Extracted

Extracted

• • Target

    992dad791a523f2c0a0b5a74c08e5573905f301d8891db0ed6e885face9ef0e2.exe

  • Size

    55KB

  • MD5

    ea0740178ed1d9c298816351d68ee859

  • SHA1

    bcf0db0e3ea2a96e776f49243d6c1c5080fcc364

  • SHA256

    992dad791a523f2c0a0b5a74c08e5573905f301d8891db0ed6e885face9ef0e2

  • SHA512

    ba1725eabf2d040a1e0d02b79f5501356ae9c0a0ac42a81a7fc70982cc837597431f59cce24673c13975c31c914ce77c51a937475b1b78b78cf611d394bdfbf2

  • SSDEEP

    1536:fNeRBl5PT/rx1mzwRMSTdLpJWaCN60YX/:fQRrmzwR5JEc

  Score

  10^/10

  phobosevasionpersistenceransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral1behavioral2