phobos | aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

General

Target

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
Size

664KB
MD5

acf73cf8ddfb182b8559779f8a165e49
SHA1

d944a1bc327f26b8c17345d04986ef0437d85484
SHA256

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef
SHA512

284a26b9165b58c9a531364bb7609abdc38868efd38878b0cdf78bed45ef0ee73a83719ec972ee86416dddc0e9ab698ed387537e12c9aed75d81ad817a3c8fd0

Score

10^/10

phobos discovery evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1928 netsh.exe
1724 netsh.exe

pid	process
1928	netsh.exe
1724	netsh.exe

Drops startup file 1 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef = "C:\\Users\\Admin\\AppData\\Local\\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef = "C:\\Users\\Admin\\AppData\\Local\\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 1 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3762437355-3468409815-1164039494-1000\desktop.ini	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	pid	process	target process
PID 1172 set thread context of 1476	1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1992 set thread context of 1700	1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

pid	process
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

pid	process
1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.execmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 1476	1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1172 wrote to memory of 1476	1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1172 wrote to memory of 1476	1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1172 wrote to memory of 1476	1172	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1992 wrote to memory of 1700	1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1992 wrote to memory of 1700	1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1992 wrote to memory of 1700	1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1992 wrote to memory of 1700	1992	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 1476 wrote to memory of 1440	1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 1476 wrote to memory of 1440	1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 1476 wrote to memory of 1440	1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 1476 wrote to memory of 1440	1476	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 1440 wrote to memory of 1928	1440	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1928	1440	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1928	1440	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1724	1440	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1724	1440	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1724	1440	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
"C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
  C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
    "C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
      C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
      4⤵
      PID:1700
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:1928
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-57-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1172-59-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1172-60-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1172-61-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1172-56-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1440-78-0x0000000000000000-mapping.dmp

Download
memory/1476-58-0x000000000049B019-mapping.dmp

Download
memory/1476-63-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1476-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1476-69-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1476-70-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1700-74-0x000000000049B019-mapping.dmp

Download
memory/1700-87-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1700-88-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1700-89-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1724-91-0x0000000000000000-mapping.dmp

Download
memory/1928-79-0x0000000000000000-mapping.dmp

Download
memory/1928-90-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1992-76-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1992-77-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/1992-75-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads