Resubmissions

21/02/2025, 10:40

250221-mqpfcszrfk 10

26/07/2021, 12:41

210726-386gy5xqax 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2025, 10:40

General

  • Target

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.exe

  • Size

    192KB

  • MD5

    eb5d46bf72a013bfc7c018169eb1739b

  • SHA1

    f55680a34521ef07c2b8dedd1b74a9927990485a

  • SHA256

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

  • SHA512

    b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

  • SSDEEP

    3072:NqRIVOgLw+7Evuahn9oVpORBqS3h1jHRWbDRaGZKMih4lMVHwz:NUIVOgLw+7Evu2nWsBqS3LjxWHR+Gh

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Phobos family
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Renames multiple (657) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.exe
    "C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.exe
      "C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4580
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1532
      • C:\Windows\system32\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:116
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1896
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3640
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4396
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[6AE639B4-2408].[[email protected]].Caleb

    Filesize

    2.7MB

    MD5

    e4fc8d9681efcc58585eff5143360b31

    SHA1

    2e39f7cabad3c8db9208b2786091d1ed6df54991

    SHA256

    7095d809a80cc42f72240fb52e09998f727cac405b28eff483054eefb8231f5c

    SHA512

    6521eaf3c1bf5683553b383f10ff72d0cc12a8b1c07783bed42acd8b8d230a2005717d8945b6e1c364d82bf0734fac4aaef832aec85fec1691f369aa11c77ac4

  • C:\info.hta

    Filesize

    4KB

    MD5

    d81fd4986b47479b573be7f5ed268328

    SHA1

    acd1f52774fc4e8404c0c5850844f77025499ab0

    SHA256

    b2d0c8526e12172576581722cbf3c849029c1ee72665a9407e7894126f58313c

    SHA512

    51e0402bac021cbaacf8aed2a25cf2ac74f0243fe84f9e93a6bbbad45ddb0fd25e8b8dd6a7e599050db441bc26ae118e55f774a1047527370e6f5ede6f13c7e8

  • memory/3944-0-0x0000000002080000-0x00000000020B0000-memory.dmp

    Filesize

    192KB

  • memory/3944-1-0x0000000002080000-0x00000000020B0000-memory.dmp

    Filesize

    192KB

  • memory/3944-2-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3944-1062-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3944-1361-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3944-5020-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3944-8624-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3944-13113-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3944-13316-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/4580-13317-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB