Analysis

  • max time kernel
    171s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-03-2024 21:18

General

  • Target

    b.exe

  • Size

    281KB

  • MD5

    2809e15a3a54484e042fe65fffd17409

  • SHA1

    4a8f0331abaf8f629b3c8220f0d55339cfa30223

  • SHA256

    518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

  • SHA512

    698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

  • SSDEEP

    3072:D5IwIMZKkczttW5ivhjqKO1I9Goh6F4mAqeormMkpCWlunhNGA5yjszVIEe9:NIMsztZZ+KQqGo5QfmLpCoun6W

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (118) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b.exe
    "C:\Users\Admin\AppData\Local\Temp\b.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\b.exe
      "C:\Users\Admin\AppData\Local\Temp\b.exe"
      2⤵
        PID:4604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 460
          3⤵
          • Program crash
          PID:3888
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1020
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1556
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3136
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2720
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:3924
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:4732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4604 -ip 4604
      1⤵
        PID:100
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1948
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (1) T1059
  • Persistence
    Create or Modify System Process (1) T1543
      Windows Service (1) T1543.003
    Boot or Logon Autostart Execution (1) T1547
      Registry Run Keys / Startup Folder (1) T1547.001
  • Privilege Escalation
    Create or Modify System Process (1) T1543
      Windows Service (1) T1543.003
    Boot or Logon Autostart Execution (1) T1547
      Registry Run Keys / Startup Folder (1) T1547.001
  • Defense Evasion
    Indicator Removal (3) T1070
      File Deletion (3) T1070.004
    Impair Defenses (1) T1562
      Disable or Modify System Firewall (1) T1562.004
    Modify Registry (1) T1112
  • Credential Access
    Unsecured Credentials (1) T1552
      Credentials In Files (1) T1552.001
  • Discovery
    Query Registry (2) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (1) T1005
  • Impact
    Inhibit System Recovery (4) T1490


        Downloads

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[8F96111C-3483].[[email protected]].8base
          Filesize

          2.7MB

          MD5

          fe16992248b8614c45c0284d57508f2e

          SHA1

          15ed8e15f85617b322b54711e3d4567426fe6ef2

          SHA256

          7d9378864a157a2c87663ccbc0253290fab95c792da5463d80562191f20fe890

          SHA512

          d8fcfc6712b68506230b4e8e81a0620eb6fb14037978be5d32d6a3a2e68a3c1ab2d0dd3f30572a2cda62734ea4aabc0b451ee805a36173b3fdbf96ec0b9385f5

        • memory/3860-1515-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-2198-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-3-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-234-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-2215-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-1-0x0000000000A90000-0x0000000000AA5000-memory.dmp
          Filesize

          84KB

        • memory/3860-209-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-244-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-2253-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-2-0x0000000002690000-0x000000000269F000-memory.dmp
          Filesize

          60KB

        • memory/3860-219-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-524-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-661-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-1265-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-0-0x0000000000A90000-0x0000000000AA5000-memory.dmp
          Filesize

          84KB

        • memory/3860-2143-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-2186-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/3860-241-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/4604-6-0x0000000000400000-0x000000000092B000-memory.dmp
          Filesize

          5.2MB

        • memory/4604-5-0x0000000002450000-0x000000000245F000-memory.dmp
          Filesize

          60KB