Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:28

Static task: static1

Behavioral task: behavioral1
- Sample: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Resource: win10v2004-20220414-en
General
- Target: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
- Size: 853KB
- MD5: ede5bbc69594ab35cd44eead5dc73752
- SHA1: 32734225f02f0fd4a375313183b692900ee5eeea
- SHA256: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
- SHA512: 22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c
Malware Config
Signatures
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  Processes: PID 1872 svchost.exe created PID 3164 (target process ieinstal.exe)
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  Processes: PID 208 bcdedit.exe; PID 5020 bcdedit.exe
- Deletes backup catalog
  Processes: PID 4428 wbadmin.exe
- Drops startup file 1 IoCs
  Processes: ieinstal.exe created file \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ieinstal.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes (ieinstal.exe):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe"
- Drops desktop.ini file(s) 1 IoCs
  Processes: ieinstal.exe opened for modification C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Suspicious use of SetThreadContext 1 IoCs
  Processes: PID 4772 a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe set thread context of PID 3164 (target process ieinstal.exe)
- Drops file in Program Files directory 64 IoCs
- Checks SCSI registry key(s) 3 TTPs 4 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Processes (vds.exe):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 444 vssadmin.exe
- Script User-Agent 2 IoCs
  Uses user-agent string associated with script host/environment.
  - HTTP User-Agent header, flow 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: PID 3164 ieinstal.exe (64 events)
- Suspicious use of AdjustPrivilegeToken 51 IoCs
  Processes (token privileges enabled):
  - PID 1872 svchost.exe: SeTcbPrivilege (2 events)
  - PID 3164 ieinstal.exe: SeDebugPrivilege
  - PID 1348 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 4336 WMIC.exe (the following sequence occurs twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 3484 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory 20 IoCs
  Processes (source PID wrote to memory of target PID):
  - PID 4772 a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe -> PID 3164 ieinstal.exe (5 events)
  - PID 1872 svchost.exe -> PID 4092 ieinstal.exe (3 events)
  - PID 3164 ieinstal.exe -> PID 3124 cmd.exe (2 events)
  - PID 3124 cmd.exe -> PID 444 vssadmin.exe (2 events)
  - PID 3124 cmd.exe -> PID 4336 WMIC.exe (2 events)
  - PID 3124 cmd.exe -> PID 208 bcdedit.exe (2 events)
  - PID 3124 cmd.exe -> PID 5020 bcdedit.exe (2 events)
  - PID 3124 cmd.exe -> PID 4428 wbadmin.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494 0x3c0
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/208-139-0x0000000000000000-mapping.dmp
- memory/444-137-0x0000000000000000-mapping.dmp
- memory/3124-136-0x0000000000000000-mapping.dmp
- memory/3164-130-0x0000000000000000-mapping.dmp
- memory/3164-131-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/3164-133-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/3164-135-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/4092-134-0x0000000000000000-mapping.dmp
- memory/4336-138-0x0000000000000000-mapping.dmp
- memory/4428-141-0x0000000000000000-mapping.dmp
- memory/5020-140-0x0000000000000000-mapping.dmp