Resubmissions

20-04-2024 11:55

240420-n3tfhsgg61 10

20-04-2024 11:12

240420-na6v5sfb59 10

General

  • Target

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • Size

    55KB

  • Sample

    240420-n3tfhsgg61

  • MD5

    4e93c194b641d9b849f270531ec14d20

  • SHA1

    8b5a21254a0c10e3ca2570eeba490755197b544e

  • SHA256

    43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

  • SHA512

    0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

  • SSDEEP

    1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

Malware Config

Extracted

Path

C:\Users\Public\Desktop\info.txt

Ransom Note
Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] or [email protected] or telegram acc - @phobos_support 5. if you need an alternative communication channel - write a request by e-mail 6. our goal is to return your data, but if you do not contact us, we will not succeed

Targets

    • Target

      43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

    • Size

      55KB

    • MD5

      4e93c194b641d9b849f270531ec14d20

    • SHA1

      8b5a21254a0c10e3ca2570eeba490755197b544e

    • SHA256

      43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

    • SHA512

      0c6dba53321b00a7b17bde84598de18cad9ecdae1a36209b6f13a99df96abe86987c2cbef132c6bc0ce80de75b4ad15351abd8c0c8e5c83bc17bb4f64713f2ec

    • SSDEEP

      1536:YNeRBl5PT/rx1mzwRMSTdLpJZtqoQOcO:YQRrmzwR5JAOF

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (311) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks