Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 07:20

General

  • Target

    e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe

  • Size

    1.1MB

  • MD5

    de710ff19a8716336603752d5630afb6

  • SHA1

    e8160ad7ff4505603d6e41c311dc2ded3c1eddc6

  • SHA256

    e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb

  • SHA512

    a6362fbc83075a0dfb9236411ae9992e731f7863eac3d298b0919eca4ec47b6ce69edfffad130ee5140ed1d6f66276faf7aab5974ccd76a80521413f2f9ad729

  • SSDEEP

    24576:5HOlaHILUR9X/oGhmE5EApGfZAuBQfm+t0:Mywk53mE5EA8fZ52++m

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>286E4C81-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (519) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
    "C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
      C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
        "C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
          C:\Users\Admin\AppData\Local\Temp\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe
          4⤵
            PID:4832
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:3804
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:936
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:512
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:4904
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:4424
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:308
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3460
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4024
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2412
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3004
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2396
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:368
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2656
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2100
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:2040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1536
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[286E4C81-3483].[[email protected]].8base

        Filesize

        2.7MB

        MD5

        3c89d203384b3a2ef7c1363b51a195ce

        SHA1

        eac831e3ac942a40577ee291e2208a40c5fc41bb

        SHA256

        0ba00b4dc035c7210e5ce4a493088f084e86515cd4795d47fba7fd481a5b39a4

        SHA512

        c9833b03d8d961ed70965c8380844d04202949d137343c11ee0035b76481f0501f41d480eb0776a9a1c9866625536e8601e662c91133fce9990c338aa0afd39a

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e32cdc23449666ff37b9c9ef327255d6d858cc52653500fb34f47af2cac4b3fb.exe.log

        Filesize

        1016B

        MD5

        4353288293ab8929e492327245a7ccb2

        SHA1

        89b365f2f5e14faaf17715e5764b60d344250d67

        SHA256

        61954fc5184dd88a959f803ee98ca9af53eb0c942dbb00b98ba4f8a46081b587

        SHA512

        48c07ca1b769cf02af6ec938aad8b5a03133e82a451bdff5a03bf4ba47cfd7add0ab28ee6622c22fb54e127472a7cf68dd7d05da15ec439cc18aed2ca76cd08a

      • C:\info.hta

        Filesize

        5KB

        MD5

        4ae7a21dc66d20cc8ce688f25e0c674b

        SHA1

        6c9510ba14aa79f2282b2fe376d4b63dde9b3ce9

        SHA256

        e5ad141388706b4b25fc30c8cb6246e66df6a9412993b617fec3a27ac28b366f

        SHA512

        66f33c3a715a8ac847c4671800321d930b043906acff6dd24739ac8e7b6d1d65fa3714e69b4931fa8c7aada240fb0ec5acc2b0914ef800904405e5c84af63412

      • memory/2240-37-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-131-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-35-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-36-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-2035-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-2019-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-9-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-12-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-1994-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-13-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-1696-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-1383-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-61-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-136-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-74-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-33-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-38-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-84-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-86-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-12659-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-98-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-34-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2240-137-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2652-8-0x0000000005600000-0x0000000005BA4000-memory.dmp

        Filesize

        5.6MB

      • memory/2652-6-0x0000000004F50000-0x0000000004F84000-memory.dmp

        Filesize

        208KB

      • memory/2652-0-0x000000007511E000-0x000000007511F000-memory.dmp

        Filesize

        4KB

      • memory/2652-1-0x0000000000190000-0x00000000002BC000-memory.dmp

        Filesize

        1.2MB

      • memory/2652-5-0x0000000004DE0000-0x0000000004E16000-memory.dmp

        Filesize

        216KB

      • memory/2652-2-0x0000000004C70000-0x0000000004D02000-memory.dmp

        Filesize

        584KB

      • memory/2652-7-0x0000000004FB0000-0x0000000004FFC000-memory.dmp

        Filesize

        304KB

      • memory/2652-4-0x0000000004D90000-0x0000000004DDE000-memory.dmp

        Filesize

        312KB

      • memory/2652-3-0x0000000075110000-0x00000000758C0000-memory.dmp

        Filesize

        7.7MB

      • memory/2652-14-0x0000000075110000-0x00000000758C0000-memory.dmp

        Filesize

        7.7MB

      • memory/3908-22-0x00000000751B0000-0x0000000075960000-memory.dmp

        Filesize

        7.7MB

      • memory/3908-16-0x00000000751BE000-0x00000000751BF000-memory.dmp

        Filesize

        4KB

      • memory/3908-17-0x00000000751B0000-0x0000000075960000-memory.dmp

        Filesize

        7.7MB

      • memory/4832-21-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB