Analysis
-
max time kernel
10s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
01-10-2023 06:19
General
-
Target
b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe
-
Size
485KB
-
MD5
ef5f692e2fa2217e1da225e8270dd704
-
SHA1
17ec78fad167f76fc93f6b4e723071c3774ac092
-
SHA256
b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5
-
SHA512
2cd9f42fb1a8b29017b1b792676bffdee07ac332c1d7eef7e11e0fe0dfb5257774602c628df7e2241d820364bc547b0e8a48ccdc738982b301b2bf90f0ae14e0
-
SSDEEP
12288:FvLDhgtIO1ogNfJEoohlHr8yfu52/BCP04:BLDOFCLHGY/sJ
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 1 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe"C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exeC:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe"C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exeC:\Users\Admin\AppData\Local\Temp\b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1645⤵
- Program crash
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143.1MB
MD52c71a6befc78eda6e30aebd104f32f61
SHA1a1527d33b6d582b9f610ed8b27ab6b5f7f37312b
SHA25616cb86c7f6183dd4426db19cfb1a6796eb3cd3d2551e24df4aa18be2cedf5755
SHA5127a214ba0711588c7734860d65a48c28f481b1a4340a4b5d0aed4394c501644edf82b5ee685cad2a870ddb033344aa19773a6a2b8ff94a20204bb5d1794d851b6
-
Filesize
304KB
-
Filesize
256KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
208KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
512KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB