Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 16:11

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe

  • Size

    55KB

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (321) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
    "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe
      "C:\Users\Admin\AppData\Local\Temp\43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc.exe"
      2⤵
        PID:2148
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:324
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2940
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2496
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1332
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2628
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2224
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2124
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:228
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2164
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:1704
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1708
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:552
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:872
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2312
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1240
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3056
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:2532

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\info.hta

          Filesize

          4KB

          MD5

          f59a101b43c79ab0f4864f8485ce236f

          SHA1

          0a35f225d7f75470cf6af1524a12cc13220914e4

          SHA256

          08c1e8025586063e1c7c698944ff268d3536aba763337f478a4b2fa52a4e5a73

          SHA512

          125655ed3cc4d10cee126d2ca898c7a02a9e7088fe65fb79236782734f76923a5ad77ee50cfd72925bd371fec34e21c178e1ce7d2860235da46f1c8b085b91aa