened (read-only)  \??\O:  fc12ec1b_by_Libranalysis.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\795.bmp"  fc12ec1b_by_Libranalysis.exe
- Drops file in Program Files directory (21 IoCs)
  Processes (description / ioc / process):
    File opened for modification  \??\c:\program files\SplitCheckpoint.vsdx  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\StartUnprotect.dot  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\MountSubmit.ADT  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\PingUpdate.au  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\RepairOut.inf  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\ResetLimit.cfg  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\RevokeReset.mpe  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\SendUpdate.vdw  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\UseOpen.ini  fc12ec1b_by_Libranalysis.exe
    File created                  \??\c:\program files\8ors6ek4-readme.txt  fc12ec1b_by_Libranalysis.exe
    File created                  \??\c:\program files (x86)\8ors6ek4-readme.txt  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\ExportNew.inf  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\GrantUninstall.xlsb  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\ResizeUpdate.TTS  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\SuspendRedo.dib  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\EnableRestart.iso  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\GroupResize.snd  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\RequestSuspend.svg  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\ResizeConfirm.mov  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\RestoreLimit.scf  fc12ec1b_by_Libranalysis.exe
    File opened for modification  \??\c:\program files\RevokeUnprotect.odp  fc12ec1b_by_Libranalysis.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    572  fc12ec1b_by_Libranalysis.exe
    572  fc12ec1b_by_Libranalysis.exe
    572  fc12ec1b_by_Libranalysis.exe
    572  fc12ec1b_by_Libranalysis.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege          572   fc12ec1b_by_Libranalysis.exe
    Token: SeTakeOwnershipPrivilege  572   fc12ec1b_by_Libranalysis.exe
    Token: SeBackupPrivilege         3264  vssvc.exe
    Token: SeRestorePrivilege        3264  vssvc.exe
    Token: SeAuditPrivilege          3264  vssvc.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\fc12ec1b_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc12ec1b_by_Libranalysis.exe"
  PID: 572
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3748

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3264
  Signatures:
  - Suspicious use of AdjustPrivilegeToken