phobos | c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256

General

Target

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
Size

56KB
MD5

03ff3bba0065b0b29723f59c41890e45
SHA1

37bcd0bdcf97e436b54440627bee368800f4188e
SHA256

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256
SHA512

d28e52a5b1883aeb9863b21fa7a84aaa5731cff08c33b019e398d76a98a905eb6797eb92ff05445d20715f7f4d7273e1f55d86278e176c1d0722f40c37e0c1b2
SSDEEP

1536:CUNeRBl5PT/rx1mzwRMSTdLpJasHSW7E7oq5Mq:BQRrmzwR5J9HTeoqOq

Score

10^/10

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2484 bcdedit.exe
4656 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2356 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1012 netsh.exe
3240 netsh.exe

pid	process
2484	bcdedit.exe
4656	bcdedit.exe

pid	process
2356	wbadmin.exe

pid	process
1012	netsh.exe
3240	netsh.exe

Drops startup file 1 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256 = "C:\\Users\\Admin\\AppData\\Local\\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256 = "C:\\Users\\Admin\\AppData\\Local\\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Drops file in Program Files directory 17 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7zCon.sfx.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip.dll.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7z.exe.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip.chm.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[59F5F7FE-3352].[[email protected]].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

1568 vssadmin.exe

pid	process
1568	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

pid	process
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description pid process

Token: SeDebugPrivilege 1904 c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

description	pid	process
Token: SeDebugPrivilege	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.execmd.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 1296	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	cmd.exe
PID 1904 wrote to memory of 1572	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	cmd.exe
PID 1904 wrote to memory of 1572	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	cmd.exe
PID 1904 wrote to memory of 1296	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	cmd.exe
PID 1296 wrote to memory of 1012	1296	cmd.exe	netsh.exe
PID 1296 wrote to memory of 1012	1296	cmd.exe	netsh.exe
PID 1572 wrote to memory of 1568	1572	cmd.exe	vssadmin.exe
PID 1572 wrote to memory of 1568	1572	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
"C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
  "C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:920
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2484
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4656
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2356
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1012
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1900

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Direct Volume Access

1

T1006

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
65KB

MD5
e5f729728ef63949ee08cdb344e199a0

SHA1
39869fb44914a7aa172a48342d39dbdfbda4d65c

SHA256
ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2

SHA512
5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads