Overview

overview

10

Static

static

3

43f846c12c...fc.exe

windows7-x64

10

43f846c12c...fc.exe

windows10-2004-x64

10

Resubmissions

20-04-2024 11:55

240420-n3tfhsgg61 10

20-04-2024 11:12

240420-na6v5sfb59 10

Analysis

  • max time kernel
    516s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe

  • Size

    55KB

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\info.txt

Ransom Note
Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] or [email protected] or telegram acc - @phobos_support 5. if you need an alternative communication channel - write a request by e-mail 6. our goal is to return your data, but if you do not contact us, we will not succeed

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
    "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
      "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
      2⤵
        PID:2836
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1876
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:1640
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2420
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2300
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1376
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:412
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2068
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1928
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2236
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2308
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1780
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1604
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2804
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2792
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:2800
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          • Suspicious use of FindShellTrayWindow
          PID:2352
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:2664

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Indicator Removal

        3
        T1070

        File Deletion

        3
        T1070.004

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        2
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        4
        T1490

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[8687F67B-2822].[[email protected]].eight
          Filesize

          6.3MB

          MD5

          fec9f363338a0a18af924fbfde8f54e1

          SHA1

          d6d7bc302563814d806d871f086bbbb457ead0c2

          SHA256

          035e745af1152aaf4e96fc5930833eba2b7641e029610ca3f012f8c4eb35d013

          SHA512

          92c1d7f1cb6571e3c155f993605c53eff2daeb4c4de0cedc921c16ad6d4beeebc2740d3b5cfca92058bcf4dd18467771f6fe95c2fb3d40a35daca1006169aae5

          Download Submit
        • C:\Users\Public\Desktop\info.hta
          Filesize

          4KB

          MD5

          ab147b392041db54c5e5e087120edfcb

          SHA1

          880281c5777836ad5ce48243ba0521119add8e15

          SHA256

          08a7c1b65e09959f29be885ff848ee1eff5f835243dbfaebe9878dd5e9091be0

          SHA512

          c52d964684e4ec3cce65aaabb300ad10d08d903fb6dabd9c57ab8561803c8312126d7bde02793d9b5770bedb36e60cf2526d270afa9d6c4bb064a0d1a3c4e5c5

          Download Submit
        • C:\Users\Public\Desktop\info.txt
          Filesize

          1022B

          MD5

          9759739b4f831310f978f6ae27d7daad

          SHA1

          9d5f2d3817dac06a738c2da001c09681782dfcc9

          SHA256

          141ece3c0893d25ab67f953e045802ac0f9e407d2d2185db8e44010e60d3a2aa

          SHA512

          4a96fe560bff541422439f3ff14dbc560b2f862d117aa4a966a4bd7aee50cdb3bf470ab1581d0171424c11c154eb4350bb856baad464c7d1f0ab9d3a410ce622

          Download Submit