General
-
Target
202407035ec053bc341fb1b3504bd95b1bba7d71phobos
-
Size
57KB
-
Sample
240704-lb8d9awerh
-
MD5
5ec053bc341fb1b3504bd95b1bba7d71
-
SHA1
96bf10b3a9551f2812c1a0dff058c0229d71c5e7
-
SHA256
8f8d76d157e5e4dbd7210cb19ce27b3734147c430a534143c97b90c1f5e35249
-
SHA512
9066da52a37b164e8a75573ed289fb8b17539ad46a3f805fcd0e684dddcda6862744b371c6750f326c1aa138931e3e5c9d6b1a2849d3d2c98e6bbd76e50593cd
-
SSDEEP
768:uvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EyZ1nyqkShh/o:gNeRBl5PT/rx1mzwRMSTdLpJyZ1He9b
Static task
static1
Behavioral task
behavioral1
Sample
202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
C:\Users\Public\Desktop\info.hta
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span>
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Extracted
C:\info.hta
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span>
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Targets
-
-
Target
202407035ec053bc341fb1b3504bd95b1bba7d71phobos
-
Size
57KB
-
MD5
5ec053bc341fb1b3504bd95b1bba7d71
-
SHA1
96bf10b3a9551f2812c1a0dff058c0229d71c5e7
-
SHA256
8f8d76d157e5e4dbd7210cb19ce27b3734147c430a534143c97b90c1f5e35249
-
SHA512
9066da52a37b164e8a75573ed289fb8b17539ad46a3f805fcd0e684dddcda6862744b371c6750f326c1aa138931e3e5c9d6b1a2849d3d2c98e6bbd76e50593cd
-
SSDEEP
768:uvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EyZ1nyqkShh/o:gNeRBl5PT/rx1mzwRMSTdLpJyZ1He9b
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
2