Analysis Overview
SHA256
c78d3d8c7b9d6f3adb63d8b89fa87b7fd62d9fb8bb38e828d81e622c87fdfd32
Threat Level: Known bad
The file 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.zip was found to be: Known bad.
Malicious Activity Summary
Phobos
Deletes shadow copies
Renames multiple (63) files with added filename extension
Modifies Windows Firewall
Drops startup file
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-16 10:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 10:45
Reported
2024-03-16 10:46
Platform
win7-20240221-en
Max time kernel
18s
Max time network
19s
Command Line
Signatures
Phobos
Deletes shadow copies
Renames multiple (63) files with added filename extension
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe" | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe" | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
Drops file in Program Files directory
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
Network
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[7D017904-2803].[[email protected]].eight
| MD5 | a3394e8ecb543eb76f3f6c67cd371c8c |
| SHA1 | 94a532a66ecce833f2df50cd2e04ad8b32c90bfa |
| SHA256 | 16c59bb4aefe19f81cbd4cfd90c0eb6e99c2c478c5d3507d2750ef577f2a9efa |
| SHA512 | 8bd1a92808e16e6291fab41ce84964fe91a02dca95faef9aa5a512faa9a21d88d5e20c567c9628ddb67a6f85b1adc7b56e3e819ce4b3f5d43120a5bf8aae647b |
memory/2500-441-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2500-465-0x0000000140000000-0x00000001405E8000-memory.dmp