General

  • Target

    1.bin

  • Size

    8.1MB

  • Sample

    220402-fat8caegcp

  • MD5

    72ad5cebf69de22b971997bb261ef519

  • SHA1

    27aef0b7214b93b44cbeab76af1dd39db3d938fd

  • SHA256

    1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1

  • SHA512

    a4879dae60d580b3fad31311ae64acdc92604164cc95bd721a4a789c66791c5586eac3922e621c33aab5f919ad92e68ef6cbbc43b3d4857b547e627855bcefe8

Malware Config

Targets

    • Target

      1.bin

    • Size

      8.1MB

    • MD5

      72ad5cebf69de22b971997bb261ef519

    • SHA1

      27aef0b7214b93b44cbeab76af1dd39db3d938fd

    • SHA256

      1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1

    • SHA512

      a4879dae60d580b3fad31311ae64acdc92604164cc95bd721a4a789c66791c5586eac3922e621c33aab5f919ad92e68ef6cbbc43b3d4857b547e627855bcefe8

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    • Babadeda Crypter

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks