General

  • Target

    AntiRecuvaAndDB.exe

  • Size

    58KB

  • Sample

    230614-m3xmhagb22

  • MD5

    d458a2f85bc1330f13acccd63d88d015

  • SHA1

    2604402597e41faa97db737fe0fb4166864752ad

  • SHA256

    0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446

  • SHA512

    5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99

  • SSDEEP

    1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/

Malware Config

Targets

    • Target

      AntiRecuvaAndDB.exe

    • Size

      58KB

    • MD5

      d458a2f85bc1330f13acccd63d88d015

    • SHA1

      2604402597e41faa97db737fe0fb4166864752ad

    • SHA256

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446

    • SHA512

      5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99

    • SSDEEP

      1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (465) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks