
Analysis Report 46a40ec6_by_Libranalysis

Overview

General Information

Sample Name: 46a40ec6_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 399463
MD5: 46a40ec6d39b7530830f3047cdebaa1b
SHA1: a1540914b5ceb9e772ee5898e777f48e3cd57010
SHA256: 08c2d24cb9c632f9aa84254bb673c9df04d4ac23ee07e840794e9438b06e9bd2

Detection

Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found Tor onion address
Machine Learning detection for sample
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Startup

  • System is w10x64
  • 46a40ec6_by_Libranalysis.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe' MD5: 46A40EC6D39B7530830F3047CDEBAA1B)
  • unsecapp.exe (PID: 4388 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["oracle", "onenote", "msaccess", "dbsnmp", "firefox", "ocssd", "excel", "wordpad", "isqlplussvc", "thebat", "dbeng50", "sql", "mspub", "visio", "steam", "outlook", "encsvc", "mydesktopservice", "powerpnt", "winword", "ocautoupds", "synctime", "agntsvc", "tbirdconfig", "thunderbird", "sqbcoreservice", "ocomm", "mydesktopqos", "infopath", "xfssvccon"], "sub": "7495", "svc": ["mepocs", "memtas", "svc$", "sophos", "sql", "vss", "veeam", "backup"], "wht": {"ext": ["diagcfg", "drv", "msu", "bat", "icl", "diagpkg", "adv", "rom", "hlp", "msi", "ani", "nomedia", "deskthemepack", "themepack", "key", "ocx", "mod", "nls", "com", "scr", "cur", "msc", "ps1", "icns", "lnk", "prf", "ics", "ldf", "theme", "rtp", "wpx", "diagcab", "msstyles", "bin", "idx", "ico", "shs", "386", "cmd", "mpa", "lock", "spl", "hta", "exe", "dll", "msp", "cab", "cpl", "sys"], "fls": ["bootsect.bak", "boot.ini", "ntuser.dat", "bootfont.bin", "ntldr", "ntuser.ini", "thumbs.db", "autorun.inf", "ntuser.dat.log", "desktop.ini", "iconcache.db"], "fld": ["windows.old", "msocache", "intel", "application data", "program files", "tor browser", "mozilla", "program files (x86)", "appdata", "windows", "programdata", "system volume information", "$recycle.bin", "perflogs", "google", "$windows.~bt", "$windows.~ws", "boot"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"the-virtualizer.com;aminaboutique247.com;thaysa.com;aunexis.ch;allentownpapershow.com;plotlinecreative.com;spinheal.ru;darrenkeslerministries.com;peterstrobos.com;sanyue119.com;extraordinaryoutdoors.com;airconditioning-waalwijk.nl;ledmes.ru;all-turtles.com;euro-trend.pl;ausbeverage.com.au;micro-automation.de;easytrans.com.au;sandd.nl;wien-mitte.co.at;bargningavesta.se;spylista.com;comarenterprises.com;teknoz.net;boulderwelt-muenchen-west.de;cactusthebrand.com;c2e-poitiers.com;jerling.de;zervicethai.co.th;macabaneaupaysflechois.com;bptdmaluku.com;opatrovanie-ako.sk;lapinlviasennus.fi;travelffeine.com;outcomeisincome.com;cite4me.org;verbisonline.com;ausair.com.au;sahalstore.com;delchacay.com.ar;blewback.com;bodyfulls.com;autodemontagenijmegen.nl;fairfriends18.de;stampagrafica.es;makeitcount.at;richard-felix.co.uk;modelmaking.nl;web.ion.ag;extensionmaison.info;lusak.at;zweerscreatives.nl;gantungankunciakrilikbandung.com;mbxvii.com;stormwall.se;takeflat.com;levihotelspa.fi;rushhourappliances.com;hairnetty.wordpress.com;slimidealherbal.com;mirjamholleman.nl;onlyresultsmarketing.com;fitnessingbyjessica.com;huesges-gruppe.de;mapawood.com;norpol-yachting.com;twohourswithlena.wordpress.com;ralister.co.uk;zewatchers.com;mardenherefordshire-pc.gov.uk;mir-na-iznanku.com;polymedia.dk;notmissingout.com;gasbarre.com;you-bysia.com.au;kuntokeskusrok.fi;delawarecorporatelaw.com;lionware.de;femxarxa.cat;shonacox.com;nachhilfe-unterricht.com;embracinghiscall.com;dsl-ip.de;agence-chocolat-noir.com;bingonearme.org;kostenlose-webcams.com;jorgobe.at;portoesdofarrobo.com;theletter.company;campusoutreach.org;heidelbergartstudio.gallery;xltyu.com;classycurtainsltd.co.uk;sojamindbody.com;solhaug.tk;mdacares.com;i-trust.dk;devstyle.org;pridoxmaterieel.nl;iwr.nl;pasivect.co.uk;tanzschule-kieber.de;controldekk.com;erstatningsadvokaterne.dk;tanciu.com;deepsouthclothingcompany.com;tux-espacios.com;irinaverwer.com;woodleyacademy.org;4youbeautysalon.com;drnice.de;stopilhan.com;edelman.jp;irishmachin
