Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Resource: win10v2004-20220414-en
General
- Target: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Size: 853KB
- MD5: ede5bbc69594ab35cd44eead5dc73752
- SHA1: 32734225f02f0fd4a375313183b692900ee5eeea
- SHA256: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
- SHA512: 22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes: ieinstal.exe
  description | ioc | process
  File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ieinstal.exe | ieinstal.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ieinstal.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" | ieinstal.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" | ieinstal.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes: ieinstal.exe
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini | ieinstal.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
  description | pid | process | target process
  PID 1972 set thread context of 1716 | 1972 | a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe | ieinstal.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid | process
  996 | vssadmin.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  description | flow | ioc
  HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ieinstal.exe
  pid | process
  1716 | ieinstal.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: ieinstal.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1716 | ieinstal.exe
  Token: SeBackupPrivilege | 808 | vssvc.exe
  Token: SeRestorePrivilege | 808 | vssvc.exe
  Token: SeAuditPrivilege | 808 | vssvc.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe, ieinstal.exe, cmd.exe
  description | pid | process | target process
  PID 1972 wrote to memory of 1716 | 1972 | a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe | ieinstal.exe (9 entries)
  PID 1716 wrote to memory of 1820 | 1716 | ieinstal.exe | cmd.exe (4 entries)
  PID 1820 wrote to memory of 996 | 1820 | cmd.exe | vssadmin.exe (3 entries)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    Process (depth 3): C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
Process (depth 1): C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
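The process tree above shows three behaviours a detection engineer would want to key on rather than on the sample's hash: the dropper setting the thread context of an ieinstal.exe child it launched from Program Files (hollowing a legitimate, signed binary), Run keys under HKLM and the user hive pointing into AppData\Local, and vssadmin being driven through cmd.exe to delete all shadow copies. The following Python detector is an added example, not code from the sandbox vendor or from this report. The Event record layout, the SAMPLE_EVENTS list and the benign control entry are assumptions constructed to mirror the report's process tree and registry writes; a real deployment would populate Event from Sysmon event IDs 1, 10 and 13 or equivalent EDR telemetry.

```python
# Added example (not part of the sandbox report): a small detector over
# process, registry and thread-context events shaped like the ones this
# report lists. It flags the three behaviours recorded in the report:
#   1. shadow-copy deletion via vssadmin, with the parent chain that led to it,
#   2. a Run key whose target lives in a user-writable AppData path,
#   3. a parent setting the thread context of a child it spawned from
#      Program Files (the process-hollowing pattern seen with ieinstal.exe).
# The Event shape and the sample events below are constructed to mirror the
# report; they are not sandbox output.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    kind: str                          # "process", "registry" or "setthreadcontext"
    pid: int                           # acting process
    image: str                         # full image path of the acting process
    cmdline: str = ""                  # for "process" events
    parent_pid: Optional[int] = None   # for "process" events
    target_pid: Optional[int] = None   # for "setthreadcontext" events
    reg_key: str = ""                  # for "registry" events
    reg_value: str = ""


# "vssadmin delete shadows ..." with or without .exe and regardless of switches
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# ...\Software\Microsoft\Windows\CurrentVersion\Run\<name> under HKLM or a user hive
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Paths an unprivileged user can write to; legitimate autoruns rarely live here
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(pid: int, by_pid: Dict[int, Event]) -> List[str]:
    """Walk parent_pid links and return image names root-first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].parent_pid
    return list(reversed(chain))


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    findings: List[Tuple[str, str]] = []
    for e in events:
        if e.kind == "process" and SHADOW_DELETE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", " -> ".join(ancestry(e.pid, by_pid))))
        elif e.kind == "registry" and RUN_KEY.search(e.reg_key):
            if USER_WRITABLE.match(e.reg_value.strip('"')):
                findings.append(("run_key_user_writable", f"{e.reg_key} = {e.reg_value}"))
        elif e.kind == "setthreadcontext":
            target = by_pid.get(e.target_pid)
            # A parent rewriting the thread context of a child it created from
            # Program Files is the classic create-suspended, hollow, resume pattern.
            if target and target.parent_pid == e.pid and PROGRAM_FILES.match(target.image):
                findings.append(("process_hollowing",
                                 f"{basename(e.image)} ({e.pid}) -> {basename(target.image)} ({target.pid})"))
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe")
IEINSTAL = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"
RUN_TARGET = '"C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe"'

# Constructed events mirroring the report's process tree and registry writes.
SAMPLE_EVENTS = [
    Event("process", 1972, SAMPLE, f'"{SAMPLE}"'),
    Event("process", 1716, IEINSTAL, f'"{IEINSTAL}"', parent_pid=1972),
    Event("setthreadcontext", 1972, SAMPLE, target_pid=1716),
    Event("registry", 1716, IEINSTAL,
          reg_key="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ieinstal",
          reg_value=RUN_TARGET),
    Event("registry", 1716, IEINSTAL,
          reg_key="\\REGISTRY\\USER\\S-1-5-21-1083475884-596052423-1669053738-1000"
                  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ieinstal",
          reg_value=RUN_TARGET),
    Event("process", 1820, "C:\\Windows\\system32\\cmd.exe", '"C:\\Windows\\system32\\cmd.exe"', parent_pid=1716),
    Event("process", 996, "C:\\Windows\\system32\\vssadmin.exe",
          "vssadmin delete shadows /all /quiet", parent_pid=1820),
    # Benign control (constructed): listing shadows is normal admin activity and must not fire.
    Event("process", 2000, "C:\\Windows\\system32\\vssadmin.exe", "vssadmin list shadows", parent_pid=1),
]


def run_sample() -> List[Tuple[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"[{kind}] {detail}")
```

The shadow-copy rule reports the full ancestry so an analyst sees at a glance that vssadmin was reached through a hollowed ieinstal.exe rather than from an administrator's console; the Run-key rule deliberately ignores the value name (ieinstal) and keys on where the target lives, since the name is trivially changed between builds.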
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/996-64-0x0000000000000000-mapping.dmp
- memory/1716-55-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/1716-57-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/1716-58-0x0000000000402E94-mapping.dmp
- memory/1716-61-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/1716-62-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/1820-63-0x0000000000000000-mapping.dmp
- memory/1972-54-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)