Analysis
-
max time kernel
138s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
10-08-2023 00:38
Static task
static1
Behavioral task
behavioral1
Sample
adb.vbs.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
adb.vbs.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
adb.vbs.exe
Resource
win10v2004-20230703-en
General
-
Target
adb.vbs.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
-
SSDEEP
1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ
Malware Config
Extracted
C:\Recovery\5096oaz7g-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F9647201020B5202
http://decryptor.cc/F9647201020B5202
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
adb.vbs.exedescription ioc process File opened (read-only) \??\R: adb.vbs.exe File opened (read-only) \??\U: adb.vbs.exe File opened (read-only) \??\W: adb.vbs.exe File opened (read-only) \??\Y: adb.vbs.exe File opened (read-only) \??\A: adb.vbs.exe File opened (read-only) \??\H: adb.vbs.exe File opened (read-only) \??\I: adb.vbs.exe File opened (read-only) \??\Q: adb.vbs.exe File opened (read-only) \??\P: adb.vbs.exe File opened (read-only) \??\S: adb.vbs.exe File opened (read-only) \??\T: adb.vbs.exe File opened (read-only) \??\X: adb.vbs.exe File opened (read-only) \??\G: adb.vbs.exe File opened (read-only) \??\K: adb.vbs.exe File opened (read-only) \??\N: adb.vbs.exe File opened (read-only) \??\O: adb.vbs.exe File opened (read-only) \??\Z: adb.vbs.exe File opened (read-only) \??\D: adb.vbs.exe File opened (read-only) \??\F: adb.vbs.exe File opened (read-only) \??\J: adb.vbs.exe File opened (read-only) \??\V: adb.vbs.exe File opened (read-only) \??\B: adb.vbs.exe File opened (read-only) \??\E: adb.vbs.exe File opened (read-only) \??\L: adb.vbs.exe File opened (read-only) \??\M: adb.vbs.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
adb.vbs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\53127j8dy.bmp" adb.vbs.exe -
Drops file in Program Files directory 33 IoCs
Processes:
adb.vbs.exedescription ioc process File opened for modification \??\c:\program files\BackupSend.mid adb.vbs.exe File opened for modification \??\c:\program files\EnableConnect.xlsb adb.vbs.exe File opened for modification \??\c:\program files\MergeExpand.vdw adb.vbs.exe File opened for modification \??\c:\program files\ProtectConvertFrom.fon adb.vbs.exe File opened for modification \??\c:\program files\StopCopy.ADTS adb.vbs.exe File opened for modification \??\c:\program files\ReadDisable.css adb.vbs.exe File opened for modification \??\c:\program files\TraceUnblock.vst adb.vbs.exe File created \??\c:\program files\5096oaz7g-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\GroupPop.eps adb.vbs.exe File opened for modification \??\c:\program files\ResolveResize.pcx adb.vbs.exe File opened for modification \??\c:\program files\SubmitUnblock.shtml adb.vbs.exe File created \??\c:\program files (x86)\5096oaz7g-readme.txt adb.vbs.exe File opened for modification \??\c:\program files\UnlockRead.xla adb.vbs.exe File opened for modification \??\c:\program files\ConnectDisconnect.bmp adb.vbs.exe File opened for modification \??\c:\program files\DenyCompress.emz adb.vbs.exe File opened for modification \??\c:\program files\RequestTrace.pot adb.vbs.exe File opened for modification \??\c:\program files\SuspendConnect.zip adb.vbs.exe File opened for modification \??\c:\program files\UnlockGet.clr adb.vbs.exe File opened for modification \??\c:\program files\ComparePing.txt adb.vbs.exe File opened for modification \??\c:\program files\EnterReset.csv adb.vbs.exe File opened for modification \??\c:\program files\ExpandDisconnect.mp2v adb.vbs.exe File opened for modification \??\c:\program files\JoinBackup.xps adb.vbs.exe File opened for modification \??\c:\program files\SaveRemove.snd adb.vbs.exe File opened for modification \??\c:\program files\ConnectWatch.TS adb.vbs.exe File opened for modification \??\c:\program files\ConvertToSend.dotx adb.vbs.exe File opened for modification \??\c:\program files\GrantAdd.ods adb.vbs.exe File opened for modification \??\c:\program files\GroupRedo.mpeg adb.vbs.exe File opened for modification \??\c:\program files\InstallGet.ps1xml adb.vbs.exe File opened for modification \??\c:\program files\MeasureConvertFrom.gif adb.vbs.exe File opened for modification \??\c:\program files\NewReceive.rle adb.vbs.exe File opened for modification \??\c:\program files\AssertResume.vbe adb.vbs.exe File opened for modification \??\c:\program files\CompleteUninstall.TTS adb.vbs.exe File opened for modification \??\c:\program files\UnlockMeasure.dot adb.vbs.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
adb.vbs.exepowershell.exepid process 3180 adb.vbs.exe 3180 adb.vbs.exe 4492 powershell.exe 4492 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
adb.vbs.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3180 adb.vbs.exe Token: SeDebugPrivilege 4492 powershell.exe Token: SeBackupPrivilege 4192 vssvc.exe Token: SeRestorePrivilege 4192 vssvc.exe Token: SeAuditPrivilege 4192 vssvc.exe Token: SeTakeOwnershipPrivilege 3180 adb.vbs.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
adb.vbs.exedescription pid process target process PID 3180 wrote to memory of 4492 3180 adb.vbs.exe powershell.exe PID 3180 wrote to memory of 4492 3180 adb.vbs.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3916
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\5096oaz7g-readme.txtFilesize
7KB
MD5ee695905298749c0812d45485a57bf91
SHA1302ad49e2701e3ac8228d3c213d36bfc33244ef7
SHA256cf3a575f5e8b134dcd19f21b348a15f5fef0c8ba6ce7d96e3e5d961d7a767b61
SHA5127cd42033eb1c7d3e9a9fc0d349cf8cf2ff4669bb67087491051a0f1ccaf65261700529dfa072ce48c96c463aeceb3d5329e2678e6026da4c32b60ac00087b2bd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubuc1vzl.bto.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/4492-142-0x0000026A31820000-0x0000026A31842000-memory.dmpFilesize
136KB
-
memory/4492-143-0x00007FF9A92A0000-0x00007FF9A9D61000-memory.dmpFilesize
10.8MB
-
memory/4492-145-0x0000026A30E00000-0x0000026A30E10000-memory.dmpFilesize
64KB
-
memory/4492-144-0x0000026A30E00000-0x0000026A30E10000-memory.dmpFilesize
64KB
-
memory/4492-146-0x0000026A30E00000-0x0000026A30E10000-memory.dmpFilesize
64KB
-
memory/4492-149-0x00007FF9A92A0000-0x00007FF9A9D61000-memory.dmpFilesize
10.8MB