phobos | da24e2d56eb8bf572abc67c2ba3ef64d0bac9fdda0f9a11132b10fac12343aaf | Triage

Sharing

General

Target

da24e2d56eb8bf572abc67c2ba3ef64d0bac9fdda0f9a11132b10fac12343aaf
Size

57KB
Sample

221011-haz5psaedk
MD5

2bc3c9bdeb39b4586b128fbb596994fc
SHA1

04ae20aebd7eebaac3f83f4246aecf427ddb50c0
SHA256

da24e2d56eb8bf572abc67c2ba3ef64d0bac9fdda0f9a11132b10fac12343aaf
SHA512

040a38d769766dd2c34f31a2d9018f55b7d668c18942de01121511510927506ee5caf35da4d21b773cbd4281c3c5f14064343f94bbd37ef422f5f68e8900d82b
SSDEEP

1536:TNeRBl5PT/rx1mzwRMSTdLpJYgL+THbh:TQRrmzwR5JAT7

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Targets

- Target
  
  da24e2d56eb8bf572abc67c2ba3ef64d0bac9fdda0f9a11132b10fac12343aaf
- Size
  
  57KB
- MD5
  
  2bc3c9bdeb39b4586b128fbb596994fc
- SHA1
  
  04ae20aebd7eebaac3f83f4246aecf427ddb50c0
- SHA256
  
  da24e2d56eb8bf572abc67c2ba3ef64d0bac9fdda0f9a11132b10fac12343aaf
- SHA512
  
  040a38d769766dd2c34f31a2d9018f55b7d668c18942de01121511510927506ee5caf35da4d21b773cbd4281c3c5f14064343f94bbd37ef422f5f68e8900d82b
- SSDEEP
  
  1536:TNeRBl5PT/rx1mzwRMSTdLpJYgL+THbh:TQRrmzwR5JAT7
Score

10^/10

phobos evasion persistence ransomware
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomware

behavioral2

phobosevasionpersistenceransomware