Overview

overview

10

Static

static

executable.exe

windows7-x64

10

executable.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    executable.exe

  • Size

    59KB

  • Sample

    220926-lvxrvsada9

  • MD5

    e522012832258c2a249ec2d47ae6466b

  • SHA1

    801b3409be244e0002c39a7ea1ae9dad983d57a8

  • SHA256

    928b382e4ace76bdd1dd260ae5c8b832d724e07ae72ff665406ac2e599aff3e3

  • SHA512

    33737b79a7f8989c7999dea94d2c5fb03f3c8fc91b94b1cbced391cf1db3c8ea1321f7b21391f711b4ef36bb6a46c92f0036f524b336fb791e903265af0704df

  • SSDEEP

    1536:NNeRBl5PT/rx1mzwRMSTdLpJcBSW1kXWFe8:NQRrmzwR5JISW1kX

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
Hello my dear friend. All your files have been encrypted! Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted. The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us to this e-mail: [email protected] In case of no answer in 24 hours write us to this e-mail: [email protected] Our online operator is available in the messenger Telegram: @Files_decrypt or https://t.me/Files_decrypt If there is no response from our mail, you can install ICQ software on your PC here https://icq.com/windows/ or on smartphone from Appstore / Google Play Market search for "ICQ" Write to our ICQ @Ransomware_Decrypt https://icq.im/Ransomware_Decrypt/ Or download the (Session) messenger (https://getsession.org) in messenger: 0569a7c0949434c9c4464cf2423f66d046e3e08654e4164404b1dc23783096d313 You have to add this ID E7171302-3373 and we will complete our converstion. Or download the Tox Chat (https://tox.chat/download.html') in messenger: C20A4B4AC30BBF70E7F2340FC0F97B08FA58B6E041557ABBF29EAF82FED0C47D79239FA26B51 You must add this ID E7171302-3373 and write to us. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. Your Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: Employees personal data, CVs, DL, SSN. Complete network map including credentials for local and remote services. Private financial information including: clients data, bills, budgets, annual reports, bank statements. Manufacturing documents including: datagrams, schemas, drawings in solidworks format And more... Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption.
URLs

https://t.me/Files_decrypt

https://icq.com/windows/

https://icq.im/Ransomware_Decrypt/

https://getsession.org

https://tox.chat/download.html

Extracted

Path

C:\info.hta

Ransom Note
Hello my dear friend. All your files have been encrypted! Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted. The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us to this e-mail: [email protected] In case of no answer in 24 hours write us to this e-mail: [email protected] Our online operator is available in the messenger Telegram: @Files_decrypt or https://t.me/Files_decrypt If there is no response from our mail, you can install ICQ software on your PC here https://icq.com/windows/ or on smartphone from Appstore / Google Play Market search for "ICQ" Write to our ICQ @Ransomware_Decrypt https://icq.im/Ransomware_Decrypt/ Or download the (Session) messenger (https://getsession.org) in messenger: 0569a7c0949434c9c4464cf2423f66d046e3e08654e4164404b1dc23783096d313 You have to add this ID D48DB28D-3373 and we will complete our converstion. Or download the Tox Chat (https://tox.chat/download.html') in messenger: C20A4B4AC30BBF70E7F2340FC0F97B08FA58B6E041557ABBF29EAF82FED0C47D79239FA26B51 You must add this ID D48DB28D-3373 and write to us. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. Your Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: Employees personal data, CVs, DL, SSN. Complete network map including credentials for local and remote services. Private financial information including: clients data, bills, budgets, annual reports, bank statements. Manufacturing documents including: datagrams, schemas, drawings in solidworks format And more... Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption.
URLs

https://t.me/Files_decrypt

https://icq.com/windows/

https://icq.im/Ransomware_Decrypt/

https://getsession.org

https://tox.chat/download.html

Targets

    • Target

      executable.exe

    • Size

      59KB

    • MD5

      e522012832258c2a249ec2d47ae6466b

    • SHA1

      801b3409be244e0002c39a7ea1ae9dad983d57a8

    • SHA256

      928b382e4ace76bdd1dd260ae5c8b832d724e07ae72ff665406ac2e599aff3e3

    • SHA512

      33737b79a7f8989c7999dea94d2c5fb03f3c8fc91b94b1cbced391cf1db3c8ea1321f7b21391f711b4ef36bb6a46c92f0036f524b336fb791e903265af0704df

    • SSDEEP

      1536:NNeRBl5PT/rx1mzwRMSTdLpJcBSW1kXWFe8:NQRrmzwR5JISW1kX

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks