Extracted

• • Target

    426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33

  • Size

    22KB

  • MD5

    fe4409bf10488b02442cadeb85e000d2

  • SHA1

    17125f4ece6483933eb6646a16cd2859389a938a

  • SHA256

    426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33

  • SHA512

    ad75086c169d9680d87283de9726dca9721d8746377f5144f7385a7522bee42eacda2b0037426751e79593ac2a0c76207dd906d08ac4188716fb5c73c86e5227

  • SSDEEP

    384:AKlevd/K/C9tqsXdt2tH5cLun2Y7WUNS4VF/J9/iuJsMOawaW0E1JPTp8gF5iz:AKlQ/mGtfYSL+2Y7x4UF/J96SxOdarCm

  Score

  10^/10

  phobosevasionpersistenceransomware

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (116) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Blocklisted process makes network request

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral1behavioral2