Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/12/2022, 18:35

General

  • Target

    4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a.exe

  • Size

    56KB

  • MD5

    c5d5171d5af7b55de4056c8ef928b6d2

  • SHA1

    62f92ae34f886ae7c77f5c3eaf52fecdb00d6b77

  • SHA256

    4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a

  • SHA512

    af700712dfd0ed80217326ab7c4d3dd41bbe7620ea1abfcbba40e1233933fa206663c1fd08467fce3793e975c8c216ce0c882d5780fc5e364e24c0e483a7e24a

  • SSDEEP

    768:GvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwykIrI8OAeMm:INeRBl5PT/rx1mzwRMSTdLpJwyBQ0m

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message AFD5013C-3351 If you do not receive a response within 24 hours, please contact us by Telegram.org account: @Stop_24 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a.exe
    "C:\Users\Admin\AppData\Local\Temp\4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a.exe
      "C:\Users\Admin\AppData\Local\Temp\4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a.exe"
      2⤵
        PID:4604
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:756
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4876
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4656
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3412
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:4192
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:908
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:1496
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:1252
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:2768
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3424
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:1152
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3688
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:4912
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:1820
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                3⤵
                • Deletes backup catalog
                PID:5108
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4628
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3484
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4936
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:3496
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:3744

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\Desktop\info.hta

                    Filesize

                    5KB

                    MD5

                    f22187ac34e27701a5ca28503087ccb5

                    SHA1

                    bf4ae61d07e04e4a3c47e4feb3f21c6a98c6fa8a

                    SHA256

                    52cd7790cd24d44697a416eaafe1ae1e8231f81019bef327248c403697ea6104

                    SHA512

                    a4066d764a8faa9b169e51e33006ffb1b97c74babc51a206984326c3b952efc0c194ac68e1f5098772366fdbfff97e6586a39611f4e6e871ef4ac6413fd8b84b

                  • C:\info.hta

                    Filesize

                    5KB

                    MD5

                    f22187ac34e27701a5ca28503087ccb5

                    SHA1

                    bf4ae61d07e04e4a3c47e4feb3f21c6a98c6fa8a

                    SHA256

                    52cd7790cd24d44697a416eaafe1ae1e8231f81019bef327248c403697ea6104

                    SHA512

                    a4066d764a8faa9b169e51e33006ffb1b97c74babc51a206984326c3b952efc0c194ac68e1f5098772366fdbfff97e6586a39611f4e6e871ef4ac6413fd8b84b

                  • C:\users\public\desktop\info.hta

                    Filesize

                    5KB

                    MD5

                    f22187ac34e27701a5ca28503087ccb5

                    SHA1

                    bf4ae61d07e04e4a3c47e4feb3f21c6a98c6fa8a

                    SHA256

                    52cd7790cd24d44697a416eaafe1ae1e8231f81019bef327248c403697ea6104

                    SHA512

                    a4066d764a8faa9b169e51e33006ffb1b97c74babc51a206984326c3b952efc0c194ac68e1f5098772366fdbfff97e6586a39611f4e6e871ef4ac6413fd8b84b