eryauctions.com;galserwis.pl;krlosdavid.com;miriamgrimm.de;kath-kirche-gera.de;muamuadolls.com;tennisclubetten.nl;bhwlawfirm.com;mediaplayertest.net;crowd-patch.co.uk;memaag.com;associationanalytics.com;quemargrasa.net;sarbatkhalsafoundation.org;copystar.co.uk;longislandelderlaw.com;myhealth.net.au;interactcenter.org;schmalhorst.de;pinkexcel.com;thenewrejuveme.com;seproc.hn;ecpmedia.vn;celeclub.org;sportverein-tambach.de;judithjansen.com;architecturalfiberglass.org;andersongilmour.co.uk;tradiematepro.com.au;ecoledansemulhouse.fr;puertamatic.es;grelot-home.com;centrospgolega.com;karacaoglu.nl;dezatec.es;chatizel-paysage.fr;promalaga.es;bsaship.com;lloydconstruction.com;fotoscondron.com;morawe-krueger.de;beyondmarcomdotcom.wordpress.com;noskierrenteria.com;punchbaby.com;autopfand24.de;harpershologram.wordpress.com;surespark.org.uk;alten-mebel63.ru;connectedace.com;cafemattmeera.com;securityfmm.com;heurigen-bauer.at;alhashem.net;triggi.de;filmstreamingvfcomplet.be;vyhino-zhulebino-24.ru;stacyloeb.com;alfa-stroy72.com;sexandfessenjoon.wordpress.com;zonamovie21.net;thefixhut.com;digi-talents.com;y-archive.com;kisplanning.com.au;dinslips.se;imadarchid.com;ouryoungminds.wordpress.com;bunburyfreightservices.com.au;aodaichandung.com;veybachcenter.de;qualitaetstag.de;schoolofpassivewealth.com;malychanieruchomoscipremium.com;deltacleta.cat;klusbeter.nl;waywithwords.net;pawsuppetlovers.com;mrsplans.net;resortmtn.com;imaginado.de;ino-professional.ru;mank.de;vdberg-autoimport.nl;courteney-cox.net;paymybill.guru;pelorus.group;autofolierung-lu.de;esope-formation.fr;pmc-services.de;wmiadmin.com;smhydro.com.pl;anteniti.com;blossombeyond50.com;smartypractice.com;joyeriaorindia.com;DupontSellsHomes.com;labobit.it;socialonemedia.com;jasonbaileystudio.com;presseclub-magdeburg.de;better.town;sachnendoc.com;calabasasdigest.com;trapiantofue.it;spd-ehningen.de;rhinosfootballacademy.com;revezlimage.com;ra-staudte.de;maratonaclubedeportugal.com;mylolis.com;worldhealthbasicinfo.com;trulynolen.c
o.uk;firstpaymentservices.com;craftleathermnl.com;htchorst.nl;paradicepacks.com;rumahminangberdaya.com;microcirc.net;hexcreatives.co;dekkinngay.com;durganews.com;coding-marking.com;lykkeliv.net;asteriag.com;cnoia.org;asiluxury.com;echtveilig.nl;gadgetedges.com;ncs-graphic-studio.com;eadsmurraypugh.com;fayrecreations.com;abogadosadomicilio.es;upplandsspar.se;cleliaekiko.online;bargningharnosand.se;parkcf.nl;simulatebrain.com;visiativ-industry.fr;pubweb.carnet.hr;webhostingsrbija.rs;winrace.no;mmgdouai.fr;highlinesouthasc.com;broseller.com;cirugiauretra.es;gasolspecialisten.se;thewellnessmimi.com;zenderthelender.com;chefdays.de;michaelsmeriglioracing.com;stupbratt.no;allamatberedare.se;burkert-ideenreich.de;edrcreditservices.nl;yourobgyn.net;praxis-foerderdiagnostik.de;theclubms.com;hotelzentral.at;milanonotai.it;harveybp.com;entopic.com;thomas-hospital.de;cursosgratuitosnainternet.com;ulyssemarketing.com;troegs.com;profectis.de;csgospeltips.se;rostoncastings.co.uk;gporf.fr;sabel-bf.com;happyeasterimages.org;lillegrandpalais.com;koken-voor-baby.nl;bouldercafe-wuppertal.de;rerekatu.com;nosuchthingasgovernment.com;sofavietxinh.com;hugoversichert.de;real-estate-experts.com;uimaan.fi;jsfg.com;christ-michael.net;saarland-thermen-resort.com;caffeinternet.it;no-plans.com;365questions.org;markelbroch.com;greenko.pl;waynela.com;chavesdoareeiro.com;botanicinnovations.com;renergysolution.com;www1.proresult.no;podsosnami.ru;westdeptfordbuyrite.com;ontrailsandboulevards.com;edgewoodestates.org;iyengaryogacharlotte.com;blgr.be;kalkulator-oszczednosci.pl;cuppacap.com;dw-css.de;latestmodsapks.com;bayoga.co.uk;catholicmusicfest.com;liliesandbeauties.org;blumenhof-wegleitner.at;projetlyonturin.fr;admos-gleitlager.de;songunceliptv.com;nataschawessels.com;buroludo.nl;craigvalentineacademy.com;moveonnews.com;praxis-management-plus.de;amerikansktgodis.se;bafuncs.org;pivoineetc.fr;acomprarseguidores.com;norovirus-ratgeber.de;zimmerei-fl.de;abogadoengijon.es;geekwork.pl;castillobalduz.es;col
