phobos | a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183

General

Target

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
Size

853KB
MD5

ede5bbc69594ab35cd44eead5dc73752
SHA1

32734225f02f0fd4a375313183b692900ee5eeea
SHA256

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
SHA512

22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c

Score

10^/10

phobos persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops startup file 1 IoCs

Processes:

ieinstal.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ieinstal.exe ieinstal.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ieinstal.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe"	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe"	ieinstal.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

ieinstal.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini ieinstal.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe

description	pid	process	target process
PID 1972 set thread context of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

996 vssadmin.exe

pid	process
996	vssadmin.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ieinstal.exe

pid	process
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe
1716	ieinstal.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ieinstal.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1716	ieinstal.exe
Token: SeBackupPrivilege	808	vssvc.exe
Token: SeRestorePrivilege	808	vssvc.exe
Token: SeAuditPrivilege	808	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exeieinstal.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1972 wrote to memory of 1716	1972	a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe	ieinstal.exe
PID 1716 wrote to memory of 1820	1716	ieinstal.exe	cmd.exe
PID 1716 wrote to memory of 1820	1716	ieinstal.exe	cmd.exe
PID 1716 wrote to memory of 1820	1716	ieinstal.exe	cmd.exe
PID 1716 wrote to memory of 1820	1716	ieinstal.exe	cmd.exe
PID 1820 wrote to memory of 996	1820	cmd.exe	vssadmin.exe
PID 1820 wrote to memory of 996	1820	cmd.exe	vssadmin.exe
PID 1820 wrote to memory of 996	1820	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe
"C:\Users\Admin\AppData\Local\Temp\a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
PID:1208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-64-0x0000000000000000-mapping.dmp

Download
memory/1716-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1716-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1716-58-0x0000000000402E94-mapping.dmp

Download
memory/1716-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1716-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1820-63-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads