Overview

overview

10

Static

static

3

43f846c12c...fc.exe

windows7-x64

10

43f846c12c...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe

  • Size

    55KB

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Score
10/10
phobosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (519) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
    "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
      "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
      2⤵
        PID:1052
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1536
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3140
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3008
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2088
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:4392
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:3472
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:3796
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:756
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:4952
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:100
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              2⤵
                PID:3280
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3680
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:2400
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4572
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2024
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:308
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  3⤵
                  • Deletes backup catalog
                  PID:4524
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1108
            • C:\Windows\system32\wbengine.exe
              "C:\Windows\system32\wbengine.exe"
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:380
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
                PID:2576
              • C:\Windows\System32\vds.exe
                C:\Windows\System32\vds.exe
                1⤵
                • Checks SCSI registry key(s)
                PID:3204
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                1⤵
                  PID:4360

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                Windows Management Instrumentation

                1
                T1047

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Defense Evasion

                Impair Defenses

                1
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Indicator Removal

                3
                T1070

                File Deletion

                3
                T1070.004

                Modify Registry

                1
                T1112

                Credential Access

                Unsecured Credentials

                1
                T1552

                Credentials In Files

                1
                T1552.001

                Discovery

                Peripheral Device Discovery

                1
                T1120

                Query Registry

                3
                T1012

                System Information Discovery

                3
                T1082

                Lateral Movement

                Collection

                Data from Local System

                1
                T1005

                Command and Control

                Exfiltration

                Impact

                Inhibit System Recovery

                4
                T1490

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[556B8F3E-2822].[[email protected]].eight
                  Filesize

                  2.7MB

                  MD5

                  23cd7259175db276877739fdc3ae0aa8

                  SHA1

                  3e84a267555be7bcc8bfac5792a313142e61f6cf

                  SHA256

                  a84dc9820d9ac5086945da20158cf89977d10822fc5d306f9970227953c7cbab

                  SHA512

                  facbfb35cd47bd86dca16ab75d4fb4e3b7981a95d4f180ea2066f78ffddfebd94e9999cdeb20e40d6a73355ff4f39ff60b1ca15b1373c24b017543c55a15aee1

                  Download Submit
                • C:\info.hta
                  Filesize

                  4KB

                  MD5

                  25842062144ad6c90de18aa88332fc5a

                  SHA1

                  02c89cdeabf8b1588755fe5fe584aede5cc9135b

                  SHA256

                  e0cdb3d54f9fbe73a8c21d0d62e6f9f6cf8ebc3ed42e3527dc3ae096c5849e17

                  SHA512

                  02a2a2235941e56cfbb9bacc697d59d230ce7f86412cc5ddbdfef1e0eacfae6d8a1d5536903369fa3a67a7310b4b81001501840ea09da4ed345a6b4122006ec2

                  Download Submit