Overview

overview

10

Static

static

1cestart.exe

windows7-x64

10

1cestart.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    89de605a720680233ddcdcd6d8fdd55f4b349e444aa416e2da924623d75979d6

  • Size

    36KB

  • Sample

    221027-ntfs3abhh9

  • MD5

    ba3cb3d8a6cfd99d439182777eecad65

  • SHA1

    aa782d669ef961e30b0426c93ffbaf19d6ff317b

  • SHA256

    89de605a720680233ddcdcd6d8fdd55f4b349e444aa416e2da924623d75979d6

  • SHA512

    45cc8a3d5a88bb228a1059dc94589cdb94195a7441669384c9379ce88ba0da09b041938f93473570aff6c9ef7bfca1701a65901b120d6254686ff219f45adf41

  • SSDEEP

    768:pRdv8WTq2axpsLy4JjYwD6AheFcI2iUBes+Dbl2oFilObJXZ:pRdvLqrALfJEcP1esKb3rVXZ

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
!!!All of your files are encrypted and downloaded files!!! All your files (contacts, clients, accounting, sql, base, payments and other documents with share) are downloaded to our servers, if you do not make contact, they will be distributed to the public and local media will also be informed. If you want to restore them, write us to the e-mail: [email protected] Write this ID in the title of your message D4409462-3349 Our online operator is available in the messenger Telegram: @restoredata77 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
!!!All of your files are encrypted and downloaded files!!! All your files (contacts, clients, accounting, sql, base, payments and other documents with share) are downloaded to our servers, if you do not make contact, they will be distributed to the public and local media will also be informed. If you want to restore them, write us to the e-mail: [email protected] Write this ID in the title of your message 73802803-3349 Our online operator is available in the messenger Telegram: @restoredata77 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      1cestart.exe

    • Size

      56KB

    • MD5

      bdb207908c7c6b2a7724250f0805ffbe

    • SHA1

      c815ea8d2b4657d9583ed99f8f264704bd12aa9b

    • SHA256

      8f757ae6b2d10afe86a399af9bc93438aec71e083ca7ad0e163a7e459831619d

    • SHA512

      cf91315fd7a4f70067483aeefbf4e4b2f61af82fa6f409f867ab526a4d175489601878f33a5e480adf574ac9dd53e154fb20efde6a918767cc9aeca815b13fa5

    • SSDEEP

      1536:yNeRBl5PT/rx1mzwRMSTdLpJGcbXobO1uwwDBr:yQRrmzwR5JHXl1uT9

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks