General

  • Target

    rundll64.exe

  • Size

    236KB

  • Sample

    230505-zrenrsgg4w

  • MD5

    4165a3dba3c7ac26b225f8623f70ebaa

  • SHA1

    587df43d63da7dfd726a4bb8f39877647cc07da0

  • SHA256

    523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976

  • SHA512

    43ad74651aad95f16bd17f6fea857534c6c6502cb0c06262092e7b10ab59a27b663565668d6fd4436c72a114f632ab6940fc4f1914d165eba7e5a8a8b5743b8e

  • SSDEEP

    6144:qb/A0SeQu0hL2cyBt2iOjese1HSCRhECwt6:q8D5P2ICsDCRhQ6

Malware Config

Targets

    • Target

      rundll64.exe

    • Size

      236KB

    • MD5

      4165a3dba3c7ac26b225f8623f70ebaa

    • SHA1

      587df43d63da7dfd726a4bb8f39877647cc07da0

    • SHA256

      523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976

    • SHA512

      43ad74651aad95f16bd17f6fea857534c6c6502cb0c06262092e7b10ab59a27b663565668d6fd4436c72a114f632ab6940fc4f1914d165eba7e5a8a8b5743b8e

    • SSDEEP

      6144:qb/A0SeQu0hL2cyBt2iOjese1HSCRhECwt6:q8D5P2ICsDCRhQ6

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks