Overview

overview

10

Static

static

3

45de59851d...9f.exe

windows7-x64

10

45de59851d...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-07-2024 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

  • Size

    66KB

  • MD5

    87d6d2488b1260e70f4042bf1f292529

  • SHA1

    161f9a79f8197c9b5de1beb7bd4d425d5c23b45b

  • SHA256

    45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f

  • SHA512

    a9d3930de1ff5849e61d1807c6de4b063790dc03f7e4f3f2101cbddde55002ffcc85d2ff433b753a5936403feedbc93c0f3658ffb5e8051d00ba58641e6afda7

  • SSDEEP

    1536:/NeRBl5PT/rx1mzwRMSTdLpJy/jIlkugRGVy/SR1qo+tEgfNni:/QRrmzwR5JysFV12i

Score
10/10
phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (63) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
    "C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
      "C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
      2⤵
        PID:3464
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3548
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3324
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1468
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1552
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2468
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1048
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:888
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4328

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      2
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[C6692232-3483].[[email protected]].8base
        Filesize

        2.7MB

        MD5

        116d008a0f1e751d853f0f53ba148fe3

        SHA1

        bf4547ec4e8b0765b2d5852f04f4e81a04e3b66b

        SHA256

        2796973e3ba611826171cae6a782299bf1d0787a13cfa7cf46bad192759052de

        SHA512

        8d07503003a7b74f5c3664d2cf3b9b598c671c8090c8420c49972cd48fc2ed80a23ba7bd00d6ecad702a77012edb7dd51469f531d551fcd3b7e8a1b4eb772d01

        Download Submit