Overview

overview

10

Static

static

1.exe

windows7_x64

10

1.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-05-2021 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    62KB

  • MD5

    ab7b66ee5385cb473b9c15db3e239692

  • SHA1

    5875f07b7b8174284ca15e4d5f53942e0d736024

  • SHA256

    8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc

  • SHA512

    1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: nilaron@firemail.cc Write this ID in the title of your message B29913A8-3152 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: zezoxo@libertymail.net and togerpo@zohomail.eu For quick and convenient feedback, write to the online operator in the Telegram messenger: @zezoxo (The username of the Telegram account must be exactly the same as above.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!! How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Emails

nilaron@firemail.cc

zezoxo@libertymail.net

togerpo@zohomail.eu

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
        PID:376
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2232
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3916
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2068
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2084
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
            PID:3616
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            3⤵
              PID:2500
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:3928
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              2⤵
                PID:2240
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                2⤵
                  PID:2128
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2400
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    3⤵
                    • Interacts with shadow copies
                    PID:3920
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:772
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    3⤵
                    • Modifies boot configuration data using bcdedit
                    PID:276
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    3⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2224
                  • C:\Windows\system32\wbadmin.exe
                    wbadmin delete catalog -quiet
                    3⤵
                    • Deletes backup catalog
                    PID:576
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                1⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:808
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3932
              • C:\Windows\system32\wbengine.exe
                "C:\Windows\system32\wbengine.exe"
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1388
              • C:\Windows\System32\vdsldr.exe
                C:\Windows\System32\vdsldr.exe -Embedding
                1⤵
                  PID:272
                • C:\Windows\System32\vds.exe
                  C:\Windows\System32\vds.exe
                  1⤵
                  • Checks SCSI registry key(s)
                  PID:3396

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Command-Line Interface

                1
                T1059

                Persistence

                Modify Existing Service

                1
                T1031

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                File Deletion

                3
                T1107

                Modify Registry

                1
                T1112

                Credential Access

                Credentials in Files

                1
                T1081

                Discovery

                System Information Discovery

                2
                T1082

                Query Registry

                1
                T1012

                Peripheral Device Discovery

                1
                T1120

                Lateral Movement

                Collection

                Data from Local System

                1
                T1005

                Exfiltration

                Command and Control

                Impact

                Inhibit System Recovery

                4
                T1490

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\Desktop\info.hta
                  MD5

                  2e534a4f1167e481ad894fede301e02b

                  SHA1

                  a9809975a973910a6bf4377032b774fcb4563900

                  SHA256

                  d503f76f3f3c7683388e94d3c06192423fd07deac2bae4ad3f492c48165c820a

                  SHA512

                  7d20c5c56722042e78e6126eb92099c7eec343ba3992b55ce3afe9f59236dcd22be531a00e27ecb50b1e6aa43aa2344f60e5ab8eed7f67199520eaaf97ab9610

                  Download Submit
                • C:\info.hta
                  MD5

                  2e534a4f1167e481ad894fede301e02b

                  SHA1

                  a9809975a973910a6bf4377032b774fcb4563900

                  SHA256

                  d503f76f3f3c7683388e94d3c06192423fd07deac2bae4ad3f492c48165c820a

                  SHA512

                  7d20c5c56722042e78e6126eb92099c7eec343ba3992b55ce3afe9f59236dcd22be531a00e27ecb50b1e6aa43aa2344f60e5ab8eed7f67199520eaaf97ab9610

                  Download Submit
                • C:\users\public\desktop\info.hta
                  MD5

                  2e534a4f1167e481ad894fede301e02b

                  SHA1

                  a9809975a973910a6bf4377032b774fcb4563900

                  SHA256

                  d503f76f3f3c7683388e94d3c06192423fd07deac2bae4ad3f492c48165c820a

                  SHA512

                  7d20c5c56722042e78e6126eb92099c7eec343ba3992b55ce3afe9f59236dcd22be531a00e27ecb50b1e6aa43aa2344f60e5ab8eed7f67199520eaaf97ab9610

                  Download Submit
                • memory/276-133-0x0000000000000000-mapping.dmp
                  Download
                • memory/376-114-0x0000000000000000-mapping.dmp
                  Download
                • memory/576-135-0x0000000000000000-mapping.dmp
                  Download
                • memory/748-115-0x0000000000000000-mapping.dmp
                  Download
                • memory/772-132-0x0000000000000000-mapping.dmp
                  Download
                • memory/2068-122-0x0000000000000000-mapping.dmp
                  Download
                • memory/2084-123-0x0000000000000000-mapping.dmp
                  Download
                • memory/2128-128-0x0000000000000000-mapping.dmp
                  Download
                • memory/2224-134-0x0000000000000000-mapping.dmp
                  Download
                • memory/2232-117-0x0000000000000000-mapping.dmp
                  Download
                • memory/2240-125-0x0000000000000000-mapping.dmp
                  Download
                • memory/2400-129-0x0000000000000000-mapping.dmp
                  Download
                • memory/2500-119-0x0000000000000000-mapping.dmp
                  Download
                • memory/2728-120-0x0000000000000000-mapping.dmp
                  Download
                • memory/3276-116-0x0000000000000000-mapping.dmp
                  Download
                • memory/3616-118-0x0000000000000000-mapping.dmp
                  Download
                • memory/3916-121-0x0000000000000000-mapping.dmp
                  Download
                • memory/3920-131-0x0000000000000000-mapping.dmp
                  Download
                • memory/3928-124-0x0000000000000000-mapping.dmp
                  Download