phobos | d68cd1a46733695e31c8d8604ad7f5658ebba343404d8443e1e64f0ee3e79a11

General

Target

phobos.exe
Size

56KB
MD5

2680a0e23ec4966fa69e3613d1e2e731
SHA1

adef6ebd6794f47fb665c4f1b7341f6422deb01b
SHA256

d68cd1a46733695e31c8d8604ad7f5658ebba343404d8443e1e64f0ee3e79a11
SHA512

234d28bde9ba11225849efe5e6533d29fccbbd6e3028e347e7497488cb2d127b86d2acd0299cfff43c9871edf36db3840dafde2a564e28bb9e6e066051ec0af2
SSDEEP

1536:vNeRBl5PT/rx1mzwRMSTdLpJeObjDNJjhkL:vQRrmzwR5JJPD/CL

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2064 bcdedit.exe
2852 bcdedit.exe
328 bcdedit.exe
1700 bcdedit.exe
Renames multiple (313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

2236 wbadmin.exe
2672 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2592 netsh.exe
2408 netsh.exe

pid	process
2064	bcdedit.exe
2852	bcdedit.exe
328	bcdedit.exe
1700	bcdedit.exe

pid	process
2236	wbadmin.exe
2672	wbadmin.exe

pid	process
2592	netsh.exe
2408	netsh.exe

Drops startup file 3 IoCs

Processes:

phobos.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\phobos.exe	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	phobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe"	phobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe"	phobos.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

phobos.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2084844033-2744876406-2053742436-1000\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CBQGOI21\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\54O2E0BW\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	phobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\68A65AU5\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	phobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2084844033-2744876406-2053742436-1000\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G0RZ308A\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	phobos.exe

Drops file in Program Files directory 64 IoCs

Processes:

phobos.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\COUGH.WAV	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.DPV	phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll	phobos.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02400_.WMF	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00110_.WMF	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	phobos.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152876.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1F.GIF	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	phobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo	phobos.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLL.ICO	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF	phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js	phobos.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML	phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	phobos.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF	phobos.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa	phobos.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153508.WMF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml	phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF.id[EE1FC7D6-2850].[[email protected]].eject	phobos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2584 vssadmin.exe
2568 vssadmin.exe

pid	process
2584	vssadmin.exe
2568	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

phobos.exe

pid	process
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe
2752	phobos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

phobos.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2752	phobos.exe
Token: SeBackupPrivilege	1240	vssvc.exe
Token: SeRestorePrivilege	1240	vssvc.exe
Token: SeAuditPrivilege	1240	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: SeBackupPrivilege	3020	wbengine.exe
Token: SeRestorePrivilege	3020	wbengine.exe
Token: SeSecurityPrivilege	3020	wbengine.exe
Token: SeIncreaseQuotaPrivilege	340	WMIC.exe
Token: SeSecurityPrivilege	340	WMIC.exe
Token: SeTakeOwnershipPrivilege	340	WMIC.exe
Token: SeLoadDriverPrivilege	340	WMIC.exe
Token: SeSystemProfilePrivilege	340	WMIC.exe
Token: SeSystemtimePrivilege	340	WMIC.exe
Token: SeProfSingleProcessPrivilege	340	WMIC.exe
Token: SeIncBasePriorityPrivilege	340	WMIC.exe
Token: SeCreatePagefilePrivilege	340	WMIC.exe
Token: SeBackupPrivilege	340	WMIC.exe
Token: SeRestorePrivilege	340	WMIC.exe
Token: SeShutdownPrivilege	340	WMIC.exe
Token: SeDebugPrivilege	340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	340	WMIC.exe
Token: SeRemoteShutdownPrivilege	340	WMIC.exe
Token: SeUndockPrivilege	340	WMIC.exe
Token: SeManageVolumePrivilege	340	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

