Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-12-2022 09:27
General
-
Target
84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23.exe
-
Size
55KB
-
MD5
578244d3c1afbe8009f04bbc9eb54076
-
SHA1
83c1841f67d81d90aec1217766721bbb6856973e
-
SHA256
84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23
-
SHA512
0a2b657dfb30ad60fca8c94fac6182b1273404a3163bd65328588e43d6440c3da7c9bd1fc9b1e5f75496f58304051108763e3fb30dddca8b589ef8fcdbb54481
-
SSDEEP
1536:ENeRBl5PT/rx1mzwRMSTdLpJtsbChoirP:EQRrmzwR5JqcZ
Malware Config
Extracted
C:\users\public\desktop\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
-
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23.exe"C:\Users\Admin\AppData\Local\Temp\84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23.exe"C:\Users\Admin\AppData\Local\Temp\84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23.exe"2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD54076c8058ad2f0d1e40671964d12693d
SHA179286788e22af19d7fdbd03f0c1ee89241b5c50f
SHA25656449591116c929b1b2b0d6e35978ef573c5e74b6b4b30e6d2f7c78552a3f175
SHA512e46baecb9244091c0eb8524af90fb1111db6dbe20c388c431644a2606169b9f08a1b961c2d4e165d7f5318e16f4e4a5aca65a5bce05c3a6f7b47f9e5894c68ad
-
Filesize
5KB
MD54076c8058ad2f0d1e40671964d12693d
SHA179286788e22af19d7fdbd03f0c1ee89241b5c50f
SHA25656449591116c929b1b2b0d6e35978ef573c5e74b6b4b30e6d2f7c78552a3f175
SHA512e46baecb9244091c0eb8524af90fb1111db6dbe20c388c431644a2606169b9f08a1b961c2d4e165d7f5318e16f4e4a5aca65a5bce05c3a6f7b47f9e5894c68ad
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-