Overview

overview

10

Static

static

svchost.exe

windows7-x64

10

svchost.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    svchost.donotopen

  • Size

    55KB

  • Sample

    220808-p7dfjadbf2

  • MD5

    95f685338ecc3926dfd2cd012f6be29e

  • SHA1

    6c63b931c54f9c0f25aeea1d759067f5fad6c1f1

  • SHA256

    46e1fdccfc5746e9c6ba561de9848eb36c051b6be9dc0d11dda69612ed9c6c76

  • SHA512

    05d0dbc82e443e666eb4f293bfe54f317e7b0322de5828af1b336e58542a95e2f67d27c2b704e10a0c2e101bbbb5a6f38eb3b325f506c7e359d0bd4491f6674e

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      svchost.donotopen

    • Size

      55KB

    • MD5

      95f685338ecc3926dfd2cd012f6be29e

    • SHA1

      6c63b931c54f9c0f25aeea1d759067f5fad6c1f1

    • SHA256

      46e1fdccfc5746e9c6ba561de9848eb36c051b6be9dc0d11dda69612ed9c6c76

    • SHA512

      05d0dbc82e443e666eb4f293bfe54f317e7b0322de5828af1b336e58542a95e2f67d27c2b704e10a0c2e101bbbb5a6f38eb3b325f506c7e359d0bd4491f6674e

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks