Analysis

  • max time kernel
    161s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 00:34

General

  • Target: 9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
  • Size: 1.7MB
  • MD5: a6ab201ae407fbe4a5da5f20dc38412b
  • SHA1: b3f8caf67f36730ad87031d206db91c861980615
  • SHA256: 9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
  • SHA512: eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
  • SSDEEP: 24576:fp1vJ+VbHGsD+KBrdrDeZYeGMqrK5Nt9Z64JrQTwkMZddfy6Tsqp+RjfMst:x3KpyJrQTwo6Tszgs

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (346) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
    "C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
      C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
      2⤵
      PID:1540
    • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
      C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
        "C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          4⤵
          PID:4424
        • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          4⤵
          PID:1140
        • C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          C:\Users\Admin\AppData\Local\Temp\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe
          4⤵
          PID:4432
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          • Modifies Windows Firewall
          PID:4944
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          • Modifies Windows Firewall
          PID:4476
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2688
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4224
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4008
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2920
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3092
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2144
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[13C09B8D-3483].[[email protected]].8base
    Filesize: 2.7MB
    MD5: e62020cea36f01900e4752d612cb24f2
    SHA1: 9fb0925611053562897db4c1b4dfd120121c6e23
    SHA256: 9909247f37001105ebefb861df178e286936e0b61674216e02efe2aae8399e88
    SHA512: d2205a787559cffc6f619bc2892869780856b7507c06437bb12f0e2d73fd9d783f582bd4167e05f22de5ae21603c40d0d581eba55dcb149a1a424b1e3767fc47

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf.exe.log
    Filesize: 927B
    MD5: 4a911455784f74e368a4c2c7876d76f4
    SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
    SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
    SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

  • memory/392-39-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-2088-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-2064-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-1001-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-428-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-7-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-10-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-11-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-30-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-41-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-37-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-36-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-34-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-32-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/392-50-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/1920-15-0x0000000005A50000-0x0000000005A60000-memory.dmp
    Filesize: 64KB

  • memory/1920-14-0x0000000074910000-0x00000000750C0000-memory.dmp
    Filesize: 7.7MB

  • memory/1920-19-0x0000000074910000-0x00000000750C0000-memory.dmp
    Filesize: 7.7MB

  • memory/4432-20-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/4592-3-0x0000000005420000-0x0000000005430000-memory.dmp
    Filesize: 64KB

  • memory/4592-4-0x00000000054A0000-0x00000000054D4000-memory.dmp
    Filesize: 208KB

  • memory/4592-0-0x0000000074870000-0x0000000075020000-memory.dmp
    Filesize: 7.7MB

  • memory/4592-2-0x00000000053C0000-0x0000000005406000-memory.dmp
    Filesize: 280KB

  • memory/4592-12-0x0000000074870000-0x0000000075020000-memory.dmp
    Filesize: 7.7MB

  • memory/4592-1-0x0000000000800000-0x00000000009B2000-memory.dmp
    Filesize: 1.7MB

  • memory/4592-6-0x0000000005B50000-0x00000000060F4000-memory.dmp
    Filesize: 5.6MB

  • memory/4592-5-0x00000000054E0000-0x000000000552C000-memory.dmp
    Filesize: 304KB