Analysis
-
max time kernel
36s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22/04/2024, 21:11
General
-
Target
Bolbi.vbs
-
Size
1.1MB
-
MD5
584f03161a17b36b2f5163dd85bc0b77
-
SHA1
04dad07d0146ff09c0dacc3f248dbda16055a609
-
SHA256
ee2a2b418e82683de196beb5d4f6cb213e7579d783b06b9949f4a988f515b324
-
SHA512
530ef231a0fea29700d8bbffa5ed40b4cc05b96323fcbd853e86f050362d84f8a5250387f86a47ec0f103a76b00bada9c352a3c6c76736740984732c184003ff
-
SSDEEP
24576:gjSdueeKiZeXA940z802o5mNBriKgcdgUixQsUgk:gjSduKCeA2oqdJqfk
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 5 IoCs
-
Modifies registry class 8 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Bolbi.vbs" /elevated2⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Public\ghostroot\Player.vbs3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat3⤵
-
C:\Windows\system32\gpupdate.exegpupdate.exe /force4⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2408 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=2760 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3480 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3684 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3848 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3868 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1336,i,11993726072816792203,5379939194682326223,131072 /prefetch:81⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Bolbi.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Bolbi.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Microsoft Games\solitaire\solitaire.exe"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240KB
MD50accb3fc627a1ff4a03f76160fd5b132
SHA12a667746c2ce38f43a40f86a7a784fdfeef8a930
SHA2562484931ef1da1ed4862005b71be226226b0650226eaace4be4804aa51c593764
SHA512564d260223092cae64de02e1970b1e497343605ffad1d130a18efeac25b026ae0b0884c6503ca70ca3b021aa79c971220d760dbc6170cacd1cf48f8d6afc9d5c
-
Filesize
1KB
MD548dd6cae43ce26b992c35799fcd76898
SHA18e600544df0250da7d634599ce6ee50da11c0355
SHA2567bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31
-
Filesize
29B
MD5b37ed35ef479e43f406429bc36e68ec4
SHA15e3ec88d9d13d136af28dea0d3c2529f5b6e3b82
SHA256cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c
SHA512d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7
-
Filesize
918B
MD545fcae4003de1832e478518394c3c0c8
SHA147c663c601b426748601e4b81c3bcf6a35c12b06
SHA2562244d7c88dc24a9630f1845fda5ab0a3677190d9ce9a0493f58c5d976160eb11
SHA512aa3bab3c6eaa809a55c62e6626edf20e9d8cf97a65e957f4e4d550dc3105a4f28eb3b438fb67cd75105922bd55129f72e2e15355ece892905102dda0050396e9
-
Filesize
528B
MD5b2ca858d3b7c50e46c226c7db3501cfd
SHA13410bd8c9e09d694f10bba0051b634009c3f9c2e
SHA256b64d2e53ebcddb6c36cc5429c5483a01abac40def4a3a027f89104156328d41b
SHA5120880c6dd1fe3aa3e00f50d0467281142eb229cea5b8f1e1a0203a681cdb40aef80039fc08fcad6e0608bc4277af7aa65cb0cb84fcc9494d1d76d4116a93a22ca
-
Filesize
501KB
MD541c89eebb86e4f4b1b0033d8e0214026
SHA12010f7fc5e3086fef00c42d8660e1534bc95177e
SHA2569dd0d4b5d11a686f9320a306d78b37404a5397e2e0d79628363db348ae9b1c48
SHA51270d8879dd2b840b014c6301927aa43263b40925d8523bed252dc5719fd9a7228c986edece441b402cc64537ca0583d781e9a88431f88188aecb3973824b9f621
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
64KB