Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
14-04-2024 08:01
Static task
static1
Behavioral task
behavioral1
Sample
phobos.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
phobos.exe
Resource
win10v2004-20240226-en
General
-
Target
phobos.exe
-
Size
71KB
-
MD5
e59ffeaf7acb0c326e452fa30bb71a36
-
SHA1
c88fad293256bfead6962124394de4f8b97765aa
-
SHA256
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2
-
SHA512
737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3
-
SSDEEP
1536:zkGB8nHbKUvryElSpi8jCZGcqDKlKnr8dV+99rmuoENA4Cj:zFBMHRvrAjCZmKcnr8YrfA4Cj
Malware Config
Extracted
Path: C:\info.hta
Emails: lockhelp@qq.com, lockhelp@xmpp.jp
URLs: http://www.w3.org/TR/html4/strict.dtd, https://pidgin.im/download/windows/ (both lifted from the HTA markup: the DOCTYPE reference and a hyperlink in the note body; neither is an attacker-controlled address)
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
- PID 2256 bcdedit.exe
- PID 1476 bcdedit.exe
- PID 2360 bcdedit.exe
- PID 1692 bcdedit.exe
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
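The appended extension in the IoC lists below has a fixed shape: the original name, then ".id[<victim id>-<4-digit tag>].[<contact address>].<variant extension>" (here A8E39828-1096, lockhelp@qq.com and acute). The following Python is an added example, not part of the sandbox report, that parses that suffix off a list of paths and groups them by victim id, contact and variant, which is how a triage analyst confirms that every renamed file on a host carries the same campaign marker. The field names and the sample path list are this example's own; the page does not name the fields and says nothing about what the second number in the bracket means.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example; not code from the sandbox report. Matches the suffix Phobos
# appended in this run:  <original>.id[<victim id>-<tag>].[<contact>].<variant>
# Field names are this example's own; the page does not name them, and the
# meaning of the second bracketed number is not stated there.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<tag>\d+)\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<variant>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class PhobosName:
    directory: str
    original_name: str
    victim_id: str
    tag: str
    contact: str
    variant: str

    @property
    def original_path(self) -> str:
        """Path the file had before the ransomware renamed it."""
        return f"{self.directory}\\{self.original_name}" if self.directory else self.original_name


def parse_phobos_name(path: str) -> Optional[PhobosName]:
    """Return the parsed fields if `path` carries a Phobos suffix, else None."""
    directory, _, name = path.rpartition("\\")
    m = PHOBOS_SUFFIX.match(name)
    if not m:
        return None
    return PhobosName(directory, m["original"], m["victim_id"].upper(),
                      m["tag"], m["contact"], m["variant"])


def summarize(paths: List[str]) -> Dict[str, object]:
    """Group renamed files by victim id, contact and variant so one campaign
    marker can be confirmed across every renamed file on the host."""
    parsed = [p for p in map(parse_phobos_name, paths) if p is not None]
    return {
        "encrypted": len(parsed),
        "not_renamed": len(paths) - len(parsed),
        "victim_ids": Counter(p.victim_id for p in parsed),
        "contacts": Counter(p.contact for p in parsed),
        "variants": Counter(p.variant for p in parsed),
        "originals": [p.original_path for p in parsed],
    }


# Constructed sample: three renamed paths taken from the IoC lists in this
# report plus two files the run left alone, so the script runs offline.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[A8E39828-1096].[lockhelp@qq.com].acute",
    r"C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.id[A8E39828-1096].[lockhelp@qq.com].acute",
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A8E39828-1096].[lockhelp@qq.com].acute",
    r"C:\Program Files\Java\jre7\lib\zi\America\Atikokan",
    r"C:\info.hta",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(parse_phobos_name(path))
    print(summarize(SAMPLE_PATHS))
```

A second victim id or contact showing up in the counters means more than one run (or more than one affiliate build) touched the host, which changes the recovery conversation; the original_path list is what you hand to whoever restores from backup.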
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
- PID 2200 netsh.exe
- PID 2632 netsh.exe
-
Drops startup file 3 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[A8E39828-1096].[lockhelp@qq.com].acute (phobos.exe)
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\phobos.exe (phobos.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (phobos.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe" (phobos.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe" (phobos.exe)
-
Drops desktop.ini file(s) 64 IoCs
Processes:
All 64 entries are "File opened for modification" by phobos.exe:
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HKGE1S7K\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQ9N4B3U\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87XXOISN\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSZQNXMR\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Program Files\Microsoft Games\FreeCell\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXU0E4DR\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Program Files\Microsoft Games\Purble Place\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYXNIRQN\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Program Files\Microsoft Games\Mahjong\desktop.ini
- C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Music\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
- C:\Program Files\Microsoft Games\Chess\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
-
Drops file in Program Files directory 64 IoCs
Processes:
All 64 entries are attributed to phobos.exe:
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js
- File created: C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
- File created: C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\Windows Media Player\es-ES\wmlaunch.exe.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion14.gta
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF
- File opened for modification: C:\Program Files\Java\jre7\lib\cmm\sRGB.pf
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png
- File opened for modification: C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm
- File created: C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\Windows Media Player\WMPDMC.exe
- File opened for modification: C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties
- File created: C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx
- File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.XML.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\TipBand.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML
- File opened for modification: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROG98.POC
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
- File created: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG.id[A8E39828-1096].[lockhelp@qq.com].acute
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00543_.WMF.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Atikokan
- File opened for modification: C:\Program Files\Windows Mail\wabmig.exe
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Yakutat
- File created: C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png
- File opened for modification: C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199469.WMF
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.id[A8E39828-1096].[lockhelp@qq.com].acute
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 2676 vssadmin.exe
- PID 1712 vssadmin.exe
-
Modifies Internet Explorer settings 4 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe); the same key is recorded four times, each attributed to mshta.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 1968 phobos.exe: all 64 listed events
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- PID 1940 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2612 WMIC.exe (the following set adjusted twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 2240 WMIC.exe: the same 20 privileges as above, then SeIncreaseQuotaPrivilege again (the listing stops at 64 entries)
33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names.
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
Source PID / process -> target PID / process (number of write events):
- 1968 phobos.exe -> 2624 cmd.exe (4)
- 1968 phobos.exe -> 2548 cmd.exe (4)
- 2548 cmd.exe -> 2676 vssadmin.exe (3)
- 2624 cmd.exe -> 2632 netsh.exe (3)
- 2624 cmd.exe -> 2200 netsh.exe (3)
- 2548 cmd.exe -> 2612 WMIC.exe (3)
- 2548 cmd.exe -> 2256 bcdedit.exe (3)
- 2548 cmd.exe -> 1476 bcdedit.exe (3)
- 1968 phobos.exe -> 2068 mshta.exe (4)
- 1968 phobos.exe -> 1600 mshta.exe (4)
- 1968 phobos.exe -> 1300 mshta.exe (4)
- 1968 phobos.exe -> 412 mshta.exe (4)
- 1968 phobos.exe -> 2760 cmd.exe (4)
- 2760 cmd.exe -> 1712 vssadmin.exe (3)
- 2760 cmd.exe -> 2240 WMIC.exe (3)
- 2760 cmd.exe -> 2360 bcdedit.exe (3)
- 2760 cmd.exe -> 1692 bcdedit.exe (3)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\phobos.exe [level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\phobos.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\phobos.exe [level 2]
    Command line: "C:\Users\Admin\AppData\Local\Temp\phobos.exe"
  C:\Windows\system32\cmd.exe [level 2]
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe [level 3]
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe [level 3]
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe [level 3]
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe [level 3]
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe [level 2]
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe [level 3]
      Command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
    C:\Windows\system32\netsh.exe [level 3]
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\mshta.exe [level 2]
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\mshta.exe [level 2]
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\mshta.exe [level 2]
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\mshta.exe [level 2]
    Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
    - Modifies Internet Explorer settings
  C:\Windows\system32\cmd.exe [level 2]
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe [level 3]
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe [level 3]
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe [level 3]
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe [level 3]
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
C:\Windows\system32\vssvc.exe [level 1]
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
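The tree above is the Phobos pre-encryption sequence: two cmd.exe wrappers each run vssadmin delete shadows, wmic shadowcopy delete and the two bcdedit changes, a third wrapper turns the firewall off with both the advfirewall and the legacy netsh syntax, mshta displays the note from four locations, and a Run key points at a copy under AppData. The cmd.exe wrappers carry no arguments in this report, so detection has to key on the child command lines. What follows is an added example, not from the report and not Triage's own signature code: a small Python scanner that runs those checks over constructed process-creation and registry events modelled on the PIDs and command lines above, tags each hit with its ATT&CK technique, and walks ppid links so that a process tree issuing two or more distinct recovery-inhibition commands is flagged as a chain rather than as isolated hits. The event format, the rule titles, the parent PID given to phobos.exe and the control "bcdedit /enum" event are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example, not the sandbox's signature logic. Command-line rules keyed to
# what the process tree above shows. ATT&CK IDs are the standard technique IDs
# for these behaviours; the rule titles are this example's own.
PROCESS_RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+recoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1562.004", "firewall disabled via netsh",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
    ("T1218.005", "mshta launching an .hta",
     re.compile(r"\bmshta(?:\.exe)?\b.*\.hta\b", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Autorun data that lives under a user profile, ProgramData or a Temp folder.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str
    title: str
    pid: int
    evidence: str


def scan(events: List[dict]) -> List[Finding]:
    """Apply the rules to process-creation and registry value-set events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for technique, title, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    findings.append(Finding(technique, title, ev["pid"], ev["cmdline"]))
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            findings.append(Finding("T1547.001", "Run key pointing into a user-writable path",
                                    ev["pid"], f'{ev["key"]} = {ev["data"]}'))
    return findings


def root_of(pid: int, parents: Dict[int, int]) -> int:
    """Follow ppid links up to the topmost process we have an event for."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events: List[dict], findings: List[Finding]) -> Dict[int, List[str]]:
    """Per root process, collect the distinct T1490 commands. Two or more in
    one tree is the recovery-inhibition chain a ransomware dropper runs before
    encrypting; a lone vssadmin call from an admin script does not qualify."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    chains: Dict[int, Set[str]] = {}
    for f in findings:
        if f.technique == "T1490":
            chains.setdefault(root_of(f.pid, parents), set()).add(f.title)
    return {root: sorted(t) for root, t in chains.items() if len(t) >= 2}


# Constructed events modelled on the tree above (ppid 0 for phobos.exe and the
# last bcdedit /enum control event are this example's own additions).
EVENTS = [
    {"type": "process", "pid": 1968, "ppid": 0, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\phobos.exe"'},
    {"type": "process", "pid": 2548, "ppid": 1968, "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 2676, "ppid": 2548, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 2612, "ppid": 2548, "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "pid": 2256, "ppid": 2548, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "pid": 1476, "ppid": 2548, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "pid": 2624, "ppid": 1968, "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 2632, "ppid": 2624, "cmdline": "netsh advfirewall set currentprofile state off"},
    {"type": "process", "pid": 2200, "ppid": 2624, "cmdline": "netsh firewall set opmode mode=disable"},
    {"type": "process", "pid": 2068, "ppid": 1968, "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    {"type": "registry", "pid": 1968, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos",
     "data": r"C:\Users\Admin\AppData\Local\phobos.exe"},
    {"type": "process", "pid": 3001, "ppid": 3000, "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in hits:
        print(h.technique, h.pid, h.title)
    print("chains:", correlate(EVENTS, hits))
```

On a live host the same rules apply unchanged to Sysmon Event ID 1 (CommandLine, ProcessId, ParentProcessId) and Event ID 13 (TargetObject, Details); the correlation step is what separates this tree from a backup job that legitimately deletes old shadow copies.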
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A8E39828-1096].[lockhelp@qq.com].acute
Filesize
143.1MB
MD5
1c4649acd7e068cbba01e11c5518126a
SHA1
eab136940a8fe6af84fe02adbf57627d7d267f01
SHA256
bee0e64822a3961d77cbba34afedaa9cc20c58c5c734ca86439749f7ae009fc3
SHA512
eb75d0c0369712765513e6a1e6104f3077cbaf7ccffb2af5f9cb6612733d058a71090887505a4323d3310372441d8f544e1bef56a8fbe6fe9d8b2cdf14a63a84
-
C:\info.hta
Filesize
6KB
MD5
af4b885c070226f552a8aeb9425a0b28
SHA1
64b3b00cee4fbf5383955679bef184763591073c
SHA256
66d55834590cdb9fd0daeea9682fe9f6d8ef00e9a1843d5673a3224cb6ac5122
SHA512
16b4369e62d7af98d54e55dc3b5cb86a637cc760a62bc50711313738c6f9215eb40f318b0d83571c1a15ce39ad6820118c3ce8b7a5722e3048eb8ec0cb319d15