Overview

overview

10

Static

static

3

wikilab.exe

windows7-x64

10

wikilab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    238s
  • max time network
    255s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2024 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wikilab.exe

  • Size

    55KB

  • MD5

    88389a265bd9b1e9c59fb7053cf45b07

  • SHA1

    900b980b7ef5bbbc6a255cffd66900fb68802c25

  • SHA256

    f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd

  • SHA512

    da2ebf446db76590834e3b8e828e3895e0febdfa0ee34627b5c6c18cc10ccb85b83dd0410789845c980984eb1021a6c7050ebf1cbfd04e1ce904e0e40113e932

  • SSDEEP

    1536:ENeRBl5PT/rx1mzwRMSTdLpJMGl5dPZjlkWBFj:EQRrmzwR5J1VPZiW

Score
10/10
phobosevasionpersistenceransomware

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\wikilab.exe
    "C:\Users\Admin\AppData\Local\Temp\wikilab.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\wikilab.exe
      "C:\Users\Admin\AppData\Local\Temp\wikilab.exe"
      2⤵
        PID:556
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4672
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:3620
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[0B86E84F-3232].[[email protected]].eking
      Filesize

      512KB

      MD5

      d9cde65100a6d5efb796800fd32ee973

      SHA1

      a162ab9ab8aade43711448fd382b3aad1dcc21ad

      SHA256

      93a4d21754eb1258ae721d6943e93dfb50c9c663954aeab5c757c772f071383e

      SHA512

      bfe832026b0347e0744b42c4165affecd035938e64cc9aa9e73828f20c45d6301b4f392b5308b93b02ab4c06810d05e7aed4d6c715698d8ffcf7a92eb7fecb97

      Download Submit