7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438

General

Target

aaefc048_by_Libranalysis.exe
Size

3.8MB
MD5

aaefc0480def364bddc8b77efd1e9298
SHA1

985c945b1959453084e4f5e8eedf1cce03cd6b43
SHA256

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438
SHA512

197d81e5a47e845048bbb7a358fa7842df85542dddba82266bd91448aebb196a32081537c47885311c3f30b00b2028ae812b2e1c878a040ac65e654fa8bcee88

Score

8^/10

persistence ransomware

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

aaefc048_by_Libranalysis.exe

description	ioc	process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	aaefc048_by_Libranalysis.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aaefc048_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/aaefc048_by_Libranalysis.exe"	aaefc048_by_Libranalysis.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

aaefc048_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pigdesk.bmp"	aaefc048_by_Libranalysis.exe

Drops file in Program Files directory 64 IoCs

Processes:

aaefc048_by_Libranalysis.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows Defender\MSASCuiL.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.ico	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif	aaefc048_by_Libranalysis.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	aaefc048_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	aaefc048_by_Libranalysis.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

aaefc048_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2"	aaefc048_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\TileWallpaper = "2"	aaefc048_by_Libranalysis.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

aaefc048_by_Libranalysis.exe

pid	process
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe
3944	aaefc048_by_Libranalysis.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aaefc048_by_Libranalysis.exe

pid process

3944 aaefc048_by_Libranalysis.exe
3944 aaefc048_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\aaefc048_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\aaefc048_by_Libranalysis.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3944