Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2023 17:59

General

  • Target

    V1Fast.bin.exe

  • Size

    56KB

  • MD5

    c3ccde9c3fab53d5c749b2186e997bdc

  • SHA1

    b494a696f4edbbd3831163dfd0f1b5efc134d068

  • SHA256

    c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715

  • SHA512

    2b72d43c3eba735ed69807f858ff59685df91fb7012d7bd868a08f0563c00832310fe9d7d160d5b633bc49c1f1d4b7c20c6ab2d9a39eea33ff8d00b683ccb586

  • SSDEEP

    1536:SNeRBl5PT/rx1mzwRMSTdLpJcQvW5NoDXMmX9S/b8V:SQRrmzwR5JsNoDcmXI/b8V

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email <span class='mark'>[email protected]</span></div> <div class='bold'>Write this identifier in the header of your message <span class='mark'>C3D90E0E-3327</span></div> <div> You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>We can decrypt 1 small, not important file as proof of decryption.</ul> <ul>1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files.</ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul>Write to us and we will instruct you how to buy Bitcoin</ul> <ul>Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin.</ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third-party software, this may lead to irreversible data loss.</li> <li>No one else will be able to return your files except us!</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email [email protected] Write this identifier in the header of your message C3D90E0E-3327 You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. Free decryption as guarantee We can decrypt 1 small, not important file as proof of decryption. 1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files. How to obtain Bitcoins Write to us and we will instruct you how to buy Bitcoin Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin. Attention! Do not rename encrypted files. Do not try to decrypt your data using third-party software, this may lead to irreversible data loss. No one else will be able to return your files except us!

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"
      2⤵
        PID:1536
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4888
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4984
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3796
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:5064
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:5036
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:4264
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:3864
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:1580
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:4952
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:4716
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:792
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:1484
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1488
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:4812
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:4528
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                3⤵
                • Deletes backup catalog
                PID:3872
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3544
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4700
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:3724
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:1440

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C3D90E0E-3327].[[email protected]].Devos

              Filesize

              3.2MB

              MD5

              04a83410254c8043a9449485b446e99a

              SHA1

              7d88a29115a48b09ebcf149712ba489e464f5e4f

              SHA256

              2beac4524d54fc50181118b255fdcef902c729df7d2aec75221973262e6f2ae6

              SHA512

              5737b4748f0ed8636450dd9292588e6822cb35bb6b669be9325448caab23379a4c43b12f7247a6486208ac619b4e418c26e80e2c81a96b8446de3139f77bb9e1

            • C:\Users\Admin\Desktop\info.hta

              Filesize

              4KB

              MD5

              ac121023febf0e35bcb6c19cc8c35d4a

              SHA1

              e036f0293e0fa081293b26c61e901d5d70b9e699

              SHA256

              72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc

              SHA512

              64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

            • C:\info.hta

              Filesize

              4KB

              MD5

              ac121023febf0e35bcb6c19cc8c35d4a

              SHA1

              e036f0293e0fa081293b26c61e901d5d70b9e699

              SHA256

              72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc

              SHA512

              64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

            • C:\info.hta

              Filesize

              4KB

              MD5

              ac121023febf0e35bcb6c19cc8c35d4a

              SHA1

              e036f0293e0fa081293b26c61e901d5d70b9e699

              SHA256

              72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc

              SHA512

              64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

            • C:\users\public\desktop\info.hta

              Filesize

              4KB

              MD5

              ac121023febf0e35bcb6c19cc8c35d4a

              SHA1

              e036f0293e0fa081293b26c61e901d5d70b9e699

              SHA256

              72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc

              SHA512

              64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf