phobos | b609555a43a2e1151f9ee7b028d0141034bfce25487ef2ec826d2af714e15ee5

General

Target

ar.exe
Size

56KB
MD5

ca960a5f89e3d82dc4dec752e912fdc3
SHA1

04b7b4939788b1055c0909eee3bc0e96cf483127
SHA256

b609555a43a2e1151f9ee7b028d0141034bfce25487ef2ec826d2af714e15ee5
SHA512

9615aa809568cadc119f415cf159ccbf835fbd62241293cdef9288a42c6c57c2a416d0b68f21e160432a01895eaf406025b3bd9bb0c9ae7e93ab934008a34689
SSDEEP

768:EvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwDXEkMd:ONeRBl5PT/rx1mzwRMSTdLpJwDzM

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4044 bcdedit.exe
1920 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3764 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1608 netsh.exe
2480 netsh.exe
Drops startup file 1 IoCs

Processes:

ar.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ar.exe ar.exe

pid	process
4044	bcdedit.exe
1920	bcdedit.exe

pid	process
3764	wbadmin.exe

pid	process
1608	netsh.exe
2480	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ar.exe	ar.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ar.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ar = "C:\\Users\\Admin\\AppData\\Local\\ar.exe"	ar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ar = "C:\\Users\\Admin\\AppData\\Local\\ar.exe"	ar.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

ar.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3350690463-3549324357-1323838019-1000\desktop.ini	ar.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3350690463-3549324357-1323838019-1000\desktop.ini	ar.exe

Drops file in Program Files directory 19 IoCs

Processes:

ar.exe

description	ioc	process
File opened for modification	C:\Program Files\InstallHide.sql	ar.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	ar.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	ar.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ar.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	ar.exe
File created	C:\Program Files\7-Zip\7-zip.chm.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File created	C:\Program Files\7-Zip\7-zip.dll.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ar.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	ar.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ar.exe
File created	C:\Program Files\InstallHide.sql.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	ar.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File created	C:\Program Files\7-Zip\7z.exe.id[7542AD9F-3501].[[email protected]].faust	ar.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[7542AD9F-3501].[[email protected]].faust	ar.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2680 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ar.exe

pid process

4392 ar.exe
4392 ar.exe
4392 ar.exe
4392 ar.exe
4392 ar.exe
4392 ar.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ar.exe

description pid process

Token: SeDebugPrivilege 4392 ar.exe

pid	process
2680	vssadmin.exe

pid	process
4392	ar.exe
4392	ar.exe
4392	ar.exe
4392	ar.exe
4392	ar.exe
4392	ar.exe

description	pid	process
Token: SeDebugPrivilege	4392	ar.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ar.execmd.execmd.exe

description	pid	process	target process
PID 4392 wrote to memory of 4312	4392	ar.exe	cmd.exe
PID 4392 wrote to memory of 4312	4392	ar.exe	cmd.exe
PID 4392 wrote to memory of 1604	4392	ar.exe	cmd.exe
PID 4392 wrote to memory of 1604	4392	ar.exe	cmd.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	netsh.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	netsh.exe
PID 4312 wrote to memory of 2680	4312	cmd.exe	vssadmin.exe
PID 4312 wrote to memory of 2680	4312	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ar.exe
"C:\Users\Admin\AppData\Local\Temp\ar.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\ar.exe
"C:\Users\Admin\AppData\Local\Temp\ar.exe"
2⤵
PID:2372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1608

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2480

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:4588

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4044

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1920

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:5020

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm
Filesize
105KB

MD5
c3da131680360820f9dfe4ec9ec6dac7

SHA1
6dc1dcae815fa4641e6cb1ca006a7a85060ecfe2

SHA256
61bd3501384b5ffaa3ea51bd7398148fa533190da9dbc5df19c6d2a8820166e3

SHA512
c60a047f622fa817c559cecd73099db6eb6dc646b5cc6a664fa167bcb01370e95d9c0734eaea3c2b03e54785796f5cff8fc851ac5316ef0e4bf2d7446306cd29

Download Submit
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
Filesize
2KB

MD5
ddc4cb14453391bcb5f4d645b2916a6c

SHA1
c4738d174c90c285e17bf51a9218256f45f96ea7

SHA256
0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb

SHA512
34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
190B

MD5
c5b7a97bda04c48435a145f2d1f9bb42

SHA1
bd94219a79987af3e4d4ce45b07edc2230aaf655

SHA256
07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0

SHA512
7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
Filesize
153B

MD5
d13b5ffdeb538f15ee1d30f2788601d5

SHA1
8dc4da8e4efca07472b08b618bc059dcbfd03efa

SHA256
f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

SHA512
58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
Filesize
744B

MD5
809457c05fe696f5d34ac5ac8768cdd4

SHA1
a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9

SHA256
1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be

SHA512
cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK
Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK
Filesize
113B

MD5
b9205d5c0a413e022f6c36d4bdfa0750

SHA1
f16acd929b52b77b7dad02dbceff25992f4ba95e

SHA256
951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a

SHA512
0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads