modiloader | a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183 | Triage

Submit
Reports

Overview

overview

Static

static

a76dbe766b...83.exe

windows7_x64

a76dbe766b...83.exe

windows10-2004_x64

Sharing

General

Target

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
Size

853KB
Sample

220520-3f1zeagha4
MD5

ede5bbc69594ab35cd44eead5dc73752
SHA1

32734225f02f0fd4a375313183b692900ee5eeea
SHA256

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
SHA512

22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c

Score

10^/10

modiloader phobos evasion persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe

Resource

win7-20220414-en

phobos persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe

Resource

win10v2004-20220414-en

phobos evasion persistence ransomware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
- Size
  
  853KB
- MD5
  
  ede5bbc69594ab35cd44eead5dc73752
- SHA1
  
  32734225f02f0fd4a375313183b692900ee5eeea
- SHA256
  
  a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
- SHA512
  
  22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c
Score

10^/10

phobos persistence ransomware evasion
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobospersistenceransomware

behavioral2

phobosevasionpersistenceransomware

© 2018-2024

Terms | Privacy