Resubmissions

28-07-2024 16:33

240728-t2rheswfqd 10

26-07-2024 03:12

240726-dqpaxsshqq 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-07-2024 16:33

General

  • Target

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe

  • Size

    72KB

  • MD5

    fcb76d19b9003bd5522c6da0703175d5

  • SHA1

    99b5b69c4c3c6946162c1239ddbfa6e366cce3e3

  • SHA256

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea

  • SHA512

    dc08946159c732d367fa9a2f603eca3ec994eb37c962141bdf91bdd39f136998d560ba45ed307db4527386f85db4c002682d7b55b7a880d345ef613afd49fdce

  • SSDEEP

    1536:lNeRBl5PT/rx1mzwRMSTdLpJSVJaaw38x6S3hT3GCq2iW7z:lQRrmzwR5J7UthDGCH

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (129) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
      C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\419456aa.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1044
    • C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe"
      2⤵
      PID:388
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:4136
      • C:\Windows\system32\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:952
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3868
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3460
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2444
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:3956
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3620
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4908
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2948
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:284
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7z.exe
    • Filesize
      544KB
    • MD5
      26f7a83fcf6b31b786c91895d1bdf46e
    • SHA1
      ee774dde283164e3728f154a218de091f87d161f
    • SHA256
      3701a7e99b37d6738cf1406569b5b3a7aef28ef55ad7def4191ba57835d502d6
    • SHA512
      ffdf7aced2f86ca568eb13c1b44458b5336aefe5c8517c86d3171766f7694f7a6ba112a6ee3511eb50712b9f954d1c3de12e3e68259174efa8ad41f8d55c5991
  • C:\Program Files\7-Zip\Uninstall.exe
    • Filesize
      31KB
    • MD5
      50615dd05bb46aafc9490a7c48391314
    • SHA1
      d955e44ff63fda3f9b18f19aa72cbba43a5d8e44
    • SHA256
      4fa7abf3016b4fce22b2ef413654a5ef60fd6a75cce4b6e7aeedf3cf46dde806
    • SHA512
      db29f2204faeac580799cbd65346d83a7c74d5b7239dcd761287324f8aae27cafe7b7b19ab0a2d94580d34a74278faaab141a07e620699be4b96da36c8bd6e11
  • C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
    • Filesize
      2KB
    • MD5
      ddc4cb14453391bcb5f4d645b2916a6c
    • SHA1
      c4738d174c90c285e17bf51a9218256f45f96ea7
    • SHA256
      0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb
    • SHA512
      34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f
  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    • Filesize
      190B
    • MD5
      c5b7a97bda04c48435a145f2d1f9bb42
    • SHA1
      bd94219a79987af3e4d4ce45b07edc2230aaf655
    • SHA256
      07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0
    • SHA512
      7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80
  • C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
    • Filesize
      153B
    • MD5
      d13b5ffdeb538f15ee1d30f2788601d5
    • SHA1
      8dc4da8e4efca07472b08b618bc059dcbfd03efa
    • SHA256
      f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
    • SHA512
      58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46
  • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
    • Filesize
      744B
    • MD5
      809457c05fe696f5d34ac5ac8768cdd4
    • SHA1
      a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
    • SHA256
      1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
    • SHA512
      cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
    • Filesize
      72KB
    • MD5
      fcb76d19b9003bd5522c6da0703175d5
    • SHA1
      99b5b69c4c3c6946162c1239ddbfa6e366cce3e3
    • SHA256
      4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea
    • SHA512
      dc08946159c732d367fa9a2f603eca3ec994eb37c962141bdf91bdd39f136998d560ba45ed307db4527386f85db4c002682d7b55b7a880d345ef613afd49fdce
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
    • Filesize
      24B
    • MD5
      1681ffc6e046c7af98c9e6c232a3fe0a
    • SHA1
      d3399b7262fb56cb9ed053d68db9291c410839c4
    • SHA256
      9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
    • SHA512
      11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5
  • C:\Users\Admin\AppData\Local\Temp\419456aa.bat
    • Filesize
      187B
    • MD5
      5c0e77edb62ad93a40853e81a166a9a0
    • SHA1
      4b24dd74d7e7d287c0fe8f0ad2551593a1984505
    • SHA256
      400ab5aee17ce6aaf6c028fac83007795bf843464eae21b969a816a73cb2a345
    • SHA512
      85736e5a5b032da1e85dfef623be6b25dd0e4a93d6e13effbc2fcf6fa05c866c746c40cdcc1b68c7fb163b6bf65bbe89c2225688862b0a58d1d3ef1c7e4bb696
  • C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
    • Filesize
      15KB
    • MD5
      f7d21de5c4e81341eccd280c11ddcc9a
    • SHA1
      d4e9ef10d7685d491583c6fa93ae5d9105d815bd
    • SHA256
      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
    • SHA512
      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3
  • memory/388-7-0x0000000000E90000-0x0000000000EA8000-memory.dmp
    • Filesize
      96KB
  • memory/1828-1617-0x0000000000E90000-0x0000000000EA8000-memory.dmp
    • Filesize
      96KB
  • memory/1828-0-0x0000000000E90000-0x0000000000EA8000-memory.dmp
    • Filesize
      96KB
  • memory/4236-160-0x0000000000D40000-0x0000000000D49000-memory.dmp
    • Filesize
      36KB
  • memory/4236-5-0x0000000000D40000-0x0000000000D49000-memory.dmp
    • Filesize
      36KB
  • memory/4320-6666-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6706-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6705-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6704-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6703-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6702-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6707-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6708-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6665-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB
  • memory/4320-6664-0x00000243D3920000-0x00000243D3921000-memory.dmp
    • Filesize
      4KB