orofhorses.com;braffinjurylawfirm.com;latribuessentielle.com;fransespiegels.nl;rieed.de;kojima-shihou.com;artallnightdc.com;qualitus.com;lukeshepley.wordpress.com;shhealthlaw.com;hatech.io;pferdebiester.de;despedidascostablanca.es;pomodori-pizzeria.de;gaiam.nl;tecnojobsnet.com;leeuwardenstudentcity.nl;hashkasolutindo.com;samnewbyjax.com;charlesreger.com;southeasternacademyofprosthodontics.org;herbstfeststaefa.ch;gemeentehetkompas.nl;helenekowalsky.com;kojinsaisei.info;spsshomeworkhelp.com;sotsioloogia.ee;streamerzradio1.site;xn--thucmctc-13a1357egba.com;krcove-zily.eu;officehymy.com;behavioralmedicinespecialists.com;xlarge.at;tigsltd.com;schutting-info.nl;radaradvies.nl;mylovelybluesky.com;newyou.at;employeesurveys.com;centromarysalud.com;foretprivee.ca;35-40konkatsu.net;architekturbuero-wagner.net;pierrehale.com;thomasvicino.com;tsklogistik.eu;smogathon.com;calxplus.eu;danubecloud.com;desert-trails.com;besttechie.com;dubnew.com;hypozentrum.com;conexa4papers.trade;meusharklinithome.wordpress.com;zzyjtsgls.com;boldcitydowntown.com;tomoiyuma.com;chrissieperry.com;mooshine.com;johnsonfamilyfarmblog.wordpress.com;makeurvoiceheard.com;freie-baugutachterpraxis.de;executiveairllc.com;agence-referencement-naturel-geneve.net;serce.info.pl;accountancywijchen.nl;hmsdanmark.dk;polzine.net;haremnick.com;tonelektro.nl;kampotpepper.gives;strategicstatements.com;argos.wityu.fund;apprendrelaudit.com;div-vertriebsforschung.de;jvanvlietdichter.nl;bestbet.com;kirkepartner.dk;denovofoodsgroup.com;limassoldriving.com;humancondition.com;simplyblessedbykeepingitreal.com;milestoneshows.com;elimchan.com;tomaso.gr;rebeccarisher.com;eglectonk.online;igfap.com;partnertaxi.sk;testzandbakmetmening.online;theduke.de;jobcenterkenya.com;schlafsack-test.net;zflas.com;8449nohate.org;abl1.net;stemplusacademy.com;bildungsunderlebnis.haus;thee.network;kindersitze-vergleich.de;evologic-technologies.com;solinegraphic.com;adoptioperheet.fi;wolf-glas-und-kunst.de;corendonhotels.com;jacquin-maquettes.com;grat
ispresent.se;psnacademy.in;space.ua;physiofischer.de;dareckleyministries.com;softsproductkey.com;mousepad-direkt.de;leather-factory.co.jp;parkstreetauto.net;simpkinsedwards.co.uk;skanah.com;smokeysstoves.com;sloverse.com;zieglerbrothers.de;heliomotion.com;321play.com.hk;actecfoundation.org;idemblogs.com;thedresserie.com;balticdentists.com;bigler-hrconsulting.ch;transliminaltribe.wordpress.com;xoabigail.com;wychowanieprzedszkolne.pl;satyayoga.de;ceid.info.tr;ikads.org;modamilyon.com;stingraybeach.com;carriagehousesalonvt.com;hushavefritid.dk;bundabergeyeclinic.com.au;themadbotter.com;dr-seleznev.com;vorotauu.ru;qlog.de;insidegarage.pl;perbudget.com;basisschooldezonnewijzer.nl;bigasgrup.com;ogdenvision.com;rota-installations.co.uk;igorbarbosa.com;austinlchurch.com;fundaciongregal.org;theapifactory.com;bodyforwife.com;rozemondcoaching.nl;ohidesign.com;bouncingbonanza.com;iwelt.de;hrabritelefon.hr;ncuccr.org;pogypneu.sk;noesis.tech;stallbyggen.se;poultrypartners.nl;abogadosaccidentetraficosevilla.es;yousay.site;fax-payday-loans.com;coursio.com;wellplast.se;naturstein-hotte.de;myzk.site;bogdanpeptine.ro;mirjamholleman.nl;pt-arnold.de;alvinschwartz.wordpress.com;smithmediastrategies.com;x-ray.ca;dr-tremel-rednitzhembach.de;vancouver-print.ca;cuspdental.com;symphonyenvironmental.com;argenblogs.com.ar;paulisdogshop.de;scenepublique.net;icpcnj.org;linnankellari.fi;plastidip.com.ar;brandl-blumen.de;diversiapsicologia.es;manifestinglab.com;hotelsolbh.com.br;importardechina.info;pcp-nc.com;pointos.com;ditog.fr;assurancesalextrespaille.fr;bimnapratica.com;teresianmedia.org;webcodingstudio.com;babcockchurch.org;the-domain-trader.com;nurturingwisdom.com;zimmerei-deboer.de;global-kids.info;joseconstela.com;fatfreezingmachines.com;effortlesspromo.com;deoudedorpskernnoordwijk.nl;devok.info;berlin-bamboo-bikes.org;pv-design.de;deschl.net;farhaani.com;lefumetdesdombes.com;flexicloud.hk;nsec.se;syndikat-asphaltfieber.de;cityorchardhtx.com;musictreehouse.net;aniblinova.wordpress.com;devl
aur.com;urclan.net;caribdoctor.org;sanaia.com;id-vet.com;toponlinecasinosuk.co.uk;ftlc.es;lmtprovisions.com;pay4essays.net;blacksirius.de;antenanavi.com;oneheartwarriors.at;miraclediet.fun;mezhdu-delom.ru;aarvorg.com;sla-paris.com;roygolden.com;restaurantesszimmer.de;igrealestate.com;alsace-first.com;kissit.ca;finde-deine-marke.de;turkcaparbariatrics.com;nuzech.com;kedak.de;compliancesolutionsstrategies.com;gopackapp.com;seitzdruck.com;jadwalbolanet.info;mountsoul.de;tandartspraktijkhartjegroningen.nl;1kbk.com.ua;n1-headache.com;smessier.com;buymedical.biz;tastewilliamsburg.com;talentwunder.com;ctrler.cn;pocket-opera.de;personalenhancementcenter.com;tetinfo.in;marcuswhitten.site;unetica.fr;c-a.co.in;anthonystreetrimming.com;humanityplus.org;pixelarttees.com;fiscalsort.com;groupe-cets.com;dnepr-beskid.com.ua;nvwoodwerks.com;strandcampingdoonbeg.com;frontierweldingllc.com;oslomf.no;slupetzky.at;stoneys.ch;daklesa.de;cheminpsy.fr;exenberger.at;kaminscy.com;pier40forall.org;ki-lowroermond.nl;4net.guru;rimborsobancario.net;wurmpower.at;marietteaernoudts.nl;lbcframingelectrical.com;maineemploymentlawyerblog.com;rehabilitationcentersinhouston.net;educar.org;imperfectstore.com;slwgs.org;marchand-sloboda.com;waermetauscher-berechnen.de;ymca-cw.org.uk;danholzmann.com;spacecitysisters.org;aselbermachen.com;quickyfunds.com;work2live.de;launchhubl.com;insp.bi;nativeformulas.com;highimpactoutdoors.net;withahmed.com;midmohandyman.com;ventti.com.ar;xn--logopdie-leverkusen-kwb.de;faizanullah.com;cerebralforce.net;blog.solutionsarchitect.guru;live-con-arte.de;wacochamber.com;purposeadvisorsolutions.com;mooreslawngarden.com;truenyc.co;jakekozmor.com;summitmarketingstrategies.com;parebrise-tla.fr;hardinggroup.com;tinyagency.com;bookspeopleplaces.com;vannesteconstruct.be;atalent.fi;mariposapropaneaz.com;naturavetal.hr;triactis.com;iyahayki.nl;nokesvilledentistry.com;kunze-immobilien.de;hiddencitysecrets.com.au;schraven.de;vibehouse.rw;ilive.lt;digivod.de;associacioesportivapolitg.cat;cr
owcanyon.com;operaslovakia.sk;leoben.at;onlybacklink.com;edv-live.de;mountaintoptinyhomes.com;smejump.co.th;vickiegrayimages.com;jandaonline.com;anybookreader.de;journeybacktolife.com;nandistribution.nl;forskolorna.org;familypark40.com;bowengroup.com.au;baylegacy.com;allfortheloveofyou.com;citymax-cr.com;dlc.berlin;teczowadolina.bytom.pl;victoriousfestival.co.uk;corelifenutrition.com;ncid.bc.ca;spectrmash.ru;freie-gewerkschaften.de;fannmedias.com;shsthepapercut.com;lachofikschiet.nl;hkr-reise.de;directwindowco.com;lecantou-coworking.com;ussmontanacommittee.us;psa-sec.de;deko4you.at;thedad.com;plv.media;lascuola.nl;ampisolabergeggi.it;commonground-stories.com;comparatif-lave-linge.fr;stemenstilte.nl;urist-bogatyr.ru;vetapharma.fr;hebkft.hu;enovos.de;ianaswanson.com;biapi-coaching.fr;herbayupro.com;atmos-show.com;homng.net;brigitte-erler.com;consultaractadenacimiento.com;smart-light.co.uk;vitavia.lt;levdittliv.se;sportiomsportfondsen.nl;glennroberts.co.nz;jiloc.com;foryourhealth.live;kadesignandbuild.co.uk;seagatesthreecharters.com;maryloutaylor.com;spargel-kochen.de;homecomingstudio.com;iwelt.de;dushka.ua;body-guards.it;vibethink.net;dutchcoder.nl;geisterradler.de;whittier5k.com;datacenters-in-europe.com;mercantedifiori.com;iqbalscientific.com;ora-it.de;brawnmediany.com;jameskibbie.com;huissier-creteil.com;alysonhoward.com;augenta.com;ecopro-kanto.com;hellohope.com;mediaclan.info;international-sound-awards.com;liveottelut.com;greenfieldoptimaldentalcare.com;ihr-news.jp;simpliza.com;juneauopioidworkgroup.org;kaliber.co.jp;hoteledenpadova.it;henricekupper.com;dirittosanitario.biz;fitovitaforum.com;abitur-undwieweiter.de;modestmanagement.com;em-gmbh.ch;shiftinspiration.com;brevitempore.net;carolinepenn.com;celularity.com;greenpark.ch;nicoleaeschbachorg.wordpress.com;patrickfoundation.net;quizzingbee.com;aakritpatel.com;ivfminiua.com;wraithco.com;ostheimer.at;osterberg.fi;rksbusiness.com;handi-jack-llc.com;dramagickcom.wordpress.com;jbbjw.com;naturalrapids.com;ai-spt.jp;
sauschneider.info;milsing.hr;uranus.nl;d2marketing.co.uk;nhadatcanho247.com;testcoreprohealthuk.com;beautychance.se;falcou.fr;tuuliautio.fi;vitalyscenter.es;hihaho.com;starsarecircular.org;xtptrack.com;gamesboard.info;antonmack.de;polychromelabs.com;readberserk.com;navyfederalautooverseas.com;dublikator.com;bridgeloanslenders.com;corola.es;kmbshipping.co.uk;mbfagency.com;pmcimpact.com;bradynursery.com;atozdistribution.co.uk;bricotienda.com;huehnerauge-entfernen.de;tandartspraktijkheesch.nl;otto-bollmann.de;evangelische-pfarrgemeinde-tuniberg.de;healthyyworkout.com;evergreen-fishing.com;fizzl.ru;slashdb.com;abuelos.com;abogados-en-alicante.es;nmiec.com;wasmachtmeinfonds.at;cimanchesterescorts.co.uk;seevilla-dr-sturm.at;tenacitytenfold.com;ladelirante.fr;boosthybrid.com.au;tstaffing.nl;refluxreducer.com;d1franchise.com;panelsandwichmadrid.es;cortec-neuro.com;creative-waves.co.uk;otsu-bon.com;xn--singlebrsen-vergleich-nec.com;leda-ukraine.com.ua;1team.es;elpa.se;marketingsulweb.com;fitnessbazaar.com;hairstylesnow.site;vermoote.de;kamienny-dywan24.pl;mikeramirezcpa.com;forestlakeuca.org.au;denifl-consulting.at;rafaut.com;101gowrie.com;houseofplus.com;penco.ie;drfoyle.com;kao.at;neuschelectrical.co.za;saka.gr;montrium.com;lorenacarnero.com;darnallwellbeing.org.uk;dontpassthepepper.com;blogdecachorros.com;tarotdeseidel.com;nancy-informatique.fr;ahouseforlease.com;rosavalamedahr.com;facettenreich27.de;chandlerpd.com;lightair.com;marathonerpaolo.com;luckypatcher-apkz.com;smale-opticiens.nl;wari.com.pe;helikoptervluchtnewyork.nl;lange.host;craigmccabe.fun;shiresresidential.com;iwelt.de;kenhnoithatgo.com;woodworkersolution.com;smalltownideamill.wordpress.com;retroearthstudio.com;insigniapmg.com;iviaggisonciliegie.it;julis-lsa.de;myteamgenius.com;hvccfloorcare.com;mrxermon.de;toreria.es;backstreetpub.com;planchaavapor.net;upmrkt.co;layrshift.eu;dubscollective.com;olejack.ru;transportesycementoshidalgo.es;crediacces.com;walkingdeadnj.com;sweering.fr;liikelataamo.fi;geoffreymeul
i.com;selfoutlet.com;jobmap.at;jeanlouissibomana.com;bastutunnan.se;trackyourconstruction.com;myhostcloud.com;bee4win.com;drinkseed.com;stoeferlehalle.de;degroenetunnel.com;artige.com;minipara.com;corona-handles.com;adultgamezone.com;webmaster-peloton.com;mytechnoway.com;mediaacademy-iraq.org;luxurytv.jp;ravensnesthomegoods.com;centuryrs.com;sportsmassoren.com;id-et-d.fr;blood-sports.net;boompinoy.com;aco-media.nl;asgestion.com;milltimber.aberdeen.sch.uk;merzi.info;roadwarrior.app;coding-machine.com;tophumanservicescourses.com;socstrp.org;hhcourier.com;fensterbau-ziegler.de;wsoil.com.sg;piajeppesen.dk;villa-marrakesch.de;monark.com;supportsumba.nl;oceanastudios.com;phantastyk.com;synlab.lt;sevenadvertising.com;bigbaguettes.eu;manutouchmassage.com;kevinjodea.com;philippedebroca.com;siliconbeach-realestate.com;zso-mannheim.de;justinvieira.com;loprus.pl;logopaedie-blomberg.de;sobreholanda.com;verifort-capital.de;romeguidedvisit.com;maasreusel.nl;cranleighscoutgroup.org;skiltogprint.no;finediningweek.pl;manijaipur.com;aurum-juweliere.de;porno-gringo.com;answerstest.ru;torgbodenbollnas.se;havecamerawilltravel2017.wordpress.com;mastertechengineering.com;lichencafe.com;dutchbrewingcoffee.com;love30-chanko.com;sterlingessay.com;nestor-swiss.ch;gmto.fr;littlebird.salon;almosthomedogrescue.dog;licor43.de;advokathuset.dk;commercialboatbuilding.com;i-arslan.de;katiekerr.co.uk;antiaginghealthbenefits.com;binder-buerotechnik.at;maureenbreezedancetheater.org;waveneyrivercentre.co.uk;autodujos.lt;seminoc.com;daniel-akermann-architektur-und-planung.ch;senson.fi;gastsicht.de;ilcdover.com;theshungiteexperience.com.au;sairaku.net;jenniferandersonwriter.com;birnam-wood.com;mepavex.nl;vihannesporssi.fi;instatron.net;rocketccw.com;123vrachi.ru;mindpackstudios.com;petnest.ir;ziegler-praezisionsteile.de;sipstroysochi.ru;offroadbeasts.com;trystana.com;dr-pipi.de;xn--fn-kka.no;mirjamholleman.nl;knowledgemuseumbd.com;pickanose.com;klimt2012.info;clos-galant.com;ligiercenter-sachsen.de;thailand
holic.com;kamahouse.net;precisionbevel.com;platformier.com;xn--rumung-bua.online;tongdaifpthaiphong.net;run4study.com;body-armour.online;whyinterestingly.ru;goodgirlrecovery.com;dpo-as-a-service.com;eaglemeetstiger.de;amylendscrestview.com;bauertree.com;people-biz.com;solerluethi-allart.ch;oncarrot.com;jusibe.com;lescomtesdemean.be;schoellhammer.com;oemands.dk;danielblum.info;simoneblum.de;faroairporttransfers.net;tinkoff-mobayl.ru;cursoporcelanatoliquido.online;globedivers.wordpress.com;parking.netgateway.eu;coastalbridgeadvisors.com;yamalevents.com;mdk-mediadesign.de;berliner-versicherungsvergleich.de;noixdecocom.fr;videomarketing.pro;apolomarcas.com;gymnasedumanagement.com;parks-nuernberg.de;figura.team;chaotrang.com;charlottepoudroux-photographie.fr;theadventureedge.com;bristolaeroclub.co.uk;ilso.net;vesinhnha.com.vn;naswrrg.org;balticdermatology.lt;collaborativeclassroom.org;beaconhealthsystem.org;sporthamper.com;cyntox.com;madinblack.com;plantag.de;koko-nora.dk;lapmangfpt.info.vn;intecwi.com;kikedeoliveira.com;kingfamily.construction;boisehosting.net;kariokids.com;bouquet-de-roses.com;makeflowers.ru;croftprecision.co.uk;stefanpasch.me;mrsfieldskc.com;hokagestore.com;ccpbroadband.com;advizewealth.com;nacktfalter.de;vanswigchemdesign.com;ungsvenskarna.se;deprobatehelp.com;cwsitservices.co.uk;urmasiimariiuniri.ro;rollingrockcolumbia.com;analiticapublica.es;fotoideaymedia.es;groupe-frayssinet.fr;baumkuchenexpo.jp;lucidinvestbank.com;tampaallen.com;nakupunafoundation.org;drinkseed.com;vietlawconsultancy.com;remcakram.com;mank.de;tips.technology;biortaggivaldelsa.com;completeweddingkansas.com;ivivo.es;micahkoleoso.de;odiclinic.org;iwelt.de;drugdevice.org;bloggyboulga.net;new.devon.gov.uk;ftf.or.at;pcprofessor.com;reddysbakery.com;eraorastudio.com;carlosja.com;saxtec.com;crosspointefellowship.church;pasvenska.se;appsformacpc.com;epwritescom.wordpress.com;oneplusresource.org;mrtour.site;nijaplay.com;unim.su;mooglee.com;destinationclients.fr;grupocarvalhoerodrigues.com
.br;haar-spange.com;stoeberstuuv.de;art2gointerieurprojecten.nl;danskretursystem.dk;aprepol.com;yassir.pro;carrybrands.nl;ruralarcoiris.com;bxdf.info;xn--fnsterputssollentuna-39b.se;higadograsoweb.com;allure-cosmetics.at;notsilentmd.org;expandet.dk;lebellevue.fr;kafu.ch;fibrofolliculoma.info;tulsawaterheaterinstallation.com;garage-lecompte-rouen.fr;homesdollar.com;artotelamsterdam.com;tanzprojekt.com;eco-southafrica.com;corelifenutrition.com;lenreactiv-shop.ru;lubetkinmediacompanies.com;girlillamarketing.com;sw1m.ru;innote.fi;candyhouseusa.com;americafirstcommittee.org;lapinvihreat.fi;schmalhorst.de;vloeren-nu.nl;gw2guilds.org;steampluscarpetandfloors.com;suncrestcabinets.ca;coffreo.biz;first-2-aid-u.com;aglend.com.au;galleryartfair.com;verytycs.com;walter-lemm.de;mirkoreisser.de;bordercollie-nim.nl;proudground.org;systemate.dk;12starhd.online;jyzdesign.com;campus2day.de;creamery201.com;friendsandbrgrs.com;todocaracoles.com;gonzalezfornes.es;filmvideoweb.com;sagadc.com;hannah-fink.de;bockamp.com;prochain-voyage.net;kosterra.com;raschlosser.de;itelagen.com;katketytaanet.fi;faronics.com;sinal.org;jolly-events.com;2ekeus.nl;kaotikkustomz.com;newstap.com.ng;arteservicefabbro.com;kidbucketlist.com.au;vox-surveys.com;conasmanagement.de;promesapuertorico.com;xn--vrftet-pua.biz;shadebarandgrillorlando.com;psc.de;live-your-life.jp;caribbeansunpoker.com;mymoneyforex.com;team-montage.dk;iphoneszervizbudapest.hu;camsadviser.com;baustb.de;ceres.org.au;lynsayshepherd.co.uk;izzi360.com;narcert.com;financescorecard.com;funjose.org.gt;siluet-decor.ru;bierensgebakkramen.nl;baptisttabernacle.com;oldschoolfun.net;christinarebuffetcourses.com;bbsmobler.se;ateliergamila.com;servicegsm.net;baronloan.org;maxadams.london;werkkring.nl;slimani.net", "dbg": false, "pid": "$2a$12$k6iq18BR3UU7uFyc.Pgy0e8GklmvcWyoi09nqzJkgxZN1vNGskAtC", "nbody": "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", "et": 0, "wipe": true, "wfld": ["backup"], "rdmcnt": 0, "nname": "{EXT}-readme.txt", "pk": 
"Rlt+C6D/gEdeFPKx3tCl9bN47HgPo+1UoMntjqnLK2g=", "net": false, "exp": true, "arn": false}

Yara Overview

Initial Sample

Source: 46a40ec6_by_Libranalysis.exe
Rule: MAL_RANSOM_REvil_Oct20_1
Description: Detects REvil ransomware
Author: Florian Roth
Strings:
  • 0x51ba:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xa267:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa853:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9a8c:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xa256:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Memory Dumps

Source: 00000001.00000003.812950203.00000000030F8000.00000004.00000040.sdmp
Rule: JoeSecurity_Sodinokibi
Description: Yara detected Sodinokibi Ransomware
Author: Joe Security

Source: 00000001.00000003.646855790.00000000030F8000.00000004.00000040.sdmp
Rule: JoeSecurity_Sodinokibi
Description: Yara detected Sodinokibi Ransomware
Author: Joe Security

Source: 00000001.00000002.916068522.0000000001361000.00000020.00020000.sdmp
Rule: MAL_RANSOM_REvil_Oct20_1
Description: Detects REvil ransomware
Author: Florian Roth
Strings:
  • 0x4dba:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x9e67:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa453:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x968c:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x9e56:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Source: 00000001.00000003.647040724.00000000030F8000.00000004.00000040.sdmp
Rule: JoeSecurity_Sodinokibi
Description: Yara detected Sodinokibi Ransomware
Author: Joe Security

Source: 00000001.00000000.646522087.0000000001361000.00000020.00020000.sdmp
Rule: MAL_RANSOM_REvil_Oct20_1
Description: Detects REvil ransomware
Author: Florian Roth
Strings:
  • 0x4dba:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x9e67:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa453:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x968c:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x9e56:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

(7 further memory dump entries not shown)

Unpacked PEs

Source: 1.2.46a40ec6_by_Libranalysis.exe.1360000.1.unpack
Rule: MAL_RANSOM_REvil_Oct20_1
Description: Detects REvil ransomware
Author: Florian Roth
Strings:
  • 0x51ba:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xa267:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa853:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9a8c:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xa256:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Source: 1.0.46a40ec6_by_Libranalysis.exe.1360000.0.unpack
Rule: MAL_RANSOM_REvil_Oct20_1
Description: Detects REvil ransomware
Author: Florian Roth
Strings:
  • 0x51ba:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xa267:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xa853:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x9a8c:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xa256:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 46a40ec6_by_Libranalysis.exe; Avira: detected
Found malware configuration
Source: 46a40ec6_by_Libranalysis.exe.6892.1.memstr; Malware Configuration Extractor: Sodinokibi (full configuration as listed under Malware Configuration above)
        Multi AV Scanner detection for submitted file
        Source: 46a40ec6_by_Libranalysis.exe | Virustotal: Detection: 73%
        Source: 46a40ec6_by_Libranalysis.exe | Metadefender: Detection: 44%
        Source: 46a40ec6_by_Libranalysis.exe | ReversingLabs: Detection: 82%
        Machine Learning detection for sample
        Source: 46a40ec6_by_Libranalysis.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365981 CryptAcquireContextW,CryptGenRandom, 1_2_01365981
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_013660F9 CryptStringToBinaryW,CryptStringToBinaryW, 1_2_013660F9
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_0136615A CryptBinaryToStringW,CryptBinaryToStringW, 1_2_0136615A
        Source: 46a40ec6_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Directory created: c:\program files\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: C:\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files (x86)\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\recovery\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\users\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files (x86)\microsoft sql server\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\users\default\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: z:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: x:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: v:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: t:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: r:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: p:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: n:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: l:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: j:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: h:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: f:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: b:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: y:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: w:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: u:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: s:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: q:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: o:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: m:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: k:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: i:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: g:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: e:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: c:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: a:
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01367DA1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 1_2_01367DA1
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application

        Networking:

        Found Tor onion address
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000003.646956316.000000000307C000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.918186145.000000000307C000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30E456597D896371
        Source: pci8j8oug-readme.txt3.1.dr | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30E456597D896371
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000003.646956316.000000000307C000.00000004.00000040.sdmp | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.918186145.000000000307C000.00000004.00000040.sdmp, pci8j8oug-readme.txt3.1.dr | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30E456597D896371
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000003.646956316.000000000307C000.00000004.00000040.sdmp | String found in binary or memory: http://decoder.re/
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.918186145.000000000307C000.00000004.00000040.sdmp, pci8j8oug-readme.txt3.1.dr | String found in binary or memory: http://decoder.re/30E456597D896371
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000003.646956316.000000000307C000.00000004.00000040.sdmp, pci8j8oug-readme.txt3.1.dr | String found in binary or memory: https://torproject.org/

