phobos | b0b7a65f4821d5c9e8c782ee5ccca1c1a6a05236c27a4a136eb370302db2b35e | Triage

Sharing

General

Target

f709d1f84e4f0a845ebb4a9fb1500aa2a9fd600e97cbea32ffc3e49c1084f467
Size

279KB
Sample

231013-pdhhdshd4w
MD5

8f13309c2e611b456b7e50448b67358d
SHA1

19752d3739931f4018e261b90778c513038d1c53
SHA256

b0b7a65f4821d5c9e8c782ee5ccca1c1a6a05236c27a4a136eb370302db2b35e
SHA512

bec192b8599d09098c6496cba08eb4d4a9bbe3631dbf036f84256e27594175e05c49fc6bb8fbbe624fe3e868812ed7e2780be0a3b74394c68b181e7544d75c12
SSDEEP

6144:mUKek+88/VoSSlt6bZUSHu8cL1G18grxLO3u2yjQDXyczl2:h/1P/Svl8bqSHAL1GSgrKu28aXG

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Targets

- Target
  
  f709d1f84e4f0a845ebb4a9fb1500aa2a9fd600e97cbea32ffc3e49c1084f467
- Size
  
  414KB
- MD5
  
  d8b6ce65fe360d7cd880237fe445de24
- SHA1
  
  c0a29ad9ade648cca94e67b0dca6f7814202dda5
- SHA256
  
  f709d1f84e4f0a845ebb4a9fb1500aa2a9fd600e97cbea32ffc3e49c1084f467
- SHA512
  
  aa3b50bfc26da4a4b34a7d81daf9b9928a7116252dfe1c0f7999ac114c1895d38f7df6b5938efbd7f60b7c8a6ce34aeb645628e1a57178a62645c874377d4824
- SSDEEP
  
  6144:tEidtIJgPmKItsSTBr6hZUSPu8cL1G18grxLOZu2yjQDr9oHSMGFcZ6OMuW:tTIJgKslhqSPAL1GSgrSu28a5GSFcZ
Score

10^/10

phobos evasion persistence ransomware
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (78) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (96) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomware

behavioral2

phobosevasionpersistenceransomware