phobos | b1968b4be3f82fc26b1e2decdcb8f532915aed847603aeeaf254722bdd411d26

Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

Analysis

max time kernel
33s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Size

55KB
MD5

498ee5cf9c611ba7ed2379414d0bb010
SHA1

c4f779d08633a53e7a03c702eafbe3314055aa18
SHA256

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf
SHA512

8dad911c0b59485dafd6ddcf879774016f8d63690085d4840e422b44735e82140ad177e9e7663b6cc474214461693219142b55e93fd853a593925752fbaa2761
SSDEEP

1536:KNeRBl5PT/rx1mzwRMSTdLpJYXRBawzpK:KQRrmzwR5J4e

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1580 bcdedit.exe
848 bcdedit.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

752 netsh.exe
812 netsh.exe

pid	process
1580	bcdedit.exe
848	bcdedit.exe

pid	process
752	netsh.exe
812	netsh.exe

Drops startup file 1 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops file in Program Files directory 33 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7-zip.chm.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\descript.ion.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\History.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7-zip.dll.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\7z.exe.id[83C7453C-2874].[tolong80@protonmail.ch].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4068 vssadmin.exe

pid	process
4068	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

pid	process
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Token: SeBackupPrivilege	716	vssvc.exe
Token: SeRestorePrivilege	716	vssvc.exe
Token: SeAuditPrivilege	716	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.execmd.execmd.exe

description	pid	process	target process
PID 3840 wrote to memory of 2200	3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 3840 wrote to memory of 2200	3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 3840 wrote to memory of 1816	3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 3840 wrote to memory of 1816	3840	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 1816 wrote to memory of 752	1816	cmd.exe	netsh.exe
PID 1816 wrote to memory of 752	1816	cmd.exe	netsh.exe
PID 2200 wrote to memory of 4068	2200	cmd.exe	vssadmin.exe
PID 2200 wrote to memory of 4068	2200	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
"C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
"C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
2⤵
PID:4680

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4068

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:5096

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1580

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:752

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll
Filesize
65KB

MD5
e5f729728ef63949ee08cdb344e199a0

SHA1
39869fb44914a7aa172a48342d39dbdfbda4d65c

SHA256
ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2

SHA512
5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

Download Submit