Overview

overview

10

Static

static

3

lsess.exe

windows7-x64

10

lsess.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lsess.exe

  • Size

    55KB

  • MD5

    fd0ef924c1edc067cd2298024a7057b0

  • SHA1

    0a32d7600869f37f0fbe2a5c996cda5111d4a4d1

  • SHA256

    cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

  • SHA512

    275efb2d22ceaed29c4c4563782f648663ea752a6b08d4472ba12d29dc76c57b2120c3a5984d08f5a0ebdd3abf68e6ea8af1325ff9eb24830c43c8c489ad44c0

  • SSDEEP

    1536:HNeRBl5PT/rx1mzwRMSTdLpJ47kmvBMRM:HQRrmzwR5JWk2+

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\lsess.exe
    "C:\Users\Admin\AppData\Local\Temp\lsess.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\lsess.exe
      "C:\Users\Admin\AppData\Local\Temp\lsess.exe"
      2⤵
        PID:2904
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:2696
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:1236
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2704
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1936
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2292
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3000
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:112
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:536
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1920
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:496
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:696
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1984
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1940
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2700
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2696
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1648
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1672

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Indicator Removal

        3
        T1070

        File Deletion

        3
        T1070.004

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        2
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        4
        T1490

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[F9039F51-3413].[[email protected]].Elbie
          Filesize

          6.3MB

          MD5

          8d388a8b471269efc81a1234d74740fa

          SHA1

          9dd942b6b0d205628a69a072c157b7caa0894563

          SHA256

          4f200c8256de7da21a8c8e5fb2b9af21b799e93bc51a2d86fd6192038c6d5fd9

          SHA512

          397432f2d8b23d03b44e818715cfe4dcaff89b91a532992093057f9705b217e08d304b3c361d330536d8a57355970598a7d3770bacfa5bcadfec52bfca79f79b

          Download Submit
        • C:\info.hta
          Filesize

          4KB

          MD5

          8299b8b85e838bfc9d93c2d217528211

          SHA1

          cb5393f9c3cab29cb54944c1e44dbfe5da064560

          SHA256

          406a2665a1e53ce4723a738ef28323f338e1958e26478b6a3cf546a43d9a3389

          SHA512

          94a7a85a9fcdf4024fc083b408c5722fdb5fdd17f1a81ef8b20c2eebf0b1c21e68ebb23f373b857a77e6adbef6212f49beef9a29e7ce9e3cff17714a90b6eda0

          Download Submit