Analysis

  • max time kernel
    82s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-05-2023 07:17

General

  • Target

    rundll64.exe

  • Size

    236KB

  • MD5

    4165a3dba3c7ac26b225f8623f70ebaa

  • SHA1

    587df43d63da7dfd726a4bb8f39877647cc07da0

  • SHA256

    523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976

  • SHA512

    43ad74651aad95f16bd17f6fea857534c6c6502cb0c06262092e7b10ab59a27b663565668d6fd4436c72a114f632ab6940fc4f1914d165eba7e5a8a8b5743b8e

  • SSDEEP

    6144:qb/A0SeQu0hL2cyBt2iOjese1HSCRhECwt6:q8D5P2ICsDCRhQ6

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\rundll64.exe
    "C:\Users\Admin\AppData\Local\Temp\rundll64.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\rundll64.exe
      "C:\Users\Admin\AppData\Local\Temp\rundll64.exe"
      2⤵
      PID:4364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 460
        3⤵
        • Program crash
        PID:4692
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:4332
      • C:\Windows\system32\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        PID:772
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4344
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3292
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2032
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3040
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4364 -ip 4364
    1⤵
    PID:1212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1008
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2768
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3900

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\7-Zip\7-zip.dll
    Filesize: 76KB
    MD5: 4fcf65d3ad9691efc0f5963c0c85cc67
    SHA1: 0da9b686bba7d3ac17038068a26697568eddd563
    SHA256: 93b750cdaba989a539174cb4412e859a62f568a8d1ea1c5c8f1a257d5981404c
    SHA512: 23e1ccf0403f193119ab18321956e4887bce6d6352324ece0eb1577207d18a510efba26a71c6b6328f1ab9ed80ed97c5d2609fbb508009ed38ee694f2d591279

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
    Filesize: 57B
    MD5: ab9d8ef2ffa9145d6c325cefa41d5d4e
    SHA1: 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
    SHA256: 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
    SHA512: 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
    Filesize: 138B
    MD5: a2bb242dc046bacdc58e7fbbe03cce85
    SHA1: 052ab788f1646b958e0ea2c0ef47d00141fc1004
    SHA256: 486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22
    SHA512: d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml
    Filesize: 431B
    MD5: 2c16868331f82ff43059dcb0ea178af3
    SHA1: 983589535e05c495ffeae4b0b31ddcfafe92a763
    SHA256: be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376
    SHA512: 184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml
    Filesize: 411B
    MD5: f7c78514872f9cb5585f8d69532cd2d0
    SHA1: ff9dfbb62a3b48c85b6434ee831fb33a8dba9526
    SHA256: 5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965
    SHA512: 50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
    Filesize: 429B
    MD5: d7d2fed9b7c55fe72a6cda66725cb7e8
    SHA1: 2cb154a1c4a0553658801a088edf87b5816cbbd2
    SHA256: a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5
    SHA512: 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml
    Filesize: 400B
    MD5: a75d7d422fd00bf31208b013e74d8394
    SHA1: 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
    SHA256: 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
    SHA512: af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml
    Filesize: 437B
    MD5: ceb1e6764a28b208d51a7801052118d7
    SHA1: 2719eea8bde44ff35dd7b274df167c103483b895
    SHA256: 99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0
    SHA512: f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
    Filesize: 463B
    MD5: 48e296d8287ae11c252e4277ee885161
    SHA1: 8a75b573549c2791d38acb3a4d215fa2153b37eb
    SHA256: c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b
    SHA512: b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml
    Filesize: 473B
    MD5: 437687da72730cf42ce36bd093b78b3e
    SHA1: 693e31dc362426bc4d7a6b2954f7c80267476d66
    SHA256: d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a
    SHA512: 7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml
    Filesize: 417B
    MD5: 9f89b49e6e4b81eb9a3ef6a5d8924461
    SHA1: 17ee8eae11a1fb327f3344cc549bef305de408c5
    SHA256: d739aa103e35aa5efd0fe49dd14d9360b5a83261b164d6d3277a24fed97ff8fc
    SHA512: ef2f26b00ee4dccdb28fc1bb6c960cab9ae6f72f126bee21104b865b8e7833b35a64abf464b71cc34e954a8ccdb805544729368caee2a84b8ab97914c30fa761

