Resubmissions

20-04-2024 11:55

240420-n3tfhsgg61 10

20-04-2024 11:12

240420-na6v5sfb59 10

Analysis

  • max time kernel
    1799s
  • max time network
    1801s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 11:55

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe

  • Size

    55KB

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (523) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
    "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
      "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
      2⤵
        PID:180
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3820
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1988
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1252
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3196
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:304
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:2000
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:460
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:3540
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:5500
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:3656
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              2⤵
                PID:4392
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3632
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:5776
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4456
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:4592
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:5736
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  3⤵
                  • Deletes backup catalog
                  PID:4296
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4632
            • C:\Windows\system32\wbengine.exe
              "C:\Windows\system32\wbengine.exe"
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3532
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
                PID:1324
              • C:\Windows\System32\vds.exe
                C:\Windows\System32\vds.exe
                1⤵
                • Checks SCSI registry key(s)
                PID:2292
              • C:\Windows\System32\WaaSMedicAgent.exe
                C:\Windows\System32\WaaSMedicAgent.exe 2b7173d71b5cc2df64965f9eee329797 dw0sDglxOUG5OVM917MhDA.0.1.0.0.0
                1⤵
                  PID:460
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                  1⤵
                    PID:3196
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                    1⤵
                      PID:5368
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                      1⤵
                        PID:4152

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Execution

                      Command and Scripting Interpreter

                      1
                      T1059

                      Persistence

                      Create or Modify System Process

                      1
                      T1543

                      Windows Service

                      1
                      T1543.003

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Privilege Escalation

                      Create or Modify System Process

                      1
                      T1543

                      Windows Service

                      1
                      T1543.003

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Defense Evasion

                      Indicator Removal

                      3
                      T1070

                      File Deletion

                      3
                      T1070.004

                      Impair Defenses

                      1
                      T1562

                      Disable or Modify System Firewall

                      1
                      T1562.004

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Unsecured Credentials

                      1
                      T1552

                      Credentials In Files

                      1
                      T1552.001

                      Discovery

                      Query Registry

                      3
                      T1012

                      System Information Discovery

                      3
                      T1082

                      Peripheral Device Discovery

                      1
                      T1120

                      Collection

                      Data from Local System

                      1
                      T1005

                      Impact

                      Inhibit System Recovery

                      4
                      T1490

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[4C1E254C-2822].[frankmoffit@aol.com].eight
                        Filesize

                        2.7MB

                        MD5

                        7dbbc55d58f46a7da8240d87bb8e80a2

                        SHA1

                        d532dbb29bced360bc8f7b65e59e2d4b7d265858

                        SHA256

                        a414d1e8d03678e768a7b70501de1374538cce4223e3673e6e235cadbf81ad73

                        SHA512

                        0a6ff48a99eb7de2cabf65c1f8aab44ec876e9dfa257cd116b6832e13beb1aa05c6befa49bf15061eabeb3bbfef44d185aa497db7545195b7d28a0b38f77127c

                      • C:\info.hta
                        Filesize

                        4KB

                        MD5

                        466bca1f2dc7a488d0b837bd1b9f0de9

                        SHA1

                        5e444d3eaa91392aea5a9619cf44f41de4c86fe0

                        SHA256

                        2b8481607f7b0d1096d5ed0cd8422248a7b94d003a862d7ed374056f33eeed8e

                        SHA512

                        d5d5ff90002921891c5082f92155ebb610858a2ede4bdb86882299262dae001dc1d7de438bb2360db5cd8b45446f6ded67169b0b2c3a1d8589823c22fece9050

                      • memory/4152-12498-0x000002224B440000-0x000002224B450000-memory.dmp
                        Filesize

                        64KB

                      • memory/4152-12514-0x000002224B540000-0x000002224B550000-memory.dmp
                        Filesize

                        64KB

                      • memory/4152-12533-0x0000022253770000-0x0000022253771000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12535-0x00000222538B0000-0x00000222538B1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12537-0x00000222538B0000-0x00000222538B1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12538-0x00000222538C0000-0x00000222538C1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12539-0x00000222538C0000-0x00000222538C1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12540-0x00000222538C0000-0x00000222538C1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12541-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12542-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12543-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12544-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12545-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12546-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12547-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12548-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12549-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12550-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12551-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12552-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12553-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12554-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12555-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12556-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12557-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12558-0x00000222538E0000-0x00000222538E1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12559-0x00000222538F0000-0x00000222538F1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12560-0x00000222538F0000-0x00000222538F1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12561-0x0000022253C00000-0x0000022253C01000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12562-0x0000022253950000-0x0000022253951000-memory.dmp
                        Filesize

                        4KB

                      • memory/4152-12563-0x0000022253950000-0x0000022253951000-memory.dmp
                        Filesize

                        4KB