Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2023 02:06

General

  • Target

    c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715.exe

  • Size

    56KB

  • MD5

    c3ccde9c3fab53d5c749b2186e997bdc

  • SHA1

    b494a696f4edbbd3831163dfd0f1b5efc134d068

  • SHA256

    c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715

  • SHA512

    2b72d43c3eba735ed69807f858ff59685df91fb7012d7bd868a08f0563c00832310fe9d7d160d5b633bc49c1f1d4b7c20c6ab2d9a39eea33ff8d00b683ccb586

  • SSDEEP

    1536:SNeRBl5PT/rx1mzwRMSTdLpJcQvW5NoDXMmX9S/b8V:SQRrmzwR5JsNoDcmXI/b8V

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email <span class='mark'>[email protected]</span></div> <div class='bold'>Write this identifier in the header of your message <span class='mark'>716251C7-3327</span></div> <div> You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>We can decrypt 1 small, not important file as proof of decryption.</ul> <ul>1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files.</ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul>Write to us and we will instruct you how to buy Bitcoin</ul> <ul>Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin.</ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third-party software, this may lead to irreversible data loss.</li> <li>No one else will be able to return your files except us!</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email [email protected] Write this identifier in the header of your message 716251C7-3327 You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. Free decryption as guarantee We can decrypt 1 small, not important file as proof of decryption. 1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files. How to obtain Bitcoins Write to us and we will instruct you how to buy Bitcoin Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin. Attention! Do not rename encrypted files. Do not try to decrypt your data using third-party software, this may lead to irreversible data loss. No one else will be able to return your files except us!

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715.exe
    "C:\Users\Admin\AppData\Local\Temp\c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715.exe
      "C:\Users\Admin\AppData\Local\Temp\c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715.exe"
      2⤵
        PID:3220
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4632
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:628
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2236
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3928
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:4512
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:4408
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:3612
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:2664
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:2620
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:3972
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:276
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:3852
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1992
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:4304
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:3228
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                3⤵
                • Deletes backup catalog
                PID:3912
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5080
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4624
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:4016
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:536

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[716251C7-3327].[[email protected]].Devos

              Filesize

              3.2MB

              MD5

              6cc7b6894cf5e0eb136800fa0d7d9aaa

              SHA1

              3bc60684cd4ef6c2d1c846f4f2060786d3a250e0

              SHA256

              da46150b6ad2df108c33dad505428b910856787aed5f4204feca5fca881c2af9

              SHA512

              1cf953f1c3d7312baef5c75783758f27435d7af77be2d13d52b88ac4352833888f27dcdd93ac34b69724946c081fe2927b07d3a9044ed49431cae4240199f570

            • C:\Users\Admin\Desktop\info.hta

              Filesize

              4KB

              MD5

              b04dc8137ad20dd7c2d481791aa2a704

              SHA1

              3858490bb7362bba7dbca821b6d9e4c63deb43fd

              SHA256

              e69ec449e19beee148866553d40bde83e7fd80fc33341ee8be0f0e9ca3e0c97e

              SHA512

              0359ac84ff9802004a190116eb45edf88e3902d8232b085141a1b51f524ce49f5535015211d315fce11fd4e11bff4e9cb9fc4c24623d8797dec8bb95245966eb

            • C:\info.hta

              Filesize

              4KB

              MD5

              b04dc8137ad20dd7c2d481791aa2a704

              SHA1

              3858490bb7362bba7dbca821b6d9e4c63deb43fd

              SHA256

              e69ec449e19beee148866553d40bde83e7fd80fc33341ee8be0f0e9ca3e0c97e

              SHA512

              0359ac84ff9802004a190116eb45edf88e3902d8232b085141a1b51f524ce49f5535015211d315fce11fd4e11bff4e9cb9fc4c24623d8797dec8bb95245966eb

            • C:\info.hta

              Filesize

              4KB

              MD5

              b04dc8137ad20dd7c2d481791aa2a704

              SHA1

              3858490bb7362bba7dbca821b6d9e4c63deb43fd

              SHA256

              e69ec449e19beee148866553d40bde83e7fd80fc33341ee8be0f0e9ca3e0c97e

              SHA512

              0359ac84ff9802004a190116eb45edf88e3902d8232b085141a1b51f524ce49f5535015211d315fce11fd4e11bff4e9cb9fc4c24623d8797dec8bb95245966eb

            • C:\users\public\desktop\info.hta

              Filesize

              4KB

              MD5

              b04dc8137ad20dd7c2d481791aa2a704

              SHA1

              3858490bb7362bba7dbca821b6d9e4c63deb43fd

              SHA256

              e69ec449e19beee148866553d40bde83e7fd80fc33341ee8be0f0e9ca3e0c97e

              SHA512

              0359ac84ff9802004a190116eb45edf88e3902d8232b085141a1b51f524ce49f5535015211d315fce11fd4e11bff4e9cb9fc4c24623d8797dec8bb95245966eb