Overview

overview

10

Static

static

10

55c30024ae...15.exe

windows7-x64

10

55c30024ae...15.exe

windows7-x64

10

55c30024ae...15.exe

windows10-2004-x64

10

55c30024ae...15.exe

windows10-ltsc_2021-x64

10

55c30024ae...15.exe

windows11-21h2-x64

10

56f7b48f38...59.exe

windows10-2004-x64

10

56f7b48f38...59.exe

windows7-x64

10

56f7b48f38...59.exe

windows10-2004-x64

10

56f7b48f38...59.exe

windows10-ltsc_2021-x64

10

56f7b48f38...59.exe

windows11-21h2-x64

10

5a96b92938...a4.exe

windows11-21h2-x64

10

5a96b92938...a4.exe

windows7-x64

10

5a96b92938...a4.exe

windows10-2004-x64

10

5a96b92938...a4.exe

windows10-ltsc_2021-x64

10

5a96b92938...a4.exe

windows11-21h2-x64

10

606b88fce1...c4.exe

windows10-2004-x64

3

606b88fce1...c4.exe

windows7-x64

1

606b88fce1...c4.exe

windows10-2004-x64

3

606b88fce1...c4.exe

windows10-ltsc_2021-x64

3

606b88fce1...c4.exe

windows11-21h2-x64

3

6bda9faf71...4b.exe

windows11-21h2-x64

10

6bda9faf71...4b.exe

windows7-x64

10

6bda9faf71...4b.exe

windows10-2004-x64

10

6bda9faf71...4b.exe

windows10-ltsc_2021-x64

10

6bda9faf71...4b.exe

windows11-21h2-x64

10

71b46e95fb...a8.exe

windows11-21h2-x64

10

71b46e95fb...a8.exe

windows7-x64

10

71b46e95fb...a8.exe

windows10-2004-x64

10

71b46e95fb...a8.exe

windows10-ltsc_2021-x64

10

71b46e95fb...a8.exe

windows11-21h2-x64

10

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

250325-qdtq4aznv6 10

25/03/2025, 13:05

250325-qbtcjszns3 10

25/03/2025, 13:01

250325-p9k86awxat 10

25/03/2025, 12:55

250325-p58tnawwe1 10

25/03/2025, 12:51

250325-p3txqazmt6 10

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/03/2025, 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe

  • Size

    57KB

  • MD5

    a6092621b7db8dc1f2c1f93a9a7ced9f

  • SHA1

    d4fd035605baa14375c9a59a93849b959df36bc4

  • SHA256

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4

  • SHA512

    380318805a8fbed4b6e4a1270c697116de2b5a562bace4ab857e653dae5b319a5ace3a90c02f3235d6a95eec996a6632335c01df55136f051c13a01b82a5f4a4

  • SSDEEP

    1536:RNeRBl5PT/rx1mzwRMSTdLpJOycgw04NxJ:RQRrmzwR5Jhcg74L

Score
10/10
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>A6C1C23B-3321</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>
URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Phobos family
    phobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (779) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    defense_evasion
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe
    "C:\Users\Admin\AppData\Local\Temp\5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5904
    • C:\Users\Admin\AppData\Local\Temp\5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe
      "C:\Users\Admin\AppData\Local\Temp\5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe"
      2⤵
        PID:4812
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4936
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2164
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4568
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4872
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2236
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:896
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2768
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3880
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5160
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4628
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:304
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2336
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3564
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:424
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1036
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:300
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5516
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:5868
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:5788

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      2
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Windows Credential Manager

      1
      T1555.004

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[A6C1C23B-3321].[[email protected]].WIN
        Filesize

        3.2MB

        MD5

        af7668fa165d32db99add2f629addcf8

        SHA1

        d5fbd3037e9dd94ebf27b1c1f210dc2d17b50931

        SHA256

        74d897cee0a6e741adf3c51c8876b8ff964469a8b28bbce358620f9edd10315e

        SHA512

        332ee0d569a497b1c7ea7bdeda08b5f1e1f7122f739719cc2086ea08838ff03ee8d0021245c026bb946c7d99d7284d93968693f7b908219dbba2897ce8d4bc59

        Download Submit

      • C:\info.hta
        Filesize

        6KB

        MD5

        89d44d130897bc5fe6d79b02594429bd

        SHA1

        3f46af72520b864a69d277b9a114b987e622ba52

        SHA256

        fb0469d6a844a33c5878f6ee2adcc66a5b52f9e8d69d0eb8d4010764638ef82d

        SHA512

        f61e2548798c7ed57ee561bb670195d2da108905db388c706248c11d47ddd84436297ef6fbde21f4d6ccfb652c3594906f036034a47ff1cea668ad19f920a250

        Download Submit