Overview

overview

10

Static

static

2d310cd281...90.exe

windows7-x64

10

2d310cd281...90.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2d310cd28162abfe2bc489e000fc1a9ca52f7d2b739f29be266d807439bced90

  • Size

    149KB

  • Sample

    221125-kkemvseb36

  • MD5

    24e0cf05d2d34b1e6efbc7949bd7aa1f

  • SHA1

    dfdf26d8de8f123dbfdc0b4d5a0a967aee454d9b

  • SHA256

    2d310cd28162abfe2bc489e000fc1a9ca52f7d2b739f29be266d807439bced90

  • SHA512

    5b0a000a3dc159de262de88d8721b766ced6424209ab136c5630c4cd0eb4fc0f7e14624b3f6fb08c2b775ab45402fe863975ae43b48c6b9775f67045f29773f2

  • SSDEEP

    3072:iMYxKXZHdlgQhA+zXuIDl33qMDqNfSwAk/GDbjXR4s4npu4:UOltfDl33BDsJAS8R4Xpu

Score
10/10
phobosevasionpersistenceransomwarerezer0

Malware Config

Targets

    • Target

      2d310cd28162abfe2bc489e000fc1a9ca52f7d2b739f29be266d807439bced90

    • Size

      149KB

    • MD5

      24e0cf05d2d34b1e6efbc7949bd7aa1f

    • SHA1

      dfdf26d8de8f123dbfdc0b4d5a0a967aee454d9b

    • SHA256

      2d310cd28162abfe2bc489e000fc1a9ca52f7d2b739f29be266d807439bced90

    • SHA512

      5b0a000a3dc159de262de88d8721b766ced6424209ab136c5630c4cd0eb4fc0f7e14624b3f6fb08c2b775ab45402fe863975ae43b48c6b9775f67045f29773f2

    • SSDEEP

      3072:iMYxKXZHdlgQhA+zXuIDl33qMDqNfSwAk/GDbjXR4s4npu4:UOltfDl33BDsJAS8R4Xpu

    Score
    10/10
    phobospersistenceransomwarerezer0evasion

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks