phobos | ebbbc1d293ce864c83cf874c3f8051dd636bd1303f013d3fa0cc97eada3266ac

General

Target

1.exe
Size

56KB
MD5

207334ec40b616948c5670272ebc3037
SHA1

788910e883058ef9df86528a966528caf63eb29c
SHA256

ebbbc1d293ce864c83cf874c3f8051dd636bd1303f013d3fa0cc97eada3266ac
SHA512

c8c452737dd3399eadd7cce0a6b9bcd736d2dd226a5a0af21c360c6167a1d309c1e186199880998d9a017e2dec5a33846d70007814587824bae8cd2bd2c85e49
SSDEEP

1536:MNeRBl5PT/rx1mzwRMSTdLpJBH3T+rZz:MQRrmzwR5JVM

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2248 bcdedit.exe
1728 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4392 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1388 netsh.exe
4256 netsh.exe
Drops startup file 1 IoCs

Processes:

1.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\1.exe 1.exe

pid	process
2248	bcdedit.exe
1728	bcdedit.exe

pid	process
4392	wbadmin.exe

pid	process
1388	netsh.exe
4256	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\1.exe	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Local\\1.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Local\\1.exe"	1.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini	1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini	1.exe
File opened for modification	C:\Program Files\desktop.ini	1.exe

Drops file in Program Files directory 64 IoCs

Processes:

1.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	1.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	1.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui	1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui	1.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	1.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\verify.dll	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll	1.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	1.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprst.dll	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\glib-lite.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.id[8E3AD4BA-3344].[[email protected]].Elbie	1.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3904 vssadmin.exe

pid	process
3904	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

1.exe

pid	process
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe
4500	1.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

1.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4500	1.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1.execmd.execmd.exe

description	pid	process	target process
PID 4500 wrote to memory of 3448	4500	1.exe	cmd.exe
PID 4500 wrote to memory of 3448	4500	1.exe	cmd.exe
PID 4500 wrote to memory of 3544	4500	1.exe	cmd.exe
PID 4500 wrote to memory of 3544	4500	1.exe	cmd.exe
PID 3544 wrote to memory of 1388	3544	cmd.exe	netsh.exe
PID 3544 wrote to memory of 1388	3544	cmd.exe	netsh.exe
PID 3448 wrote to memory of 3904	3448	cmd.exe	vssadmin.exe
PID 3448 wrote to memory of 3904	3448	cmd.exe	vssadmin.exe
PID 3448 wrote to memory of 4192	3448	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 4192	3448	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 2248	3448	cmd.exe	bcdedit.exe
PID 3448 wrote to memory of 2248	3448	cmd.exe	bcdedit.exe
PID 3448 wrote to memory of 1728	3448	cmd.exe	bcdedit.exe
PID 3448 wrote to memory of 1728	3448	cmd.exe	bcdedit.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
PID:4908

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1388

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4256

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3904

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2248

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1728

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1332

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[8E3AD4BA-3344].[[email protected]].Elbie
Filesize
3.2MB

MD5
bd6feee01f47803f24626060e4ba3391

SHA1
5e21660f53f11250aa91e5e2b746c2540d647b4a

SHA256
400f1a855e224f785b54c4fb398dca5e35bfd02179c5f6431f484fb30d18c434

SHA512
59712eb60fc3d4993b5671d7848aa84d66c0e97c3727b18021688b43fb780bcacd6b27d415225fd4f5f6cc2e87631135552f877049b3885c3f6d4bdb2fefced7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads