Overview

overview

10

Static

static

8

426284b7de...3.xlam

windows7-x64

10

426284b7de...3.xlam

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33.zip

  • Size

    20KB

  • Sample

    240128-meb1wsgfb9

  • MD5

    3a28b596ff4e48fc9859b8055703d8a8

  • SHA1

    acdcc91dba45a0b2c50f2757bc84eb5f312e7c5c

  • SHA256

    4b0283887cb078283226d968eb5f33300d3eefd72faf0ca2e72f8421b1e67c94

  • SHA512

    8e79a5a6835bc2eec0a85bc96e5971697a3ae28d0092d62f7f22ede51a922bab485e88d9885743d656a0651ec55f2e4751bc8d6316bda3435a4eba7ee6e1a472

  • SSDEEP

    384:TBbOAhZYz8ydOqsOFiC3jiDIcswnl6mkkLi7BdlKa+dGkLsQirgFT:pNvYwcnnFV3j2QXXPO1LErgFT

Score
10/10
phobosevasionmacropersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT.txt

Targets

    • Target

      426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33

    • Size

      22KB

    • MD5

      fe4409bf10488b02442cadeb85e000d2

    • SHA1

      17125f4ece6483933eb6646a16cd2859389a938a

    • SHA256

      426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33

    • SHA512

      ad75086c169d9680d87283de9726dca9721d8746377f5144f7385a7522bee42eacda2b0037426751e79593ac2a0c76207dd906d08ac4188716fb5c73c86e5227

    • SSDEEP

      384:AKlevd/K/C9tqsXdt2tH5cLun2Y7WUNS4VF/J9/iuJsMOawaW0E1JPTp8gF5iz:AKlQ/mGtfYSL+2Y7x4UF/J96SxOdarCm

    Score
    10/10
    phobosevasionpersistenceransomware

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (116) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Resource Development

Reconnaissance

Tasks