Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
09-08-2023 07:35
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Users\627o399m-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5427461206FF740C
http://decryptor.cc/5427461206FF740C
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1h35.bmp" adb.vbs.exe -
Drops file in Program Files directory 21 IoCs
Processes:
adb.vbs.exedescription ioc process File created \??\c:\program files (x86)\microsoft sql server compact edition\627o399m-readme.txt adb.vbs.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\627o399m-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\DenyPublish.contact adb.vbs.exe File opened for modification \??\c:\program files\InstallConvert.eps adb.vbs.exe File opened for modification \??\c:\program files\SearchSwitch.jfif adb.vbs.exe File opened for modification \??\c:\program files\UndoApprove.pdf adb.vbs.exe File opened for modification \??\c:\program files\UninstallInvoke.jpeg adb.vbs.exe File created \??\c:\program files\627o399m-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\ReadApprove.odp adb.vbs.exe File opened for modification \??\c:\program files\SetAdd.jpg adb.vbs.exe File opened for modification \??\c:\program files\SuspendRegister.sql adb.vbs.exe File opened for modification \??\c:\program files\ShowInvoke.wav adb.vbs.exe File opened for modification \??\c:\program files\UseOut.aif adb.vbs.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\627o399m-readme.txt adb.vbs.exe File created \??\c:\program files (x86)\627o399m-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\DenyClose.reg adb.vbs.exe File opened for modification \??\c:\program files\FindSave.vsdm adb.vbs.exe File opened for modification \??\c:\program files\GrantExport.jfif adb.vbs.exe File opened for modification \??\c:\program files\RepairResume.vssm adb.vbs.exe File opened for modification \??\c:\program files\GrantUnblock.au3 adb.vbs.exe File opened for modification \??\c:\program files\ResetOpen.mhtml adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
adb.vbs.exepowershell.exepid process 2556 adb.vbs.exe 2064 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2556 adb.vbs.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeBackupPrivilege 2384 vssvc.exe Token: SeRestorePrivilege 2384 vssvc.exe Token: SeAuditPrivilege 2384 vssvc.exe Token: SeTakeOwnershipPrivilege 2556 adb.vbs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 2556 wrote to memory of 2064 2556 adb.vbs.exe powershell.exe PID 2556 wrote to memory of 2064 2556 adb.vbs.exe powershell.exe PID 2556 wrote to memory of 2064 2556 adb.vbs.exe powershell.exe PID 2556 wrote to memory of 2064 2556 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2988
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5a8e4c6d66dcf2f8ed6c783cbdb484045
SHA1c541214daa6eba88bbee248c45ce4343b569e68c
SHA256b27f45c2dc553ac92894ad07b5ea20cb74a05baa97cf2f20ecfd230b521e7e4d
SHA512c8b5a3ca36d7176c7828f2fb6cf5ef0f8affa30694c0cb5c97f053ab6a382b1614b9258f44f872f0c70e7b63444b8350eff271b91dd9646a7a1481610ad86630