Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
13-09-2023 13:34
General
-
Target
78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe
-
Size
494KB
-
MD5
5e86e15a56455a7b230d2a934ad129a5
-
SHA1
6b0a1beffe90cf58d1e442612458d18b59a852a4
-
SHA256
78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce
-
SHA512
6dc0c23f825a36db50adf41795a2da3ae962ebd9eef07a923e629a8a32ac2a7aff87e19f1682a259cde6aa83c13c41e7e5ce4f7988680feaaedbe049208401e5
-
SSDEEP
12288:wWwjzdKu2piK6lVOx7j5S8U9a/tUvuNX7Y:Pwjzd+gE99XAC
Score
10/10
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe"C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe"C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exeC:\Users\Admin\AppData\Local\Temp\78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce_JC.exe4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[59BC5EC4-3483].[[email protected]].8baseFilesize
143.1MB
MD51eb6566d96bca773b7d08c714220fbd5
SHA192c649ad4a7f6f0b3f3faa6db1dee60f68185ae4
SHA2564455a59259ee5f3ada71f299489c28aeae2b5e0ee2900e03cacb1ddc1ca96498
SHA512911d3ad6025839b26f3679282b7e9a274c677f975eab41f302bb8f70caa3513777d7be3015f1a633a016821f2492f2fb3603cf85b3c5ed0194515070dd0ce064
-
memory/2232-18-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB
-
memory/2232-1-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB
-
memory/2232-2-0x0000000004B40000-0x0000000004B80000-memory.dmpFilesize
256KB
-
memory/2232-3-0x00000000004E0000-0x0000000000526000-memory.dmpFilesize
280KB
-
memory/2232-4-0x0000000000600000-0x0000000000646000-memory.dmpFilesize
280KB
-
memory/2232-5-0x00000000006E0000-0x0000000000714000-memory.dmpFilesize
208KB
-
memory/2232-6-0x0000000000760000-0x00000000007AC000-memory.dmpFilesize
304KB
-
memory/2232-0-0x0000000000110000-0x0000000000192000-memory.dmpFilesize
520KB
-
memory/2592-62-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-60-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-11-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-12-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2592-15-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-8-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-17-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-19-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-10273-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-4441-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-3567-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-303-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-212-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-61-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-45-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-48-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-47-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-49-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-51-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-50-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-9-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-64-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-7-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-70-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2592-10-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2616-35-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2616-297-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2616-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2740-33-0x0000000072F00000-0x00000000735EE000-memory.dmpFilesize
6.9MB
-
memory/2740-22-0x00000000007E0000-0x0000000000820000-memory.dmpFilesize
256KB
-
memory/2740-21-0x0000000072F00000-0x00000000735EE000-memory.dmpFilesize
6.9MB
-
memory/2740-20-0x0000000000110000-0x0000000000192000-memory.dmpFilesize
520KB