phobos | de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4 | Triage

Submit
Reports

Overview

overview

Static

static

de7350681f...e4.exe

windows7_x64

de7350681f...e4.exe

windows10-2004_x64

Sharing

General

Target

de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4
Size

195KB
Sample

220524-dffwssgfaq
MD5

e6d10e0728948343745188e29e9e4c0a
SHA1

e97a20c518c9ecbb2b05a52b815809224d418821
SHA256

de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4
SHA512

877b447fa337bd88b601ea7048ee76ee76afaec8749dd978d847827554571be9e18d22f4fa28b300b2317c61b30ca488c893458e00b3ac0f75bfb9121d422651

Score

10^/10

phobos evasion persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe

Resource

win7-20220414-en

phobos persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4.exe

Resource

win10v2004-20220414-en

phobos evasion persistence ransomware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4
- Size
  
  195KB
- MD5
  
  e6d10e0728948343745188e29e9e4c0a
- SHA1
  
  e97a20c518c9ecbb2b05a52b815809224d418821
- SHA256
  
  de7350681f5bacfaeceaff015c0ec34028ac1edaaec70ff4f3641006039d7de4
- SHA512
  
  877b447fa337bd88b601ea7048ee76ee76afaec8749dd978d847827554571be9e18d22f4fa28b300b2317c61b30ca488c893458e00b3ac0f75bfb9121d422651
Score

10^/10

phobos persistence ransomware evasion
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobospersistenceransomware

behavioral2

phobosevasionpersistenceransomware

© 2018-2024

Terms | Privacy