        Spam, unwanted Advertisements and Ransom Demands:

        Found ransom note / readme
        Source: C:\pci8j8oug-readme.txt | Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension pci8j8oug.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30E456597D8963712) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/30E456597D896371Warning: secondary website can be blocked, thats why first variant much b
        Yara detected Sodinokibi Ransomware
        Source: Yara match | File source: 00000001.00000003.812950203.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.646855790.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.647040724.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.646938772.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.646977922.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.647095256.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.646900362.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.647011219.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000003.647076289.00000000030F8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 46a40ec6_by_Libranalysis.exe PID: 6892, type: MEMORY
        Contains functionality to change the wallpaper
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01364CE2 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC, 1_2_01364CE2
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365A70 NtShutdownSystem,ExitWindowsEx, 1_2_01365A70
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01363FC9 OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 1_2_01363FC9
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365A70 NtShutdownSystem,ExitWindowsEx, 1_2_01365A70
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_0136C043 1_2_0136C043
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_0136B3AE 1_2_0136B3AE
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01369399 1_2_01369399
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01368C18 1_2_01368C18
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01368E76 1_2_01368E76
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.915672039.0000000000FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamempr.dll.muij% vs 46a40ec6_by_Libranalysis.exe
        Source: 46a40ec6_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 46a40ec6_by_Libranalysis.exe, type: SAMPLE | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: 00000001.00000002.916068522.0000000001361000.00000020.00020000.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: 00000001.00000000.646522087.0000000001361000.00000020.00020000.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: 1.2.46a40ec6_by_Libranalysis.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: 1.0.46a40ec6_by_Libranalysis.exe.1360000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: classification engine | Classification label: mal100.rans.evad.winEXE@2/7@0/0
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_013652F0 GetDriveTypeW,GetDiskFreeSpaceExW, 1_2_013652F0
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_0136590A CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 1_2_0136590A
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\users\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\2DF65726-6A41-E3E2-8FF3-0D43B3D09962
        Source: 46a40ec6_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="5612"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="5612"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="3976"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="3976"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="4700"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="4700"::GetOwner
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 46a40ec6_by_Libranalysis.exe | Virustotal: Detection: 73%
        Source: 46a40ec6_by_Libranalysis.exe | Metadefender: Detection: 44%
        Source: 46a40ec6_by_Libranalysis.exe | ReversingLabs: Detection: 82%
        Source: unknown | Process created: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe 'C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe'
        Source: unknown | Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Directory created: c:\program files\pci8j8oug-readme.txt
        Source: 46a40ec6_by_Libranalysis.exe | Static PE information: section name: .xl7f
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: C:\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files (x86)\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\recovery\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\users\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\program files (x86)\microsoft sql server\pci8j8oug-readme.txt
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File created: c:\users\default\pci8j8oug-readme.txt
        Source: C:\Windows\System32\wbem\unsecapp.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes

        Malware Analysis System Evasion:

        Contains functionality to detect sleep reduction / modifications
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365DD3 1_2_01365DD3
        Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Service.Name="VSS"::StopService
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Service.Name="VSS"::StopService
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365D29 rdtsc 1_2_01365D29
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01367C40 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,SetThreadToken,Thread32Next, 1_2_01367C40
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 1_2_01363FC9
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Window / User API: threadDelayed 10000
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe TID: 6896 | Thread sleep count: 10000 > 30
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01367DA1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 1_2_01367DA1
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_013658D6 GetSystemInfo, 1_2_013658D6
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application\NULL
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | File opened: C:\Program Files\Google\Chrome\Application
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365D29 rdtsc 1_2_01365D29
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01367C40 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,SetThreadToken,Thread32Next, 1_2_01367C40
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_013655F9 mov eax, dword ptr fs:[00000030h] 1_2_013655F9
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_013658ED mov ecx, dword ptr fs:[00000030h] 1_2_013658ED
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01364F5C HeapCreate,GetProcessHeap, 1_2_01364F5C
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 1_2_01365115
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01367660 AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW, 1_2_01367660
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.916361317.0000000001520000.00000002.00000001.sdmp, unsecapp.exe, 00000012.00000002.915856738.000001BD7DC50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.916361317.0000000001520000.00000002.00000001.sdmp, unsecapp.exe, 00000012.00000002.915856738.000001BD7DC50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.916361317.0000000001520000.00000002.00000001.sdmp, unsecapp.exe, 00000012.00000002.915856738.000001BD7DC50000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: 46a40ec6_by_Libranalysis.exe, 00000001.00000002.916361317.0000000001520000.00000002.00000001.sdmp, unsecapp.exe, 00000012.00000002.915856738.000001BD7DC50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_01365235 cpuid 1_2_01365235
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\46a40ec6_by_Libranalysis.exe | Code function: 1_2_0136569F GetUserNameW, 1_2_0136569F

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Replication Through Removable Media 1 | Windows Management Instrumentation 11 | Windows Service 1 | Windows Service 1 | Masquerading 3 | OS Credential Dumping | Query Registry 1 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Service Execution 1 | Boot or Logon Initialization Scripts | Process Injection 12 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 24 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement 1
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Peripheral Device Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Account Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Service Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | File and Directory Discovery 3 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Information Discovery 25 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

        Behavior Graph


        Screenshots
