Analysis
-
max time kernel
99s -
max time network
107s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
10-08-2023 00:38
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Recovery\9cfw9k82-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D9FFE09A38E1DBA
http://decryptor.cc/5D9FFE09A38E1DBA
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v7h58.bmp" adb.vbs.exe -
Drops file in Program Files directory 35 IoCs
Processes:
adb.vbs.exedescription ioc process File opened for modification \??\c:\program files\SaveBackup.eps adb.vbs.exe File opened for modification \??\c:\program files\SuspendShow.mp2v adb.vbs.exe File opened for modification \??\c:\program files\UninstallLock.wdp adb.vbs.exe File opened for modification \??\c:\program files\UnlockSuspend.wma adb.vbs.exe File created \??\c:\program files (x86)\9cfw9k82-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\UnregisterResize.wma adb.vbs.exe File opened for modification \??\c:\program files\DisconnectBackup.m1v adb.vbs.exe File opened for modification \??\c:\program files\EnterConfirm.M2T adb.vbs.exe File opened for modification \??\c:\program files\MergeRemove.xlt adb.vbs.exe File opened for modification \??\c:\program files\ReceiveMeasure.dotx adb.vbs.exe File opened for modification \??\c:\program files\ShowGroup.wma adb.vbs.exe File opened for modification \??\c:\program files\SwitchBackup.ini adb.vbs.exe File opened for modification \??\c:\program files\CompareImport.emf adb.vbs.exe File opened for modification \??\c:\program files\GetConvertFrom.3g2 adb.vbs.exe File created \??\c:\program files\9cfw9k82-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\EditLimit.mpg adb.vbs.exe File opened for modification \??\c:\program files\PopDebug.wmv adb.vbs.exe File opened for modification \??\c:\program files\ResetPublish.cfg adb.vbs.exe File opened for modification \??\c:\program files\WriteUnblock.ini adb.vbs.exe File opened for modification \??\c:\program files\BlockFormat.mp3 adb.vbs.exe File opened for modification \??\c:\program files\OutRename.inf adb.vbs.exe File opened for modification \??\c:\program files\RestartResize.3gp adb.vbs.exe File opened for modification \??\c:\program files\RestoreBackup.dwg adb.vbs.exe File opened for modification \??\c:\program files\TraceDismount.wmv adb.vbs.exe File opened for modification \??\c:\program files\MergeRedo.dotm adb.vbs.exe File opened for modification \??\c:\program files\EditMeasure.3gpp adb.vbs.exe File opened for modification \??\c:\program files\OpenSubmit.txt adb.vbs.exe File opened for modification \??\c:\program files\ReceiveAssert.mp2v adb.vbs.exe File opened for modification \??\c:\program files\SendRegister.edrwx adb.vbs.exe File opened for modification \??\c:\program files\SwitchShow.xla adb.vbs.exe File opened for modification \??\c:\program files\ConvertFromConfirm.3gpp adb.vbs.exe File opened for modification \??\c:\program files\EditDebug.doc adb.vbs.exe File opened for modification \??\c:\program files\SyncDebug.dib adb.vbs.exe File opened for modification \??\c:\program files\UnlockSync.mpv2 adb.vbs.exe File opened for modification \??\c:\program files\DebugProtect.au3 adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
adb.vbs.exepowershell.exepid process 2872 adb.vbs.exe 2872 adb.vbs.exe 2516 powershell.exe 2516 powershell.exe 2516 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2872 adb.vbs.exe Token: SeDebugPrivilege 2516 powershell.exe Token: SeBackupPrivilege 3864 vssvc.exe Token: SeRestorePrivilege 3864 vssvc.exe Token: SeAuditPrivilege 3864 vssvc.exe Token: SeTakeOwnershipPrivilege 2872 adb.vbs.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 2872 wrote to memory of 2516 2872 adb.vbs.exe powershell.exe PID 2872 wrote to memory of 2516 2872 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1776
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\9cfw9k82-readme.txtFilesize
7KB
MD553708047bbf3263c5ef20b7397d5a08e
SHA1f96505bb65c6fb546a6099db7fac9b723ca6f139
SHA256e8c96812146e3f1701b463193edd3f09fd6e73ea54ad7b5393a4d9c3fc8e581e
SHA512a4ae4df370fdc25b791e52714335782a158cfddc3f1c39ecf0c1fd4a1fe49166b9e2b64448c826a953fd921a533e5d9bc68689151878a823eeeb6b4a586ceaa7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxokyvzr.vv4.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\System32\catroot2\dberr.txtFilesize
181KB
MD56717a70cdc8e2c8ef688461c50c3878b
SHA1901d4df1871868b7cd72594c663ae192669a93e4
SHA2564fab14b35d5af26348af243892dd0f61cd122caed0d864c6ffafed9bbb12e77d
SHA512352e38e4484c25294c5c00ce437e24e60ae1a3a142633dab36d63c5b837d968e79fd110edff7f40c29fd03703e3e5792e02c106a6e92b71edb900a255e74da2d
-
memory/2516-124-0x0000015F272D0000-0x0000015F272F2000-memory.dmpFilesize
136KB
-
memory/2516-132-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmpFilesize
9.9MB
-
memory/2516-134-0x0000015F27200000-0x0000015F27210000-memory.dmpFilesize
64KB
-
memory/2516-135-0x0000015F27200000-0x0000015F27210000-memory.dmpFilesize
64KB
-
memory/2516-136-0x0000015F3F6B0000-0x0000015F3F726000-memory.dmpFilesize
472KB
-
memory/2516-155-0x0000015F27200000-0x0000015F27210000-memory.dmpFilesize
64KB
-
memory/2516-159-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmpFilesize
9.9MB