Overview

overview

10

Static

static

Bolbi.vbs

windows7-x64

10

Bolbi.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2022 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bolbi.vbs

  • Size

    46KB

  • MD5

    99ec3237394257cb0b5c24affe458f48

  • SHA1

    5300e68423da9712280e601b51622c4b567a23a4

  • SHA256

    ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

  • SHA512

    af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

  • SSDEEP

    384:m71ThEgivcqpCghtpCAhDnVLri57VurlgRL1xCLI05ej+1DPpUo/i/vFCbWZkraB:m7BGV95hIG1/d49gsCDsl

Score
10/10
discoveryevasionexploitpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 5 IoCs
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 11 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 31 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
            PID:1972
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
            4⤵
              PID:1040
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
              4⤵
                PID:1976
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im explorer.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1952
              • C:\Windows\explorer.exe
                explorer.exe
                4⤵
                • Modifies Installed Components in the registry
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1664
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\System32\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:856
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\System32 /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:340
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\ /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1076
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x58c
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2028

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        3
        T1060

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        1
        T1089

        Modify Registry

        7
        T1112

        File Permissions Modification

        1
        T1222

        Install Root Certificate

        1
        T1130

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\Bolbi.txt
          Filesize

          29B

          MD5

          b37ed35ef479e43f406429bc36e68ec4

          SHA1

          5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

          SHA256

          cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

          SHA512

          d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

          Download Submit
        • C:\Users\Public\Ghostroot\KillDora.bat
          Filesize

          482B

          MD5

          4f08159f1d70d41bf975e23230033a0f

          SHA1

          ea88d6fbdcf218e0e04a650d947250d8a3dfad40

          SHA256

          d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

          SHA512

          958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

          Download Submit
        • memory/340-66-0x0000000000000000-mapping.dmp
          Download
        • memory/784-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
          Filesize

          8KB

          Download
        • memory/816-57-0x0000000000000000-mapping.dmp
          Download
        • memory/856-64-0x0000000000000000-mapping.dmp
          Download
        • memory/1040-60-0x0000000000000000-mapping.dmp
          Download
        • memory/1076-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1100-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1664-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1952-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1972-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1976-61-0x0000000000000000-mapping.dmp
          Download
        • memory/1988-55-0x0000000000000000-mapping.dmp
          Download