Overview

overview

10

Static

static

cd89fd5bf3...d7.exe

windows7-x64

10

cd89fd5bf3...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2022 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7.exe

  • Size

    55KB

  • MD5

    fd0ef924c1edc067cd2298024a7057b0

  • SHA1

    0a32d7600869f37f0fbe2a5c996cda5111d4a4d1

  • SHA256

    cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

  • SHA512

    275efb2d22ceaed29c4c4563782f648663ea752a6b08d4472ba12d29dc76c57b2120c3a5984d08f5a0ebdd3abf68e6ea8af1325ff9eb24830c43c8c489ad44c0

  • SSDEEP

    1536:HNeRBl5PT/rx1mzwRMSTdLpJ47kmvBMRM:HQRrmzwR5JWk2+

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7.exe
    "C:\Users\Admin\AppData\Local\Temp\cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Users\Admin\AppData\Local\Temp\cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7.exe
      "C:\Users\Admin\AppData\Local\Temp\cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7.exe"
      2⤵
        PID:4296
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2208
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4976
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4120
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1552
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3672
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:532
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:4104
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:2660
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:3940
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:1204
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3672
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              3⤵
              • Deletes backup catalog
              PID:3900
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:4868
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:2156
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1000
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3392
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3748
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:1012
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:1244
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              1⤵
              • Interacts with shadow copies
              PID:2028

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Desktop\info.hta
              Filesize

              4KB

              MD5

              ea7354321d61c94a1027f2c015d2fecf

              SHA1

              8d49bae21c5315b85b5341f6a4a852ae991b3b63

              SHA256

              dca9e57b4afa9ea16317e18a222d95c69991bc672a58768685bc06dd956c642c

              SHA512

              190c3b98bd351359075d2d0e314eaaadc2bfb34ddaf7ba0ac7415aa9e23a4d1b638c77acac31df0b7dbcc7948d2ad9c96395b22bb43bd96d0a12e60842f858ec

              Download Submit

            • C:\info.hta
              Filesize

              4KB

              MD5

              ea7354321d61c94a1027f2c015d2fecf

              SHA1

              8d49bae21c5315b85b5341f6a4a852ae991b3b63

              SHA256

              dca9e57b4afa9ea16317e18a222d95c69991bc672a58768685bc06dd956c642c

              SHA512

              190c3b98bd351359075d2d0e314eaaadc2bfb34ddaf7ba0ac7415aa9e23a4d1b638c77acac31df0b7dbcc7948d2ad9c96395b22bb43bd96d0a12e60842f858ec

              Download Submit

            • C:\users\public\desktop\info.hta
              Filesize

              4KB

              MD5

              ea7354321d61c94a1027f2c015d2fecf

              SHA1

              8d49bae21c5315b85b5341f6a4a852ae991b3b63

              SHA256

              dca9e57b4afa9ea16317e18a222d95c69991bc672a58768685bc06dd956c642c

              SHA512

              190c3b98bd351359075d2d0e314eaaadc2bfb34ddaf7ba0ac7415aa9e23a4d1b638c77acac31df0b7dbcc7948d2ad9c96395b22bb43bd96d0a12e60842f858ec

              Download Submit

            • memory/532-135-0x0000000000000000-mapping.dmp

              Download

            • memory/632-145-0x0000000000000000-mapping.dmp

              Download

            • memory/1204-151-0x0000000000000000-mapping.dmp

              Download

            • memory/1552-140-0x0000000000000000-mapping.dmp

              Download

            • memory/2028-146-0x0000000000000000-mapping.dmp

              Download

            • memory/2156-144-0x0000000000000000-mapping.dmp

              Download

            • memory/2208-136-0x0000000000000000-mapping.dmp

              Download

            • memory/2660-142-0x0000000000000000-mapping.dmp

              Download

            • memory/3672-147-0x0000000000000000-mapping.dmp

              Download

            • memory/3672-141-0x0000000000000000-mapping.dmp

              Download

            • memory/3900-153-0x0000000000000000-mapping.dmp

              Download

            • memory/3940-143-0x0000000000000000-mapping.dmp

              Download

            • memory/4104-137-0x0000000000000000-mapping.dmp

              Download

            • memory/4120-139-0x0000000000000000-mapping.dmp

              Download

            • memory/4296-132-0x0000000000000000-mapping.dmp

              Download

            • memory/4868-152-0x0000000000000000-mapping.dmp

              Download

            • memory/4976-138-0x0000000000000000-mapping.dmp

              Download

            • memory/4988-133-0x0000000000000000-mapping.dmp

              Download

            • memory/5000-134-0x0000000000000000-mapping.dmp

              Download