Overview

overview

10

Static

static

Bolbi.vbs

windows7_x64

10

Bolbi.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bolbi.vbs

  • Size

    46KB

  • MD5

    99ec3237394257cb0b5c24affe458f48

  • SHA1

    5300e68423da9712280e601b51622c4b567a23a4

  • SHA256

    ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

  • SHA512

    af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

Score
10/10
discoveryevasionexploitpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Blocklisted process makes network request 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 22 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs" /elevated
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1248
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
            PID:1516
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
            4⤵
              PID:1172
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
              4⤵
                PID:516
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im explorer.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:548
              • C:\Windows\explorer.exe
                explorer.exe
                4⤵
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1472
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\System32\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:1740
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\System32 /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1788
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:788
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\ /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1952
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x550
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1612

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        1
        T1089

        Modify Registry

        5
        T1112

        File Permissions Modification

        1
        T1222

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\Bolbi.txt
          Filesize

          29B

          MD5

          b37ed35ef479e43f406429bc36e68ec4

          SHA1

          5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

          SHA256

          cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

          SHA512

          d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

          Download Submit
        • C:\Users\Public\Ghostroot\KillDora.bat
          Filesize

          482B

          MD5

          4f08159f1d70d41bf975e23230033a0f

          SHA1

          ea88d6fbdcf218e0e04a650d947250d8a3dfad40

          SHA256

          d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

          SHA512

          958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

          Download Submit
        • memory/516-61-0x0000000000000000-mapping.dmp
          Download
        • memory/548-62-0x0000000000000000-mapping.dmp
          Download
        • memory/788-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1172-60-0x0000000000000000-mapping.dmp
          Download
        • memory/1248-55-0x0000000000000000-mapping.dmp
          Download
        • memory/1472-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1516-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1520-57-0x0000000000000000-mapping.dmp
          Download
        • memory/1556-54-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1740-64-0x0000000000000000-mapping.dmp
          Download
        • memory/1788-66-0x0000000000000000-mapping.dmp
          Download
        • memory/1952-69-0x0000000000000000-mapping.dmp
          Download