phobos.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2752 wrote to memory of 2712	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2712	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2712	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2712	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2772	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2772	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2772	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2772	2752	phobos.exe	cmd.exe
PID 2772 wrote to memory of 2592	2772	cmd.exe	netsh.exe
PID 2772 wrote to memory of 2592	2772	cmd.exe	netsh.exe
PID 2772 wrote to memory of 2592	2772	cmd.exe	netsh.exe
PID 2712 wrote to memory of 2584	2712	cmd.exe	vssadmin.exe
PID 2712 wrote to memory of 2584	2712	cmd.exe	vssadmin.exe
PID 2712 wrote to memory of 2584	2712	cmd.exe	vssadmin.exe
PID 2772 wrote to memory of 2408	2772	cmd.exe	netsh.exe
PID 2772 wrote to memory of 2408	2772	cmd.exe	netsh.exe
PID 2772 wrote to memory of 2408	2772	cmd.exe	netsh.exe
PID 2712 wrote to memory of 2928	2712	cmd.exe	WMIC.exe
PID 2712 wrote to memory of 2928	2712	cmd.exe	WMIC.exe
PID 2712 wrote to memory of 2928	2712	cmd.exe	WMIC.exe
PID 2712 wrote to memory of 2064	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2064	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2064	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2852	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2852	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2852	2712	cmd.exe	bcdedit.exe
PID 2712 wrote to memory of 2236	2712	cmd.exe	wbadmin.exe
PID 2712 wrote to memory of 2236	2712	cmd.exe	wbadmin.exe
PID 2712 wrote to memory of 2236	2712	cmd.exe	wbadmin.exe
PID 2752 wrote to memory of 2416	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2416	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2416	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2416	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2180	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2180	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2180	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2180	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2328	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2328	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2328	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2328	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 588	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 588	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 588	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 588	2752	phobos.exe	mshta.exe
PID 2752 wrote to memory of 2636	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2636	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2636	2752	phobos.exe	cmd.exe
PID 2752 wrote to memory of 2636	2752	phobos.exe	cmd.exe
PID 2636 wrote to memory of 2568	2636	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 2568	2636	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 2568	2636	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 340	2636	cmd.exe	WMIC.exe
PID 2636 wrote to memory of 340	2636	cmd.exe	WMIC.exe
PID 2636 wrote to memory of 340	2636	cmd.exe	WMIC.exe
PID 2636 wrote to memory of 328	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 328	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 328	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 1700	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 1700	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 1700	2636	cmd.exe	bcdedit.exe
PID 2636 wrote to memory of 2672	2636	cmd.exe	wbadmin.exe
PID 2636 wrote to memory of 2672	2636	cmd.exe	wbadmin.exe
PID 2636 wrote to memory of 2672	2636	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\phobos.exe
"C:\Users\Admin\AppData\Local\Temp\phobos.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\phobos.exe
"C:\Users\Admin\AppData\Local\Temp\phobos.exe"
2⤵
PID:2908

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2584

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2064

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2852

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2592

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2408

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2180

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2328

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:588

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2568

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:328

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1700

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[EE1FC7D6-2850].[[email protected]].eject

Filesize
4.5MB

MD5
f2f7a7ccd68f6b51fdf5d4c9030a36e8

SHA1
ac9d5de1a3be54cb4ff5a570d91c26b338ebf496

SHA256
f1efdbfff858f63e7c2f7c5a243788504edfecd168fb8391993db899c3a472a2

SHA512
dc58622b9887c35f51a29af2f006528f8e9d0b04c3d6692b5cecda4b07fe996417edd5107158e1acbda11d55d8fd8abdaa4cbb98868c6699063a66575000aafb

Download Submit
C:\info.hta

Filesize
4KB

MD5
67ac82a1b0d0d68e53d63159a086a957

SHA1
8c688892fa47160712c79add0fcb7c68f4d692e6

SHA256
a1e154a5a65626b0adf3c454b72005a452c47985cebc7bfd88262c317f6e33dc

SHA512
618c02cfb44c83bdd9e6840264d8c713ba4ae886289241eac846198b388d577e9f8f3790d428fa3d99944cebe72ec4e6f4c3741d43ed6b0de8612ea0aa85891c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads