Analysis

  • max time kernel
    100s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 02:56

General

  • Target

    de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe

  • Size

    195KB

  • MD5

    e6d10e0728948343745188e29e9e4c0a

  • SHA1

    e97a20c518c9ecbb2b05a52b815809224d418821

  • SHA256

    de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4

  • SHA512

    877b447fa337bd88b601ea7048ee76ee76afaec8749dd978d847827554571be9e18d22f4fa28b300b2317c61b30ca488c893458e00b3ac0f75bfb9121d422651

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 40 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe
    "C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe
      "{path}"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe
        "C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Users\Admin\AppData\Local\Temp\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe
          "{path}"
          4⤵
            PID:4108
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1072
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3828
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1996
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1876
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:4324
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4100
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3876
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:2628
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4148
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Command-Line Interface (1) T1059
  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: File Deletion (3) T1107
  • Defense Evasion: Modify Registry (1) T1112
  • Impact: Inhibit System Recovery (4) T1490

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe.log
    Filesize: 496B
    MD5: cb76b18ebed3a9f05a14aed43d35fba6
    SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
    SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
    SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
  • memory/1072-145-0x0000000000000000-mapping.dmp
  • memory/1712-144-0x0000000000000000-mapping.dmp
  • memory/1876-148-0x0000000000000000-mapping.dmp
  • memory/1996-147-0x0000000000000000-mapping.dmp
  • memory/2688-130-0x0000000075320000-0x00000000758D1000-memory.dmp
    Filesize: 5.7MB
  • memory/3388-132-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB
  • memory/3388-134-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB
  • memory/3388-131-0x0000000000000000-mapping.dmp
  • memory/3388-137-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB
  • memory/3828-146-0x0000000000000000-mapping.dmp
  • memory/4108-143-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB
  • memory/4108-139-0x0000000000000000-mapping.dmp
  • memory/4264-138-0x00000000753C0000-0x0000000075971000-memory.dmp
    Filesize: 5.7MB
  • memory/4264-135-0x0000000000000000-mapping.dmp
  • memory/4324-149-0x0000000000000000-mapping.dmp