Analysis

  • max time kernel
    151s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-01-2024 15:27

General

  • Target

    19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe

  • Size

    145KB

  • MD5

    fd946ba0ca811f8f5cddba5c4634fd64

  • SHA1

    02536e5089857fd7421a50adb07fe871593d5b9f

  • SHA256

    19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c

  • SHA512

    b50b8bbd93bf00e9d89cadc99900211d5b7a3d3e0f5d450445435ea498ee58be80151f608912244f55e9ad2f907fa896f66389d987b8d3b1a470ad257d7414e8

  • SSDEEP

    3072:Tv/FR9m6kfHpVC1pY8iblkCIax6CdAje+QlLC+Q/eJRhz8Jmu+X:j/f9m6g42xqQVSD

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>phobos</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,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'> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>6ED41006-1130</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. 
After payment we will send you the decryption tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> <div class='footer'> <img src='data:image/png;base64,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' /> </div> </body> </html>
Emails

[email protected]

[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
    "C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
      "C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe"
      2⤵
        PID:2708
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2340
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:456
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:812
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2632
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:2696
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:2580
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1992
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2036
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2212
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1492
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1188
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2948
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1716
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
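The process tree above is the whole pre-encryption sequence of this sample: the child copy of the executable spawns cmd.exe to delete shadow copies (vssadmin, wmic), disable Windows recovery (bcdedit), turn off the host firewall (netsh), and then renders info.hta through mshta.exe. The Python below is an added detection example, not part of the sandbox report or of the sample. It re-types the report's command lines as constructed process-creation events (the parent PID of the initial sample process is not shown in the report and is set to a placeholder, 1000), runs them through a small rule set keyed to ATT&CK T1490 (Inhibit System Recovery), T1562.004 (Disable or Modify System Firewall) and T1218.005 (Mshta), and then groups hits by their root ancestor, so that a single process tree that both wipes shadow copies and kills the firewall stands out from a lone vssadmin run by an administrator.

```python
"""Flag the recovery-inhibition and defense-evasion commands seen in this report's
process tree.  Added example: rules and events are the editor's, not the sandbox's;
the event list is re-typed from the tree above."""
import re

# (technique, label, case-insensitive regex over the full command line).  Each pattern
# needs both the executable name and the destructive verb, so "vssadmin list shadows"
# or "bcdedit /enum" do not fire.
RULES = [
    ("T1490", "vssadmin deletes shadow copies",
     r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("T1490", "wmic deletes shadow copies",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("T1490", "bcdedit disables Windows recovery",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("T1562.004", "netsh disables the host firewall",
     r"\bnetsh(\.exe)?\b.*\b(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b"),
    ("T1218.005", "mshta renders a dropped .hta",
     r"\bmshta(\.exe)?\b.*\.hta\b"),
]

# Constructed process-creation events (pid, ppid, command line) mirroring the report.
# The parent of the first sample process is not in the report; 1000 is a placeholder.
# PID 3001 is a constructed benign process used as a control.
EVENTS = [
    (2412, 1000, r'"C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe"'),
    (2708, 2412, r'"C:\Users\Admin\AppData\Local\Temp\19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe"'),
    (2712, 2708, r'"C:\Windows\system32\cmd.exe"'),
    (2340, 2712, r'vssadmin delete shadows /all /quiet'),
    (456, 2712, r'wmic shadowcopy delete'),
    (812, 2712, r'bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (2632, 2712, r'bcdedit /set {default} recoveryenabled no'),
    (2688, 2708, r'"C:\Windows\system32\cmd.exe"'),
    (2696, 2688, r'netsh advfirewall set currentprofile state off'),
    (2580, 2688, r'netsh firewall set opmode mode=disable'),
    (1992, 2708, r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'),
    (3001, 1000, r'"C:\Windows\system32\notepad.exe" notes.txt'),
]


def match_rules(cmdline):
    """Return the (technique, label) pairs whose pattern matches this command line."""
    return [(tech, label) for tech, label, pat in RULES if re.search(pat, cmdline, re.I)]


def root_of(pid, parents):
    """Walk ppid links up to the top-most pid that is itself present in the event set."""
    seen = {pid}
    while pid in parents and parents[pid] in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def scan(events):
    """One hit per (event, matching rule), tagged with the root ancestor of the event."""
    parents = {pid: ppid for pid, ppid, _ in events}
    hits = []
    for pid, _, cmd in events:
        for tech, label in match_rules(cmd):
            hits.append({"pid": pid, "root": root_of(pid, parents),
                         "technique": tech, "label": label, "cmdline": cmd})
    return hits


def ransomware_chains(hits, min_techniques=2):
    """Root pids under which at least `min_techniques` distinct techniques fired.
    A tree that both wipes shadow copies and disables the firewall is a far stronger
    signal than either command alone, which admins do run legitimately."""
    by_root = {}
    for h in hits:
        by_root.setdefault(h["root"], set()).add(h["technique"])
    return {root: sorted(t) for root, t in by_root.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print(f"pid {h['pid']:>5} root {h['root']:>5} {h['technique']:<10} {h['label']}: {h['cmdline']}")
    print("ransomware precursor chains:", ransomware_chains(found))
```

In production the events come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; only the event source changes, the ppid walk and rules stay the same. The grouping matters because in this tree the destructive commands are two levels below the sample (sample, child copy, cmd.exe, then vssadmin), so a rule that only looks at the immediate parent would attribute them to cmd.exe.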

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx.id[6ED41006-1130].[[email protected]].mamba
      Filesize

      2.7MB

      MD5

      f4a451b25b9b8c7a31e302d794402fd8

      SHA1

      dbe1e7d35bf6125b13d386f3a8c000dc330c8d84

      SHA256

      9f9faf4c2a122ea3208c6c6b07db22cf4e39415dbf41508a633759e7d9d7e702

      SHA512

      f45c2417d9270db5ec9c1a9c2eea666bf02a525fcb9eb55e1c0bcb4ec5e1eca028a311bff7857b10fb86f3a24c04764d6ab04dce8ea22ca548f6d25c66fc05aa

    • C:\info.hta
      Filesize

      6KB

      MD5

      841d33c870635d433b7a92d42cc54da9

      SHA1

      ac800029f771ee9815857eb4509400a3593871da

      SHA256

      58d5f1c3f2661f2df34c218d87cea26b91c5176591ec92c7dcf29be3d49eae9f

      SHA512

      7c0e52ff5f262a27305f27acd476d1f36689b0c4a4a4b57cb334f7c1e229e2c0b2d36326511ed22da30f85ba99132cec247d37523e1f34b05bbac4492261524e

    • memory/2412-1-0x00000000002F0000-0x00000000003F0000-memory.dmp
      Filesize

      1024KB

    • memory/2412-2-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB

    • memory/2412-423-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB

    • memory/2412-1266-0x00000000002F0000-0x00000000003F0000-memory.dmp
      Filesize

      1024KB

    • memory/2412-4771-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB

    • memory/2412-5002-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB

    • memory/2708-4-0x0000000000590000-0x0000000000690000-memory.dmp
      Filesize

      1024KB

    • memory/2708-5-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB

    • memory/2708-6-0x0000000000400000-0x00000000004B8000-memory.dmp
      Filesize

      736KB
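Two artifacts in this report carry the victim identifier: the ransom note under Malware Config (the `<span class='mark'>` elements holding the ID 6ED41006-1130 and the two contact addresses) and the encrypted file name in Downloads, which follows the layout `<original name>.id[<8 hex>-<4 digits>].[<contact>].<extension>`, here `Couture.thmx.id[6ED41006-1130].[[email protected]].mamba`. The Python below is an added example, written for this page rather than taken from the sandbox or the sample, that extracts the configuration from the note the way the sandbox's "Extracted" view does, parses the encrypted name, and cross-checks that the two agree. The note excerpt is a constructed fragment of info.hta reusing its exact markup; the contact addresses appear as `[email protected]` because this page redacts them, so the parsing treats the contact field as opaque text rather than validating it as an address.

```python
"""Extract the Phobos victim ID and contact addresses from the ransom note and from an
encrypted file name, and check that the two artifacts belong together.  Added example,
not part of the report; NOTE_HTML is a constructed excerpt of the info.hta in this report."""
import re
from typing import Optional

# Constructed excerpt of the HTA ransom note, same <span class='mark'> markup as the original.
NOTE_HTML = (
    "<div class='bold'>All your files have been encrypted due to a security problem with your PC. "
    "If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div>"
    "<div class='bold'>Write this ID in the title of your message <span class='mark'>6ED41006-1130</span></div>"
    "<div class='bold'>In case of no answer in 24 hours write us to this e-mail:"
    "<span class='mark'>[email protected]</span></div>"
)

# Encrypted file name taken verbatim from the Downloads section of this report.
ENCRYPTED_NAME = "Couture.thmx.id[6ED41006-1130].[[email protected]].mamba"

ID_RE = re.compile(r"Write this ID in the title of your message\s*<span class='mark'>([^<]+)</span>")
EMAIL_RE = re.compile(r"e-mail:?\s*<span class='mark'>([^<]+)</span>")
# Layout observed in this sample: <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>
# The contact group is greedy so a redacted "[email protected]" (which itself contains
# brackets) still parses; the extension must not contain a dot or a bracket.
NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[^.\]]+)$"
)


def extract_note_config(html: str) -> dict:
    """Victim ID and contact addresses from the note, in the order the note lists them
    (primary address first, fallback address second)."""
    id_match = ID_RE.search(html)
    return {
        "victim_id": id_match.group(1).strip() if id_match else None,
        "emails": [e.strip() for e in EMAIL_RE.findall(html)],
    }


def parse_encrypted_name(name: str) -> Optional[dict]:
    """Split a Phobos-style encrypted file name into its parts; None if it does not match."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def artifacts_agree(note_cfg: dict, parsed_name: Optional[dict]) -> bool:
    """True when the file name carries the note's ID and primary contact.  A mismatch
    means the note and the file come from different infections or the file was renamed,
    which the note itself warns will break the attacker's decryptor."""
    return bool(
        parsed_name is not None
        and parsed_name["victim_id"] == note_cfg["victim_id"]
        and note_cfg["emails"]
        and parsed_name["contact"] == note_cfg["emails"][0]
    )


if __name__ == "__main__":
    cfg = extract_note_config(NOTE_HTML)
    parsed = parse_encrypted_name(ENCRYPTED_NAME)
    print("note config :", cfg)
    print("file name   :", parsed)
    print("consistent  :", artifacts_agree(cfg, parsed))
```

Running the ID extraction over every dropped .hta on a host (the tree above shows the note written to the user's desktop, the public desktop, C:\ and a secondary drive) and the name parser over encrypted files gives a quick way to confirm that one campaign is responsible for all affected paths, and the original-name group is what a recovery team needs to map encrypted files back to backups.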