Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2023 02:33

General

  • Target

    c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e.exe

  • Size

    57KB

  • MD5

    e76c5a5f3b8f69f6b390b812f24bb9af

  • SHA1

    107102c804bffc23c2c61f4ec7e554e0d8bbadbb

  • SHA256

    c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e

  • SHA512

    71570a395813b02ad1b25310c7fe6a9eae0ddce1e335c60ef4d23ab073c2566e7df4b15a9b69a2f76eb2cb9c29c89e4bb80d007b5c6a83a135802b10a4b98746

  • SSDEEP

    1536:xNeRBl5PT/rx1mzwRMSTdLpJGiEXk2PNtQ:xQRrmzwR5Jm00LQ

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All of your files have been encrypted. If you want to restore them, write to us by e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>2B089A14-3390</span></div> <div class='bold'>To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails:<span class='mark'>[email protected]</span> or [email protected]</div> <div class='bold'>For quick and convenient feedback, write to the online operator in the Wire messenger: <span class='mark'><a href='https://t.me/@zexor'>zexor</a></span>&ensp;(The username of the Wire account must be exactly the same as above,beware of fake accounts.)</div> <div class='bold'>You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.</span></div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption!</li> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third-party software, as this may result in irreversible data loss.</li> <li>Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return.</li> <li>!!! When contacting third parties, we do not give a guarantee for decryption of your files !!!</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

[email protected]</div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
All your files have been encrypted! All of your files have been encrypted. If you want to restore them, write to us by e-mail: [email protected] Write this ID in the title of your message 2B089A14-3390 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: [email protected] or [email protected] For quick and convenient feedback, write to the online operator in the Wire messenger: zexor (The username of the Wire account must be exactly the same as above,beware of fake accounts.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!!

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e.exe
    "C:\Users\Admin\AppData\Local\Temp\c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e.exe
      "C:\Users\Admin\AppData\Local\Temp\c6960bb3329175489959ec95de0a83a3bd5f206f8cd7f46633e34a0227973d0e.exe"
      2⤵
        PID:3452
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:4280
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:292
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4588
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:564
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4832
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4260
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1220
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:5040
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:1496
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:4248
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1644
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:2412
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4340
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:1752
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:1816
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                3⤵
                • Deletes backup catalog
                PID:1588
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3112
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1368
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:1532
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:1856

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2B089A14-3390].[[email protected]].fopra

              Filesize

              3.2MB

              MD5

              2d2ac0289367f3671d49f884a86c3dd2

              SHA1

              f148825cda3cddfe92fcb517134fb3b4c12924ee

              SHA256

              925c20b089d84c606f9eaa11a8d238a78e9988218b6a5cc77577be142873873d

              SHA512

              82a196240abcb4e99dc148d65fe0d2bb18daefea5b22405d2993eff1a8ada4f48ef234b1f9380b86bc9fa5664848192fe1c40a5d1e6ef06ec2e1c93ff51f957e

            • C:\Users\Admin\Desktop\info.hta

              Filesize

              5KB

              MD5

              e51b52d86be061f778c7274ffd993439

              SHA1

              ab9340d0fe2addbfd1f15885fcb381cb561bc1dd

              SHA256

              b344e49c1f89e6ed7a465a60f52a0246af8a48f4ddb3e18877f57eefb367d437

              SHA512

              978430efc34598f451e11ed58bc6af06f8c4033d5910fb65da56b7726953b49752798da25d80233a88dd0b9c691725b8fb767ec21daf68d39f6225c5d3cee7a1

            • C:\info.hta

              Filesize

              5KB

              MD5

              e51b52d86be061f778c7274ffd993439

              SHA1

              ab9340d0fe2addbfd1f15885fcb381cb561bc1dd

              SHA256

              b344e49c1f89e6ed7a465a60f52a0246af8a48f4ddb3e18877f57eefb367d437

              SHA512

              978430efc34598f451e11ed58bc6af06f8c4033d5910fb65da56b7726953b49752798da25d80233a88dd0b9c691725b8fb767ec21daf68d39f6225c5d3cee7a1

            • C:\info.hta

              Filesize

              5KB

              MD5

              e51b52d86be061f778c7274ffd993439

              SHA1

              ab9340d0fe2addbfd1f15885fcb381cb561bc1dd

              SHA256

              b344e49c1f89e6ed7a465a60f52a0246af8a48f4ddb3e18877f57eefb367d437

              SHA512

              978430efc34598f451e11ed58bc6af06f8c4033d5910fb65da56b7726953b49752798da25d80233a88dd0b9c691725b8fb767ec21daf68d39f6225c5d3cee7a1

            • C:\users\public\desktop\info.hta

              Filesize

              5KB

              MD5

              e51b52d86be061f778c7274ffd993439

              SHA1

              ab9340d0fe2addbfd1f15885fcb381cb561bc1dd

              SHA256

              b344e49c1f89e6ed7a465a60f52a0246af8a48f4ddb3e18877f57eefb367d437

              SHA512

              978430efc34598f451e11ed58bc6af06f8c4033d5910fb65da56b7726953b49752798da25d80233a88dd0b9c691725b8fb767ec21daf68d39f6225c5d3cee7a1