Overview

overview

10

Static

static

lsass.exe

windows7_x64

10

lsass.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-05-2021 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lsass.exe

  • Size

    62KB

  • MD5

    ab7b66ee5385cb473b9c15db3e239692

  • SHA1

    5875f07b7b8174284ca15e4d5f53942e0d736024

  • SHA256

    8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc

  • SHA512

    1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: nilaron@firemail.cc Write this ID in the title of your message 97C1E0A6-3152 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: zezoxo@libertymail.net and togerpo@zohomail.eu For quick and convenient feedback, write to the online operator in the Telegram messenger: @zezoxo (The username of the Telegram account must be exactly the same as above.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!! How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Emails

nilaron@firemail.cc

zezoxo@libertymail.net

togerpo@zohomail.eu

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lsass.exe
    "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\lsass.exe
      "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
      2⤵
        PID:2036
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
            PID:1476
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            3⤵
              PID:956
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1440
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1768
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:1260
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:568
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              3⤵
              • Deletes backup catalog
              PID:996
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:1688
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:1396
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:668
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1132
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1260
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1796
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:1568
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:688
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              3⤵
              • Deletes backup catalog
              PID:1728
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1816
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:616
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:1540
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
              PID:1784

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Command-Line Interface

            1
            T1059

            Persistence

            Modify Existing Service

            1
            T1031

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            File Deletion

            3
            T1107

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Inhibit System Recovery

            4
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Desktop\info.hta
              MD5

              2d2fb9ba206c7ac0a0856d79375cc9ec

              SHA1

              e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6

              SHA256

              4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180

              SHA512

              fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c

              Download Submit
            • C:\info.hta
              MD5

              2d2fb9ba206c7ac0a0856d79375cc9ec

              SHA1

              e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6

              SHA256

              4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180

              SHA512

              fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c

              Download Submit
            • C:\users\public\desktop\info.hta
              MD5

              2d2fb9ba206c7ac0a0856d79375cc9ec

              SHA1

              e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6

              SHA256

              4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180

              SHA512

              fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c

              Download Submit
            • memory/568-71-0x0000000000000000-mapping.dmp
              Download
            • memory/668-76-0x0000000000000000-mapping.dmp
              Download
            • memory/688-85-0x0000000000000000-mapping.dmp
              Download
            • memory/956-67-0x0000000000000000-mapping.dmp
              Download
            • memory/996-72-0x0000000000000000-mapping.dmp
              Download
            • memory/1132-77-0x0000000000000000-mapping.dmp
              Download
            • memory/1192-63-0x0000000000000000-mapping.dmp
              Download
            • memory/1260-78-0x0000000000000000-mapping.dmp
              Download
            • memory/1260-70-0x0000000000000000-mapping.dmp
              Download
            • memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1396-75-0x0000000000000000-mapping.dmp
              Download
            • memory/1440-62-0x0000000000000000-mapping.dmp
              Download
            • memory/1476-66-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1476-64-0x0000000000000000-mapping.dmp
              Download
            • memory/1568-84-0x0000000000000000-mapping.dmp
              Download
            • memory/1604-69-0x0000000000000000-mapping.dmp
              Download
            • memory/1688-74-0x0000000000000000-mapping.dmp
              Download
            • memory/1728-86-0x0000000000000000-mapping.dmp
              Download
            • memory/1768-65-0x0000000000000000-mapping.dmp
              Download
            • memory/1796-79-0x0000000000000000-mapping.dmp
              Download