phobos | d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7 | Triage

Sharing

General

Target

9824d07cea51069c0042eff0e46d1ad2.exe
Size

312KB
Sample

231013-df63zsbf8w
MD5

9824d07cea51069c0042eff0e46d1ad2
SHA1

70ef130a8f88076dc671ab9873b2a3a3c45818fc
SHA256

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7
SHA512

6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9
SSDEEP

6144:XAo4v3KmeRDWs0cSsm42PWB1vEtf8h81dZgjvxbtIGnWSPgYYshfnmU3H1l5Fy4:XGimeAs0cuvuB14I9JWfWnNl

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  9824d07cea51069c0042eff0e46d1ad2.exe
- Size
  
  312KB
- MD5
  
  9824d07cea51069c0042eff0e46d1ad2
- SHA1
  
  70ef130a8f88076dc671ab9873b2a3a3c45818fc
- SHA256
  
  d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7
- SHA512
  
  6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9
- SSDEEP
  
  6144:XAo4v3KmeRDWs0cSsm42PWB1vEtf8h81dZgjvxbtIGnWSPgYYshfnmU3H1l5Fy4:XGimeAs0cuvuB14I9JWfWnNl
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (169) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomwarespywarestealer

behavioral2

phobosevasionpersistenceransomware