Overview

overview

10

Static

static

9704a4959e...8d.exe

windows7-x64

10

9704a4959e...8d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

  • Size

    56KB

  • Sample

    221220-wxlgqaae84

  • MD5

    8cffb643c8773ff71c8879fe20074f71

  • SHA1

    4ed2f6d803b03262becdc6045f04aca8a4fd5c4c

  • SHA256

    9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d

  • SHA512

    c3e8913c95f527e00f41488fa48285e297af014d01ef2a8d2f9fccdf7f7ce7c23bfcc6cad9128892fb80d8f6181e32427b9dd6bf247638788333e1dca9c01769

  • SSDEEP

    1536:gNeRBl5PT/rx1mzwRMSTdLpJ0ifl+/wA1rK:gQRrmzwR5JkwAE

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email [email protected] If you have not received a response within 24 hours, write to us at Jabber: [email protected] Write this ID in the title of your message 76D89E15-3327 You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. Free decryption as guarantee We can decrypt 1 small, not important file as proof of decryption. 1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files. How to obtain Bitcoins Write to us and we will instruct you how to buy Bitcoin Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin. Jabber client installation instructions: Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click "Add" In the "Protocol" field, select XMPP In "Username" - come up with any name In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im Create a password At the bottom, put a tick "Create account" Click add If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, this may lead to irreversible data loss. No one else will be able to return your files except us!
URLs

https://pidgin.im/download/windows/

Extracted

Path

C:\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email [email protected] If you have not received a response within 24 hours, write to us at Jabber: [email protected] Write this ID in the title of your message 8DC9F4D6-3327 You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. Free decryption as guarantee We can decrypt 1 small, not important file as proof of decryption. 1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files. How to obtain Bitcoins Write to us and we will instruct you how to buy Bitcoin Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin. Jabber client installation instructions: Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click "Add" In the "Protocol" field, select XMPP In "Username" - come up with any name In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im Create a password At the bottom, put a tick "Create account" Click add If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, this may lead to irreversible data loss. No one else will be able to return your files except us!
URLs

https://pidgin.im/download/windows/

Targets

    • Target

      9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

    • Size

      56KB

    • MD5

      8cffb643c8773ff71c8879fe20074f71

    • SHA1

      4ed2f6d803b03262becdc6045f04aca8a4fd5c4c

    • SHA256

      9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d

    • SHA512

      c3e8913c95f527e00f41488fa48285e297af014d01ef2a8d2f9fccdf7f7ce7c23bfcc6cad9128892fb80d8f6181e32427b9dd6bf247638788333e1dca9c01769

    • SSDEEP

      1536:gNeRBl5PT/rx1mzwRMSTdLpJ0ifl+/wA1rK:gQRrmzwR5JkwAE

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks