Resubmissions

28-07-2024 18:23

240728-w1kdtsxcll 10

28-07-2024 16:49

240728-vbwj5axckg 10

General

  • Target

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe

  • Size

    72KB

  • Sample

    240728-vbwj5axckg

  • MD5

    fcb76d19b9003bd5522c6da0703175d5

  • SHA1

    99b5b69c4c3c6946162c1239ddbfa6e366cce3e3

  • SHA256

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea

  • SHA512

    dc08946159c732d367fa9a2f603eca3ec994eb37c962141bdf91bdd39f136998d560ba45ed307db4527386f85db4c002682d7b55b7a880d345ef613afd49fdce

  • SSDEEP

    1536:lNeRBl5PT/rx1mzwRMSTdLpJSVJaaw38x6S3hT3GCq2iW7z:lQRrmzwR5J7UthDGCH

Malware Config

Targets

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (296) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks