Analysis
- max time kernel: 162s
- max time network: 183s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:35
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Bolbi.vbs, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: Bolbi.vbs, Resource: win10v2004-20220414-en)
General
- Target: Bolbi.vbs
- Size: 46KB
- MD5: 99ec3237394257cb0b5c24affe458f48
- SHA1: 5300e68423da9712280e601b51622c4b567a23a4
- SHA256: ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51
- SHA512: af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: wscript.exe
  flow | pid | process
  5 | 1248 | wscript.exe
  7 | 1248 | wscript.exe
  8 | 1248 | wscript.exe
- Modifies Installed Components in the registry (2 TTPs)
- Possible privilege escalation attempt (4 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1740 | takeown.exe
  1788 | icacls.exe
  788 | takeown.exe
  1952 | icacls.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1740 | takeown.exe
  1788 | icacls.exe
  788 | takeown.exe
  1952 | icacls.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" | wscript.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" | wscript.exe
- Checks whether UAC is enabled
  Processes: wscript.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg" | wscript.exe
- Drops file in Windows directory (1 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32 | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  548 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\s1159 = "Bolbi" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\s2359 = "Bolbi" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop | wscript.exe
- Modifies registry class (11 IoCs)
  Processes: cmd.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile" | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile" | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile" | cmd.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: explorer.exe
  pid | process
  1472 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: taskkill.exe, explorer.exe, takeown.exe, AUDIODG.EXE
  description | pid | process
  Token: SeDebugPrivilege | 548 | taskkill.exe
  Token: SeShutdownPrivilege | 1472 | explorer.exe
  Token: SeTakeOwnershipPrivilege | 1740 | takeown.exe
  Token: SeShutdownPrivilege | 1472 | explorer.exe (9 identical entries)
  Token: 33 | 1612 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1612 | AUDIODG.EXE
  Token: 33 | 1612 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1612 | AUDIODG.EXE
  Token: SeTakeOwnershipPrivilege | 788 | takeown.exe
  Token: SeShutdownPrivilege | 1472 | explorer.exe (2 identical entries)
- Suspicious use of FindShellTrayWindow (24 IoCs)
  Processes: explorer.exe
  pid | process
  1472 | explorer.exe (24 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: explorer.exe
  pid | process
  1472 | explorer.exe (24 identical entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: WScript.exe, wscript.exe, cmd.exe
  description | pid | process | target process (each pair is logged three times)
  PID 1556 wrote to memory of 1248 | 1556 | WScript.exe | wscript.exe
  PID 1248 wrote to memory of 1520 | 1248 | wscript.exe | cmd.exe
  PID 1520 wrote to memory of 1516 | 1520 | cmd.exe | rundll32.exe
  PID 1520 wrote to memory of 1172 | 1520 | cmd.exe | reg.exe
  PID 1520 wrote to memory of 516 | 1520 | cmd.exe | reg.exe
  PID 1520 wrote to memory of 548 | 1520 | cmd.exe | taskkill.exe
  PID 1520 wrote to memory of 1472 | 1520 | cmd.exe | explorer.exe
  PID 1520 wrote to memory of 1740 | 1520 | cmd.exe | takeown.exe
  PID 1520 wrote to memory of 1788 | 1520 | cmd.exe | icacls.exe
  PID 1520 wrote to memory of 788 | 1520 | cmd.exe | takeown.exe
  PID 1520 wrote to memory of 1952 | 1520 | cmd.exe | icacls.exe
- System policy modification (1 TTPs, 22 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | wscript.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" | wscript.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" | wscript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Processes (process tree; the bracketed number is the depth in the tree)
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs" /elevated
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\rundll32.exe
        Command line: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      - [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im explorer.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\explorer.exe
        Command line: explorer.exe
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      - [4] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32 /Grant Users:F
        - Possible privilege escalation attempt
        - Modifies file permissions
      - [4] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\ /Grant Users:F
        - Possible privilege escalation attempt
        - Modifies file permissions
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x550
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Bolbi.txt
  Filesize: 29B
  MD5: b37ed35ef479e43f406429bc36e68ec4
  SHA1: 5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82
  SHA256: cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c
  SHA512: d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7
- C:\Users\Public\Ghostroot\KillDora.bat
  Filesize: 482B
  MD5: 4f08159f1d70d41bf975e23230033a0f
  SHA1: ea88d6fbdcf218e0e04a650d947250d8a3dfad40
  SHA256: d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e
  SHA512: 958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a
- memory/516-61-0x0000000000000000-mapping.dmp
- memory/548-62-0x0000000000000000-mapping.dmp
- memory/788-68-0x0000000000000000-mapping.dmp
- memory/1172-60-0x0000000000000000-mapping.dmp
- memory/1248-55-0x0000000000000000-mapping.dmp
- memory/1472-63-0x0000000000000000-mapping.dmp
- memory/1516-59-0x0000000000000000-mapping.dmp
- memory/1520-57-0x0000000000000000-mapping.dmp
- memory/1556-54-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
  Filesize: 8KB
- memory/1740-64-0x0000000000000000-mapping.dmp
- memory/1788-66-0x0000000000000000-mapping.dmp
- memory/1952-69-0x0000000000000000-mapping.dmp