Overview

overview

10

Static

static

3

2024-02-10...ia.exe

windows7-x64

10

2024-02-10...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10-02-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-10_79d31027c986b4a882f3fa3175104312_mafia.exe

  • Size

    461KB

  • MD5

    79d31027c986b4a882f3fa3175104312

  • SHA1

    d9fa32737040e1a8a1491d7d0924e6762969c304

  • SHA256

    e1411426b34189a43481fe607bddd2f2d1c573d71db5328dcad0d2b94a0ef3e0

  • SHA512

    7aaafbf7bbba9d09ddf2a747cfa1624a20f2e0d8595ed7a7660287bb825b79c4cb231218941ba14e43e75b4e3aa75c5c55a50a9b81d939e95a628b0d12b7576a

  • SSDEEP

    12288:OIPMWEUD0Q2NPhnttpNHLgYWneskTedNO:r79D0ZPjzBLgY13TeH

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>phobos</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>3EB61E55-1113</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-10_79d31027c986b4a882f3fa3175104312_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-10_79d31027c986b4a882f3fa3175104312_mafia.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\2024-02-10_79d31027c986b4a882f3fa3175104312_mafia.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-10_79d31027c986b4a882f3fa3175104312_mafia.exe"
      2⤵
        PID:2868
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1940
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          PID:2848
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2580
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2496
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1104
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2568
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2192
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2696
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:2788
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2308
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2400
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1704
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1600
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:1996
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2992

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Indicator Removal

    2
    T1070

    File Deletion

    2
    T1070.004

    Modify Registry

    2
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    3
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[3EB61E55-1113].[[email protected]].actin
      Filesize

      6.1MB

      MD5

      a572711c65d389f5ced679a67f38a45a

      SHA1

      18146887e32d8a034f2cdc19cfb0515f859a0c58

      SHA256

      00916fba62807ff51c261e9167e0c15a9912784ec8ce44b59f3833d12cc7cdb4

      SHA512

      2d976261eaa3424245d69dae228be78044b70c441fbea87ff55c92610e720383bdaa6677bdff8f6c7e3a1a693f37d4f98f2b86c6ffa6e8ade8476240214003a7

      Download Submit

    • C:\info.hta
      Filesize

      5KB

      MD5

      e3e80599c4117faa3631da743594a7b1

      SHA1

      fd4a70f2a724cc718f5dcea5960f0cfdda1515ca

      SHA256

      748ca25aeb321856ccd1d9978c54d5c5d16c794d951635a6b3917aba020ff802

      SHA512

      0558acdbc8ad164bc978e369a7e00804bffe8ce339a4db291b3ea9021958c37dd9be4738c386b2dc2af75eb5d3129721b83e4b0d40542adca524b8466ef8715c

      Download Submit

    • memory/456-0-0x0000000000390000-0x000000000039C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/456-1-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/456-2-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/456-211-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/456-3470-0x0000000000390000-0x000000000039C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/456-10147-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/456-10229-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2868-7364-0x0000000000290000-0x000000000029C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2868-7444-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2868-7474-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download