Analysis
-
max time kernel
103s -
max time network
108s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
09-08-2023 07:35
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Recovery\y389ng9-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/21224F673EBCC2FE
http://decryptor.cc/21224F673EBCC2FE
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\y389ng9-readme.txtFilesize
7KB
MD5315a645f7839ddbcd016707e1b4d45ee
SHA15daf7c0c9d77b570cf79b05ab76480c554d96533
SHA2566096b71a6e304b55b1a9b7fe95d817bac6873074044eb8ca031d9ecf09208d7c
SHA5120b1635340d8f16eeacae8fa9d5814552efa56600deefd4e843c1b03e203d241ed93d3a26a8469e4c2a89561e4a4241b1061298793372762faa1ec47a47fd146b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ild5rgem.5rx.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\System32\catroot2\dberr.txtFilesize
181KB
MD5a0857f2a9a01a6355b6b1f741ea937b6
SHA1a8b8baaee9163756ab9d33b59dd42c9d00981017
SHA25618ff76c2ea7e0f81d846b674c2f314b4d257ce2c1fe042593e3f22b0845c1019
SHA5120f245aa721fc25a9487c45d61626439ae9ac46f57eaf4c34953e7252f0672fec4d20a1e82266d9ed7ab4b212bc690038d16d5a018ee43b675a84c4c9cf91d967
-
memory/524-124-0x0000018DF6480000-0x0000018DF64A2000-memory.dmpFilesize
136KB
-
memory/524-131-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmpFilesize
9.9MB
-
memory/524-132-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-133-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-136-0x0000018DF6730000-0x0000018DF67A6000-memory.dmpFilesize
472KB
-
memory/524-155-0x0000018DDDD30000-0x0000018DDDD40000-memory.dmpFilesize
64KB
-
memory/524-159-0x00007FFF6DE70000-0x00007FFF6E85C000-memory.dmpFilesize
9.9MB