user@threatcheck.sh ~ threat-analysis

Ransom:Win32/Phobos!pz - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:Win32/Phobos!pz
Classification:
Type: Ransom
Platform: Win32
Family: Phobos
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: ransomware (encrypts files and demands payment) targeting the 32-bit Windows platform, family Phobos

Summary:

This is a concrete detection of Ransom:Win32/Phobos!pz, a highly destructive ransomware family designed to encrypt user files and demand ransom. The threat disables system recovery mechanisms (like Volume Shadow Copies and Windows Recovery), modifies firewall settings, and leverages various legitimate system tools such as PowerShell, BITS, MSHTA, Regsvr32, and Rundll32 for execution, persistence, and evasion.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - vssadmin delete shadows /all /quiet (PEHSTR)
 - netsh advfirewall set currentprofile state off (PEHSTR)
 - bcdedit /set {default} recoveryenabled no (PEHSTR)
 - bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR)
 - InitCommonControlsEx (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: mkp_nowin.exe
 - SHA-256: d2f2dcb52f79307c4f9745a169986ff1f2d5427fe4ba000efb458f7590176da6
 - Date: 21/12/2025
Remediation Steps:
Immediately isolate the infected system from the network to prevent further spread. Eradicate the ransomware by performing a full system scan with an updated antivirus, and if necessary, consider reimaging the affected machine. Restore data from secure, uninfected backups and investigate the initial infection vector to strengthen network defenses and prevent future compromises.
=== END REPORT ===
Analysis last updated: 21/12/2025