Analysis
-
max time kernel
103s -
max time network
108s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
09-08-2023 07:35
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Recovery\y389ng9-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/21224F673EBCC2FE
http://decryptor.cc/21224F673EBCC2FE
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n7m49.bmp" adb.vbs.exe -
Drops file in Program Files directory 29 IoCs
Processes:
adb.vbs.exedescription ioc process File opened for modification \??\c:\program files\CheckpointRegister.xls adb.vbs.exe File opened for modification \??\c:\program files\FindCompress.zip adb.vbs.exe File opened for modification \??\c:\program files\JoinCopy.midi adb.vbs.exe File opened for modification \??\c:\program files\SearchSubmit.mpe adb.vbs.exe File opened for modification \??\c:\program files\UnpublishDisconnect.eps adb.vbs.exe File opened for modification \??\c:\program files\GetSuspend.xsl adb.vbs.exe File opened for modification \??\c:\program files\GrantNew.avi adb.vbs.exe File opened for modification \??\c:\program files\LockSave.xlsb adb.vbs.exe File opened for modification \??\c:\program files\SaveLock.wma adb.vbs.exe File opened for modification \??\c:\program files\UnlockDismount.vb adb.vbs.exe File opened for modification \??\c:\program files\UnregisterUndo.sql adb.vbs.exe File opened for modification \??\c:\program files\JoinTrace.asx adb.vbs.exe File opened for modification \??\c:\program files\MountSearch.xltm adb.vbs.exe File opened for modification \??\c:\program files\MoveClear.potx adb.vbs.exe File opened for modification \??\c:\program files\StartEnable.dxf adb.vbs.exe File opened for modification \??\c:\program files\SuspendSet.css adb.vbs.exe File opened for modification \??\c:\program files\SuspendSwitch.3gp adb.vbs.exe File opened for modification \??\c:\program files\RevokeConvertFrom.001 adb.vbs.exe File created \??\c:\program files\y389ng9-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\ConnectSelect.ttf adb.vbs.exe File opened for modification \??\c:\program files\InstallDebug.mpv2 adb.vbs.exe File opened for modification \??\c:\program files\WaitStart.htm adb.vbs.exe File opened for modification \??\c:\program files\SubmitCompress.wps adb.vbs.exe File created \??\c:\program files (x86)\y389ng9-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\ConvertFromInvoke.vssm adb.vbs.exe File opened for modification \??\c:\program files\TestFind.mid adb.vbs.exe File opened for modification \??\c:\program files\StartWatch.vssx adb.vbs.exe File opened for modification \??\c:\program files\StepProtect.vb adb.vbs.exe File opened for modification \??\c:\program files\UnprotectSearch.vdw adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
adb.vbs.exepowershell.exepid process 2472 adb.vbs.exe 2472 adb.vbs.exe 524 powershell.exe 524 powershell.exe 524 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2472 adb.vbs.exe Token: SeDebugPrivilege 524 powershell.exe Token: SeBackupPrivilege 312 vssvc.exe Token: SeRestorePrivilege 312 vssvc.exe Token: SeAuditPrivilege 312 vssvc.exe Token: SeTakeOwnershipPrivilege 2472 adb.vbs.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 2472 wrote to memory of 524 2472 adb.vbs.exe powershell.exe PID 2472 wrote to memory of 524 2472 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\y389ng9-readme.txtFilesize
7KB
MD5315a645f7839ddbcd016707e1b4d45ee
SHA15daf7c0c9d77b570cf79b05ab76480c554d96533
SHA2566096b71a6e304b55b1a9b7fe95d817bac6873074044eb8ca031d9ecf09208d7c
SHA5120b1635340d8f16eeacae8fa9d5814552efa56600deefd4e843c1b03e203d241ed93d3a26a8469e4c2a89561e4a4241b1061298793372762faa1ec47a47fd146b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ild5rgem.5rx.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\System32\catroot2\dberr.txtFilesize
181KB
MD5a0857f2a9a01a6355b6b1f741ea937b6
SHA1a8b8baaee9163756ab9d33b59dd42c9d00981017
SHA25618ff76c2ea7e0f81d846b674c2f314b4d257ce2c1fe042593e3f22b0845c1019
SHA5120f245aa721fc25a9487c45d61626439ae9ac46f57eaf4c34953e7252f0672fec4d20a1e82266d9ed7ab4b212bc690038d16d5a018ee43b675a84c4c9cf91d967
-
memory/524-124-0x0000018DF6480000-0x0000018DF64A2000-memory.dmpFilesize
136KB
-
memory/524-131-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmpFilesize
9.9MB
-
memory/524-132-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-133-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-136-0x0000018DF6730000-0x0000018DF67A6000-memory.dmpFilesize
472KB
-
memory/524-155-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-159-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmpFilesize
9.9MB