Overview

overview

10

Static

static

10

6275a839b5...3b.exe

windows7_x64

10

6275a839b5...3b.exe

windows10_x64

10

Resubmissions

17-01-2021 17:20

210117-42l4186m4a 10

17-01-2021 17:16

210117-436yb29wwa 10

11-01-2021 07:41

210111-s6ytr1ebc2 10

Analysis

  • max time kernel
    152s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-01-2021 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6275a839b5071bf445539c8652d2b13b.exe

  • Size

    1.0MB

  • MD5

    6275a839b5071bf445539c8652d2b13b

  • SHA1

    1e0946ea29e3eca33384ccab5a627d778a6e612d

  • SHA256

    f0aec57001a184ea82122a59c6e5be48042f75d6f11a40125995ba9531aab718

  • SHA512

    f31006c16dc31548283a4434ee4e13e878a24d10c1963d6b81083862a8cd544004612886e77774e3072481fee0411665d6db6ca8d5e25b9e8e72e7252603d677

Score
10/10
phobosevasionpersistenceransomware

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 6 IoCs
  • Drops file in Program Files directory 15528 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 261 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 72 IoCs
  • Suspicious use of SendNotifyMessage 72 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe
    "C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1504
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:268
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1216
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1548
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:928
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1656
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1348
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:232
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1312

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Command-Line Interface

      1
      T1059

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      File Deletion

      3
      T1107

      Modify Registry

      2
      T1112

      Install Root Certificate

      1
      T1130

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/268-20-0x0000000000000000-mapping.dmp
        Download
      • memory/804-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/804-3-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/848-6-0x00000000000D0000-0x00000000000D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/848-7-0x0000000000000000-mapping.dmp
        Download
      • memory/848-8-0x0000000000110000-0x0000000000111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/848-10-0x0000000000230000-0x0000000000231000-memory.dmp
        Filesize

        4KB

        Download
      • memory/848-18-0x0000000010530000-0x0000000010545000-memory.dmp
        Filesize

        84KB

        Download
      • memory/848-19-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/928-23-0x0000000000000000-mapping.dmp
        Download
      • memory/1104-4-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1216-21-0x0000000000000000-mapping.dmp
        Download
      • memory/1504-13-0x0000000000000000-mapping.dmp
        Download
      • memory/1548-22-0x0000000000000000-mapping.dmp
        Download
      • memory/1608-5-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/1636-12-0x0000000000000000-mapping.dmp
        Download