Analysis
- max time kernel: 182s
- max time network: 194s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-05-2022 19:23
Static task: static1
Behavioral task: behavioral1
- Sample: ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs
- Resource: win10v2004-20220414-en
General
- Target: ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs
- Size: 46KB
- MD5: 99ec3237394257cb0b5c24affe458f48
- SHA1: 5300e68423da9712280e601b51622c4b567a23a4
- SHA256: ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51
- SHA512: af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb
Malware Config
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes:
    flow  pid   process
    5     1224  wscript.exe
    6     1224  wscript.exe
    8     1224  wscript.exe
    10    1224  wscript.exe
    11    1224  wscript.exe
- Modifies Installed Components in the registry (2 TTPs)
- Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid   process
    1604  icacls.exe
    904   takeown.exe
    1352  icacls.exe
    1720  takeown.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid   process
    1352  icacls.exe
    1720  takeown.exe
    1604  icacls.exe
    904   takeown.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    description      ioc                                                                                                                              process
    Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run                       wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"  wscript.exe
    Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run                                                                  wscript.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"                 wscript.exe
- Checks whether UAC is enabled
  Processes:
    description      ioc                                                                                    process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wscript.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                       process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg"  wscript.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description                   ioc                  process
    File opened for modification  C:\Windows\System32  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes:
    pid  process
    848  taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes:
    description      ioc                                                                                                          process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\s1159 = "Bolbi"    wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\s2359 = "Bolbi"    wscript.exe
    Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop                          wscript.exe
    Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International                    wscript.exe
- Modifies registry class (11 IoCs)
  Processes:
    description       ioc                                                                                                                                  process
    Set value (data)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots             explorer.exe
    Set value (data)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile"                                                                                  cmd.exe
    Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.pif                                                                                               cmd.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile"                                                                                  cmd.exe
    Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings                                                   explorer.exe
    Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU           explorer.exe
    Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk                                                                                               cmd.exe
    Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.scr                                                                                               cmd.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile"                                                                                  cmd.exe
    Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell                  explorer.exe
- Modifies system certificate store
  Processes:
    description       ioc                                                                                                                               process
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436            wscript.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob elided)  wscript.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1592  explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
    description (token)         pid   process
    SeDebugPrivilege            848   taskkill.exe
    SeTakeOwnershipPrivilege    904   takeown.exe
    SeShutdownPrivilege         1592  explorer.exe  (x10)
    33                          1784  AUDIODG.EXE
    SeIncBasePriorityPrivilege  1784  AUDIODG.EXE
    33                          1784  AUDIODG.EXE
    SeIncBasePriorityPrivilege  1784  AUDIODG.EXE
    SeTakeOwnershipPrivilege    1720  takeown.exe
    SeShutdownPrivilege         1592  explorer.exe  (x2)
- Suspicious use of FindShellTrayWindow (23 IoCs)
  Processes:
    pid   process
    1592  explorer.exe  (x23)
- Suspicious use of SendNotifyMessage (23 IoCs)
  Processes:
    pid   process
    1592  explorer.exe  (x23)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (each write was recorded three times):
    description                     pid   process      target process
    PID 1776 wrote to memory of 1224  1776  WScript.exe  wscript.exe   (x3)
    PID 1224 wrote to memory of 1496  1224  wscript.exe  cmd.exe       (x3)
    PID 1496 wrote to memory of 1892  1496  cmd.exe      rundll32.exe  (x3)
    PID 1496 wrote to memory of 1164  1496  cmd.exe      reg.exe       (x3)
    PID 1496 wrote to memory of 360   1496  cmd.exe      reg.exe       (x3)
    PID 1496 wrote to memory of 848   1496  cmd.exe      taskkill.exe  (x3)
    PID 1496 wrote to memory of 1592  1496  cmd.exe      explorer.exe  (x3)
    PID 1496 wrote to memory of 904   1496  cmd.exe      takeown.exe   (x3)
    PID 1496 wrote to memory of 1352  1496  cmd.exe      icacls.exe    (x3)
    PID 1496 wrote to memory of 1720  1496  cmd.exe      takeown.exe   (x3)
    PID 1496 wrote to memory of 1604  1496  cmd.exe      icacls.exe    (x3)
- System policy modification (1 TTP, 22 IoCs)
  Processes:
    description      ioc                                                                                                            process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"      wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"  wscript.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"   wscript.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"  wscript.exe
    Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1"          wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"             wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"                       wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"                      wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1"         wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"              wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"             wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"                wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"        wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1"    wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1"               wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"              wscript.exe
    Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System                                     wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"                wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"          wscript.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"           wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs" /elevated
    Signatures:
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
      Signatures:
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe
        Command line: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im explorer.exe
        Signatures:
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\explorer.exe
        Command line: explorer.exe
        Signatures:
          - Modifies registry class
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
      - C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32 /Grant Users:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\ /Grant Users:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x48c
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Bolbi.txt
  Filesize: 29B
  MD5: b37ed35ef479e43f406429bc36e68ec4
  SHA1: 5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82
  SHA256: cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c
  SHA512: d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7
- C:\Users\Public\Ghostroot\KillDora.bat
  Filesize: 482B
  MD5: 4f08159f1d70d41bf975e23230033a0f
  SHA1: ea88d6fbdcf218e0e04a650d947250d8a3dfad40
  SHA256: d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e
  SHA512: 958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a
- C:\Users\Public\ghostroot\8ydfdsE.jpg
  Filesize: 59KB
  MD5: 1e8cd861c7919b862a9c47abae3dcce3
  SHA1: 4d44512ae2da33a9355463231184bbbfdc4396f2
  SHA256: cba3db7504d0b98a3bc5bebc7d4479360f4535378a9ee113c2269811d0a8d6d9
  SHA512: ee06887355aeff3fe2865bcde6050d8d139668e78bb352a6a0f32b36446887dab78e50a88c0762e3b3d36dd3288546a6283e2f19a7873f01733666046be60e48
- memory/360-62-0x0000000000000000-mapping.dmp
- memory/848-63-0x0000000000000000-mapping.dmp
- memory/904-65-0x0000000000000000-mapping.dmp
- memory/1164-61-0x0000000000000000-mapping.dmp
- memory/1224-55-0x0000000000000000-mapping.dmp
- memory/1352-67-0x0000000000000000-mapping.dmp
- memory/1496-57-0x0000000000000000-mapping.dmp
- memory/1592-64-0x0000000000000000-mapping.dmp
- memory/1604-70-0x0000000000000000-mapping.dmp
- memory/1720-69-0x0000000000000000-mapping.dmp
- memory/1776-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
  Filesize: 8KB
- memory/1892-59-0x0000000000000000-mapping.dmp