phobos | 6b8a013b0f6223aa5984034cd7ea60a968860255658313386969bd5d15b6139b | Triage

Sharing

General

Target

2024-07-29_745c05bb7d78133a8b0fd74ac6526cfb_phobos
Size

50KB
Sample

240729-h7l94sserc
MD5

745c05bb7d78133a8b0fd74ac6526cfb
SHA1

a3b9060cd2677228478e1401cd35a6fbe6de01b7
SHA256

6b8a013b0f6223aa5984034cd7ea60a968860255658313386969bd5d15b6139b
SHA512

840800e9614d9cd7875c2d398d3a32f87fcfcb4a38feaa67cdf75b7383fe3cb6daf2e93deab67b10ffee02b83c5b6ab6da991dabfbb335ba427f06c61d3afb09
SSDEEP

768:ZvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1Er4bkCnrS3:jNeRBl5PT/rx1mzwRMSTdLpJr4bk6g

Score

10^/10

phobos defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Targets

- Target
  
  2024-07-29_745c05bb7d78133a8b0fd74ac6526cfb_phobos
- Size
  
  50KB
- MD5
  
  745c05bb7d78133a8b0fd74ac6526cfb
- SHA1
  
  a3b9060cd2677228478e1401cd35a6fbe6de01b7
- SHA256
  
  6b8a013b0f6223aa5984034cd7ea60a968860255658313386969bd5d15b6139b
- SHA512
  
  840800e9614d9cd7875c2d398d3a32f87fcfcb4a38feaa67cdf75b7383fe3cb6daf2e93deab67b10ffee02b83c5b6ab6da991dabfbb335ba427f06c61d3afb09
- SSDEEP
  
  768:ZvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1Er4bkCnrS3:jNeRBl5PT/rx1mzwRMSTdLpJr4bk6g
Score

10^/10

phobos defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (284) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Direct Volume Access

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

behavioral2

phobosdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer