phobos | a7506f1c992044746b81bd99535fee967a9994bfd39800a4ef44dfc64aa1cadc | Triage

Sharing

General

Target

a7506f1c992044746b81bd99535fee967a9994bfd39800a4ef44dfc64aa1cadc
Size

56KB
Sample

221107-hvpjpsffeq
MD5

b0ff244e354382a1ba6ccc22fc7b88d0
SHA1

f1e9ff55206103b3b70d6ebd7cde83411ac16f02
SHA256

a7506f1c992044746b81bd99535fee967a9994bfd39800a4ef44dfc64aa1cadc
SHA512

bd9bb2164f927a39e7bb2a23a74ef0febad55b15999d43867d53bf335f35e799ea348edd0fd6ee778ff30a7ac09657ed6caeed125b86ab88d991227c110d10f6
SSDEEP

1536:BNeRBl5PT/rx1mzwRMSTdLpJSAP7BWlD:BQRrmzwR5JZVC

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Targets

- Target
  
  a7506f1c992044746b81bd99535fee967a9994bfd39800a4ef44dfc64aa1cadc
- Size
  
  56KB
- MD5
  
  b0ff244e354382a1ba6ccc22fc7b88d0
- SHA1
  
  f1e9ff55206103b3b70d6ebd7cde83411ac16f02
- SHA256
  
  a7506f1c992044746b81bd99535fee967a9994bfd39800a4ef44dfc64aa1cadc
- SHA512
  
  bd9bb2164f927a39e7bb2a23a74ef0febad55b15999d43867d53bf335f35e799ea348edd0fd6ee778ff30a7ac09657ed6caeed125b86ab88d991227c110d10f6
- SSDEEP
  
  1536:BNeRBl5PT/rx1mzwRMSTdLpJSAP7BWlD:BQRrmzwR5JZVC
Score

10^/10

phobos evasion persistence ransomware
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomware

behavioral2

phobosevasionpersistenceransomware