Overview

overview

10

Static

static

3

43f846c12c...fc.exe

windows7-x64

10

43f846c12c...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe

  • Size

    55KB

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Score
10/10
phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (514) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
    "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
      "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
      2⤵
        PID:4804
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4804
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4776
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4028
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3444
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:5004
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:712
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3612
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:1760
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:4808
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:4548
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              2⤵
                PID:4484
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1080
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:1732
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3824
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:4496
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1780
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  3⤵
                  • Deletes backup catalog
                  PID:836
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1612
            • C:\Windows\system32\wbengine.exe
              "C:\Windows\system32\wbengine.exe"
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1528
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
                PID:116
              • C:\Windows\System32\vds.exe
                C:\Windows\System32\vds.exe
                1⤵
                • Checks SCSI registry key(s)
                PID:2588

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Command and Scripting Interpreter

              1
              T1059

              Windows Management Instrumentation

              1
              T1047

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Event Triggered Execution

              1
              T1546

              Netsh Helper DLL

              1
              T1546.007

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Event Triggered Execution

              1
              T1546

              Netsh Helper DLL

              1
              T1546.007

              Defense Evasion

              Direct Volume Access

              1
              T1006

              Impair Defenses

              1
              T1562

              Disable or Modify System Firewall

              1
              T1562.004

              Indicator Removal

              3
              T1070

              File Deletion

              3
              T1070.004

              Modify Registry

              1
              T1112

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Peripheral Device Discovery

              1
              T1120

              Query Registry

              3
              T1012

              System Information Discovery

              3
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Exfiltration

              Impact

              Inhibit System Recovery

              4
              T1490

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[AA79893D-2822].[[email protected]].eight
                Filesize

                2.7MB

                MD5

                73d32820e3376b0543f01c1abbcb789c

                SHA1

                ad7b735652092718c2fb6a3b58412dd75df3147c

                SHA256

                e9a593998901ec2a4f841f5cf901937f2a842940b28f5d3f3d0cd2d150921e92

                SHA512

                521c1ef930c71ac0895a20716914f45263fbab150d9080f69865ee5f55d4b59ea6a9da938aa25d7af556363c22e9ce58e4a256122484b0bba976f3206b072f07

                Download Submit
              • C:\info.hta
                Filesize

                4KB

                MD5

                9f80e1706127ba5e2ff798130b1b437f

                SHA1

                6203d072c137f2ca33a50728d968dfe948fd643b

                SHA256

                60b14f94b597f824ec5d545c3c6267194db68609a48beff1deb93ee94c53e5ef

                SHA512

                851f843461d50d830ea3ef9cd5aefdc41623173819c6390d02b6cc2f86587faeb4fc134d015c456688756d3b98a7be7d459c56e4701c8efddf9dc562a99e2eec

                Download Submit