Analysis
-
max time kernel
7s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2023 21:42
Static task
static1
Behavioral task
behavioral1
Sample
ar.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ar.exe
Resource
win10v2004-20231020-en
General
-
Target
ar.exe
-
Size
56KB
-
MD5
ca960a5f89e3d82dc4dec752e912fdc3
-
SHA1
04b7b4939788b1055c0909eee3bc0e96cf483127
-
SHA256
b609555a43a2e1151f9ee7b028d0141034bfce25487ef2ec826d2af714e15ee5
-
SHA512
9615aa809568cadc119f415cf159ccbf835fbd62241293cdef9288a42c6c57c2a416d0b68f21e160432a01895eaf406025b3bd9bb0c9ae7e93ab934008a34689
-
SSDEEP
768:EvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwDXEkMd:ONeRBl5PT/rx1mzwRMSTdLpJwDzM
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 4044 bcdedit.exe 1920 bcdedit.exe -
Processes:
wbadmin.exepid process 3764 wbadmin.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
Processes:
ar.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ar.exe ar.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ar.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ar = "C:\\Users\\Admin\\AppData\\Local\\ar.exe" ar.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ar = "C:\\Users\\Admin\\AppData\\Local\\ar.exe" ar.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
ar.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-3350690463-3549324357-1323838019-1000\desktop.ini ar.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3350690463-3549324357-1323838019-1000\desktop.ini ar.exe -
Drops file in Program Files directory 19 IoCs
Processes:
ar.exedescription ioc process File opened for modification C:\Program Files\InstallHide.sql ar.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll ar.exe File opened for modification C:\Program Files\7-Zip\7z.dll.id[7542AD9F-3501].[[email protected]].faust ar.exe File opened for modification C:\Program Files\7-Zip\7z.sfx ar.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe ar.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm ar.exe File created C:\Program Files\7-Zip\7-zip.chm.id[7542AD9F-3501].[[email protected]].faust ar.exe File created C:\Program Files\7-Zip\7-zip.dll.id[7542AD9F-3501].[[email protected]].faust ar.exe File created C:\Program Files\7-Zip\7zG.exe.id[7542AD9F-3501].[[email protected]].faust ar.exe File opened for modification C:\Program Files\7-Zip\7z.exe ar.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx ar.exe File created C:\Program Files\7-Zip\7zCon.sfx.id[7542AD9F-3501].[[email protected]].faust ar.exe File created C:\Program Files\7-Zip\7zFM.exe.id[7542AD9F-3501].[[email protected]].faust ar.exe File opened for modification C:\Program Files\7-Zip\7zG.exe ar.exe File created C:\Program Files\InstallHide.sql.id[7542AD9F-3501].[[email protected]].faust ar.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll ar.exe File created C:\Program Files\7-Zip\7-zip32.dll.id[7542AD9F-3501].[[email protected]].faust ar.exe File created C:\Program Files\7-Zip\7z.exe.id[7542AD9F-3501].[[email protected]].faust ar.exe File created C:\Program Files\7-Zip\7z.sfx.id[7542AD9F-3501].[[email protected]].faust ar.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2680 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
ar.exepid process 4392 ar.exe 4392 ar.exe 4392 ar.exe 4392 ar.exe 4392 ar.exe 4392 ar.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ar.exedescription pid process Token: SeDebugPrivilege 4392 ar.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ar.execmd.execmd.exedescription pid process target process PID 4392 wrote to memory of 4312 4392 ar.exe cmd.exe PID 4392 wrote to memory of 4312 4392 ar.exe cmd.exe PID 4392 wrote to memory of 1604 4392 ar.exe cmd.exe PID 4392 wrote to memory of 1604 4392 ar.exe cmd.exe PID 1604 wrote to memory of 1608 1604 cmd.exe netsh.exe PID 1604 wrote to memory of 1608 1604 cmd.exe netsh.exe PID 4312 wrote to memory of 2680 4312 cmd.exe vssadmin.exe PID 4312 wrote to memory of 2680 4312 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ar.exe"C:\Users\Admin\AppData\Local\Temp\ar.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ar.exe"C:\Users\Admin\AppData\Local\Temp\ar.exe"2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\7-zip.chmFilesize
105KB
MD5c3da131680360820f9dfe4ec9ec6dac7
SHA16dc1dcae815fa4641e6cb1ca006a7a85060ecfe2
SHA25661bd3501384b5ffaa3ea51bd7398148fa533190da9dbc5df19c6d2a8820166e3
SHA512c60a047f622fa817c559cecd73099db6eb6dc646b5cc6a664fa167bcb01370e95d9c0734eaea3c2b03e54785796f5cff8fc851ac5316ef0e4bf2d7446306cd29
-
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.mdFilesize
2KB
MD5ddc4cb14453391bcb5f4d645b2916a6c
SHA1c4738d174c90c285e17bf51a9218256f45f96ea7
SHA2560c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb
SHA51234a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f
-
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txtFilesize
190B
MD5c5b7a97bda04c48435a145f2d1f9bb42
SHA1bd94219a79987af3e4d4ce45b07edc2230aaf655
SHA25607ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0
SHA5127eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80
-
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gifFilesize
153B
MD5d13b5ffdeb538f15ee1d30f2788601d5
SHA18dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA51258e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46
-
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xmlFilesize
744B
MD5809457c05fe696f5d34ac5ac8768cdd4
SHA1a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA2561b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA512cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44
-
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXKFilesize
114B
MD5301657e2669b4c76979a15f801cc2adf
SHA1f7430efc590e79b847ab97b6e429cd07ef886726
SHA256802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51
-
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXKFilesize
113B
MD5b9205d5c0a413e022f6c36d4bdfa0750
SHA1f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA5120e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.dbFilesize
24B
MD51681ffc6e046c7af98c9e6c232a3fe0a
SHA1d3399b7262fb56cb9ed053d68db9291c410839c4
SHA2569d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA51211bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5