Overview

overview

10

Static

static

phobos.exe

windows7-x64

10

phobos.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-08-2022 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    phobos.exe

  • Size

    71KB

  • MD5

    e59ffeaf7acb0c326e452fa30bb71a36

  • SHA1

    c88fad293256bfead6962124394de4f8b97765aa

  • SHA256

    a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

  • SHA512

    737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 595FC482-1096 If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Jabber client installation instructions: Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click "Add" In the "Protocol" field, select XMPP In "Username" - come up with any name In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im Create a password At the bottom, put a tick "Create account" Click add If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://pidgin.im/download/windows/

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\phobos.exe
    "C:\Users\Admin\AppData\Local\Temp\phobos.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\phobos.exe
      "C:\Users\Admin\AppData\Local\Temp\phobos.exe"
      2⤵
        PID:108
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1524
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:1544
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1764
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1512
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1328
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:900
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1812
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:304
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:940
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:976
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:860
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1524
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1528
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1688

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\info.hta
      Filesize

      6KB

      MD5

      116fcc9d261970ed3b0dcacdd15d65c4

      SHA1

      ee3c58ac8f1585f7735ee180074f09b5bbd08a12

      SHA256

      85409a74657a9f66293374a386f9e9bc0451014db08b5e9ca9b625af8c4c5a73

      SHA512

      da1a6ccd105cea80311538012b368ce872ecbc7feda132624ef69f59bab44c6667d74f3c52433ae8be7c70b5fe6aa486151bbaf3e8713020f0a93fb24404141d

      Download Submit

    • C:\info.hta
      Filesize

      6KB

      MD5

      116fcc9d261970ed3b0dcacdd15d65c4

      SHA1

      ee3c58ac8f1585f7735ee180074f09b5bbd08a12

      SHA256

      85409a74657a9f66293374a386f9e9bc0451014db08b5e9ca9b625af8c4c5a73

      SHA512

      da1a6ccd105cea80311538012b368ce872ecbc7feda132624ef69f59bab44c6667d74f3c52433ae8be7c70b5fe6aa486151bbaf3e8713020f0a93fb24404141d

      Download Submit

    • C:\users\public\desktop\info.hta
      Filesize

      6KB

      MD5

      116fcc9d261970ed3b0dcacdd15d65c4

      SHA1

      ee3c58ac8f1585f7735ee180074f09b5bbd08a12

      SHA256

      85409a74657a9f66293374a386f9e9bc0451014db08b5e9ca9b625af8c4c5a73

      SHA512

      da1a6ccd105cea80311538012b368ce872ecbc7feda132624ef69f59bab44c6667d74f3c52433ae8be7c70b5fe6aa486151bbaf3e8713020f0a93fb24404141d

      Download Submit

    • memory/304-71-0x0000000000000000-mapping.dmp

      Download

    • memory/792-58-0x0000000000000000-mapping.dmp

      Download

    • memory/860-79-0x0000000000000000-mapping.dmp

      Download

    • memory/900-66-0x0000000000000000-mapping.dmp

      Download

    • memory/940-73-0x0000000000000000-mapping.dmp

      Download

    • memory/976-78-0x0000000000000000-mapping.dmp

      Download

    • memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1324-77-0x0000000000000000-mapping.dmp

      Download

    • memory/1328-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1512-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1524-60-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1524-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1524-80-0x0000000000000000-mapping.dmp

      Download

    • memory/1528-81-0x0000000000000000-mapping.dmp

      Download

    • memory/1544-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1688-69-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1688-68-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1688-67-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1744-56-0x0000000000000000-mapping.dmp

      Download

    • memory/1764-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1812-70-0x0000000000000000-mapping.dmp

      Download