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml
    Filesize: 405B
    MD5: bb95a9de280c528c32806d0d5231de6d
    SHA1: bbffb8596f1bc68df5603a10a3672a02ebd3ea8b
    SHA256: a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c
    SHA512: ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80

  • C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml
    Filesize: 407B
    MD5: 0188bed9647ab3c0f81dc3e4b5589baa
    SHA1: 05493cad7050ee0cba5255847941736898503dd3
    SHA256: f5d3f822a8435f91f7a5d54b720aa637f8b8f8102c7670d1b52d98f2d0123beb
    SHA512: 20e40619e02c24acd461fe07a7d7e448bdd03f423221ecde05ec206eb7b520d3d500e3b5988122b97a8752fe2cc7b305417692ec73d4568dcf49b2c3c4fb8d0b

  • C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif
    Filesize: 153B
    MD5: d13b5ffdeb538f15ee1d30f2788601d5
    SHA1: 8dc4da8e4efca07472b08b618bc059dcbfd03efa
    SHA256: f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
    SHA512: 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

  • C:\Program Files\Java\jre1.8.0_66\release
    Filesize: 527B
    MD5: ff9a2d3be0b1b401f5bbae30ab62a24d
    SHA1: 29d8cda271ced9cf1d430029fa4ab0d6ba5948c0
    SHA256: fd13695474bc8227057e56cb7013cea630c9ad3a2a134b7b412293f850c1df43
    SHA512: 0dd906600b44350136079b23488fd72b0f1a8a4eed594b26a692a725a62a741707b2811005dc11a389e5da89ebfd7040519342813035047bbee906a20beff2e1

  • C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml
    Filesize: 1KB
    MD5: 0b783b2c6d8aa254f3e90187725263aa
    SHA1: df2e49e32c8e1d25b17d410addf35badc22ef90f
    SHA256: 590de671f8b144c3ec28a4e953a91685bb6c2a97c7c25c08d44003445bc2fe3e
    SHA512: ef532a7213505f49d95b05cf27d64e1b45ef9ded6b057ba0501fb0b62631784f21f235a0842c58b2b27522e06bb383afefd3220c85064b729b45131692fa2461

  • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
    Filesize: 744B
    MD5: 809457c05fe696f5d34ac5ac8768cdd4
    SHA1: a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
    SHA256: 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
    SHA512: cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 42B
    MD5: c183857770364b05c2011bdebb914ed3
    SHA1: 040e5ac904de86328cca053a15596e118fc5da24
    SHA256: 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca
    SHA512: 8ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70

  • C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
    Filesize: 114B
    MD5: 301657e2669b4c76979a15f801cc2adf
    SHA1: f7430efc590e79b847ab97b6e429cd07ef886726
    SHA256: 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
    SHA512: e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

  • C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
    Filesize: 113B
    MD5: b9205d5c0a413e022f6c36d4bdfa0750
    SHA1: f16acd929b52b77b7dad02dbceff25992f4ba95e
    SHA256: 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
    SHA512: 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
    Filesize: 24B
    MD5: 1681ffc6e046c7af98c9e6c232a3fe0a
    SHA1: d3399b7262fb56cb9ed053d68db9291c410839c4
    SHA256: 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
    SHA512: 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

  • memory/1016-2122-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-1019-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-133-0x0000000000030000-0x000000000003C000-memory.dmp
    Filesize: 48KB

  • memory/1016-459-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-6360-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-4272-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-9510-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/1016-134-0x00000000001C0000-0x00000000001CF000-memory.dmp
    Filesize: 60KB

  • memory/1016-11247-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB

  • memory/4364-135-0x0000000000400000-0x00000000047C2000-memory.dmp
    Filesize: 67.8MB