Analysis

  • max time kernel: 52s
  • max time network: 53s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-03-2023 12:10

General

  • Target: cmd.exe
  • Size: 55KB
  • MD5: c80fa6946b999e10575655b52972e294
  • SHA1: 4b2b7d490c1f84bc210a2aa3bdb02929e2dbae1c
  • SHA256: 9fe80b59926a0d8fa97ce49a1ee7564a8a2464283d3df047a9af7eea2356d3f5
  • SHA512: e80e94e3cb2518cb5b534fa4b6e7eec8e751343f41b5536faf788f607d53562c42879219117021a1b0df9f0f3f15a7a39890b5ed96e27b5c70841b7ec3594576
  • SSDEEP: 1536:EkcgYgbig9EhjWNMSTdwp++la/oPK5fOm3N:Ej8ijWNw++ldo

Malware Config

Signatures

  • Phobos
    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Deletes backup catalog (3 TTPs, 1 IoC)
    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall (1 TTP, 2 IoCs)
  • Drops startup file (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies (2 TTPs, 1 IoC)
    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (49 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      2⤵
      PID:1152
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2232
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3904
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:988
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2108
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:892
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:3232
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:4672
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3632
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:756
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:272
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4460

Network

MITRE ATT&CK Enterprise v6
Downloads
