General

  • Target

    7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8

  • Size

    549KB

  • Sample

    231012-jawyqadh7z

  • MD5

    40a2a330dece024db63f275748eb3d7a

  • SHA1

    97508bbbff47aa06a381ff80428b8578d4daafb5

  • SHA256

    7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8

  • SHA512

    dcec48482463a960d47ea93b655dfec3ca88561fab3648b5ab8a8e7253a59d282c7cd4392daec9d3c95ebe9fb5265961705433c2374f6ffe2348123e586ed0a4

  • SSDEEP

    12288:yVthvdMSOXfbbOPFErVy0MRRp1o6tD5B:k3FMFXfXOPmRy0Wp1Ft

Malware Config

Targets

    • Target

      7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8

    • Size

      549KB

    • MD5

      40a2a330dece024db63f275748eb3d7a

    • SHA1

      97508bbbff47aa06a381ff80428b8578d4daafb5

    • SHA256

      7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8

    • SHA512

      dcec48482463a960d47ea93b655dfec3ca88561fab3648b5ab8a8e7253a59d282c7cd4392daec9d3c95ebe9fb5265961705433c2374f6ffe2348123e586ed0a4

    • SSDEEP

      12288:yVthvdMSOXfbbOPFErVy0MRRp1o6tD5B:k3FMFXfXOPmRy0Wp1Ft

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (90) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks