General

  • Target

    cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

  • Size

    55KB

  • Sample

    221103-jgk5ssffh6

  • MD5

    fd0ef924c1edc067cd2298024a7057b0

  • SHA1

    0a32d7600869f37f0fbe2a5c996cda5111d4a4d1

  • SHA256

    cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

  • SHA512

    275efb2d22ceaed29c4c4563782f648663ea752a6b08d4472ba12d29dc76c57b2120c3a5984d08f5a0ebdd3abf68e6ea8af1325ff9eb24830c43c8c489ad44c0

  • SSDEEP

    1536:HNeRBl5PT/rx1mzwRMSTdLpJ47kmvBMRM:HQRrmzwR5JWk2+

Malware Config

Targets

    • Target

      cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

    • Size

      55KB

    • MD5

      fd0ef924c1edc067cd2298024a7057b0

    • SHA1

      0a32d7600869f37f0fbe2a5c996cda5111d4a4d1

    • SHA256

      cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

    • SHA512

      275efb2d22ceaed29c4c4563782f648663ea752a6b08d4472ba12d29dc76c57b2120c3a5984d08f5a0ebdd3abf68e6ea8af1325ff9eb24830c43c8c489ad44c0

    • SSDEEP

      1536:HNeRBl5PT/rx1mzwRMSTdLpJ47kmvBMRM:HQRrmzwR5JWk2+

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks