phobos | 16ed08cf0be590a0cf11648f1efee344cb49fdb4df1278a4277976d857823df3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
Size

56KB
MD5

8e4ab089f8ee00854a714b627482e8b7
SHA1

992055ecd82ec51f9d5693dc2bfe83801df2dfc6
SHA256

16ed08cf0be590a0cf11648f1efee344cb49fdb4df1278a4277976d857823df3
SHA512

668a460e191ceba91e340937085fbbbecd78d89e12f5bdccd185535ca80ba182c41eac191e57884bd2a5c37234f9d29a302c40c1a57203fc3d3b9f5cd94a4754
SSDEEP

1536:ANeRBl5PT/rx1mzwRMSTdLpJkxhGQj+EAh4ymMG:AQRrmzwR5J3Q6EAO

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2152	bcdedit.exe
1052	bcdedit.exe

Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1340	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2588	netsh.exe
2760	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe"	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe"	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\HideBackup.aif.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\BackupEnable.snd	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.id[5452021D-3449].[[email protected]].xDec	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2664	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
Token: SeBackupPrivilege	2936	vssvc.exe
Token: SeRestorePrivilege	2936	vssvc.exe
Token: SeAuditPrivilege	2936	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2912	WMIC.exe
Token: SeSecurityPrivilege	2912	WMIC.exe
Token: SeTakeOwnershipPrivilege	2912	WMIC.exe
Token: SeLoadDriverPrivilege	2912	WMIC.exe
Token: SeSystemProfilePrivilege	2912	WMIC.exe
Token: SeSystemtimePrivilege	2912	WMIC.exe
Token: SeProfSingleProcessPrivilege	2912	WMIC.exe
Token: SeIncBasePriorityPrivilege	2912	WMIC.exe
Token: SeCreatePagefilePrivilege	2912	WMIC.exe
Token: SeBackupPrivilege	2912	WMIC.exe
Token: SeRestorePrivilege	2912	WMIC.exe
Token: SeShutdownPrivilege	2912	WMIC.exe
Token: SeDebugPrivilege	2912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2912	WMIC.exe
Token: SeRemoteShutdownPrivilege	2912	WMIC.exe
Token: SeUndockPrivilege	2912	WMIC.exe
Token: SeManageVolumePrivilege	2912	WMIC.exe
Token: 33	2912	WMIC.exe
Token: 34	2912	WMIC.exe
Token: 35	2912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2912	WMIC.exe
Token: SeSecurityPrivilege	2912	WMIC.exe
Token: SeTakeOwnershipPrivilege	2912	WMIC.exe
Token: SeLoadDriverPrivilege	2912	WMIC.exe
Token: SeSystemProfilePrivilege	2912	WMIC.exe
Token: SeSystemtimePrivilege	2912	WMIC.exe
Token: SeProfSingleProcessPrivilege	2912	WMIC.exe
Token: SeIncBasePriorityPrivilege	2912	WMIC.exe
Token: SeCreatePagefilePrivilege	2912	WMIC.exe
Token: SeBackupPrivilege	2912	WMIC.exe
Token: SeRestorePrivilege	2912	WMIC.exe
Token: SeShutdownPrivilege	2912	WMIC.exe
Token: SeDebugPrivilege	2912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2912	WMIC.exe
Token: SeRemoteShutdownPrivilege	2912	WMIC.exe
Token: SeUndockPrivilege	2912	WMIC.exe
Token: SeManageVolumePrivilege	2912	WMIC.exe
Token: 33	2912	WMIC.exe
Token: 34	2912	WMIC.exe
Token: 35	2912	WMIC.exe
Token: SeBackupPrivilege	1536	wbengine.exe
Token: SeRestorePrivilege	1536	wbengine.exe
Token: SeSecurityPrivilege	1536	wbengine.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3044	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	30
PID 2932 wrote to memory of 3044	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	30
PID 2932 wrote to memory of 3044	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	30
PID 2932 wrote to memory of 3044	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	30
PID 2932 wrote to memory of 3004	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	29
PID 2932 wrote to memory of 3004	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	29
PID 2932 wrote to memory of 3004	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	29
PID 2932 wrote to memory of 3004	2932	2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe	29
PID 3044 wrote to memory of 2664	3044	cmd.exe	33
PID 3044 wrote to memory of 2664	3044	cmd.exe	33
PID 3044 wrote to memory of 2664	3044	cmd.exe	33
PID 3004 wrote to memory of 2588	3004	cmd.exe	34
PID 3004 wrote to memory of 2588	3004	cmd.exe	34
PID 3004 wrote to memory of 2588	3004	cmd.exe	34
PID 3004 wrote to memory of 2760	3004	cmd.exe	37
PID 3004 wrote to memory of 2760	3004	cmd.exe	37
PID 3004 wrote to memory of 2760	3004	cmd.exe	37
PID 3044 wrote to memory of 2912	3044	cmd.exe	40
PID 3044 wrote to memory of 2912	3044	cmd.exe	40
PID 3044 wrote to memory of 2912	3044	cmd.exe	40
PID 3044 wrote to memory of 2152	3044	cmd.exe	42
PID 3044 wrote to memory of 2152	3044	cmd.exe	42
PID 3044 wrote to memory of 2152	3044	cmd.exe	42
PID 3044 wrote to memory of 1052	3044	cmd.exe	43
PID 3044 wrote to memory of 1052	3044	cmd.exe	43
PID 3044 wrote to memory of 1052	3044	cmd.exe	43
PID 3044 wrote to memory of 1340	3044	cmd.exe	44
PID 3044 wrote to memory of 1340	3044	cmd.exe	44
PID 3044 wrote to memory of 1340	3044	cmd.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-17_8e4ab089f8ee00854a714b627482e8b7_phobos.exe"
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2588
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:2760
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2152
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1052
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[5452021D-3449].[[email protected]].xDec

Filesize
23.5MB

MD5
ca6c77f334857a3fa5c4598782aa2b3a

SHA1
fdb95fb5152368acb26f2c729472da90a176d22b

SHA256
20e0b9cad737307a4fa75f345f144e76aa451f56e5f84bf976e72ab0b94b3097

SHA512
4938f9a716ac21f29367764eba6fdd0c5f893894f2be32f4df0d3eac6d624e73ee02c4009d04cc3008af9ad22f4a8c5e101722aa89c73a2bfd039c042a933f3a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

Filesize
549B

MD5
db10fd32bfe67918ed177579d4be9d76

SHA1
44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738

SHA256
c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31

SHA512
bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

Filesize
77B

MD5
2b62a30906a2b8bf3b68abd2ef9d105b

SHA1
9898d25a214dba04ebd7e3030ac9e2e90ea7a369

SHA256
075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c

SHA512
6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

Filesize
65B

MD5
1ef5e829303a139ce967440e0cdca10c

SHA1
f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b

SHA256
98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7

SHA512
19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

Filesize
1KB

MD5
71c7e24524aea1022361143d0a876c84

SHA1
b141efff466f27664599dd2aa91f0b7c50736f1d

SHA256
07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3

SHA512
4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

Filesize
153B

MD5
d13b5ffdeb538f15ee1d30f2788601d5

SHA1
8dc4da8e4efca07472b08b618bc059dcbfd03efa

SHA256
f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

SHA512
58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

Filesize
589B

MD5
985f599bb4b81c01d5b5d16ad241d5ed

SHA1
a90b24a33383273378fc6429b95fdf62c4c2e5d5

SHA256
36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4

SHA512
fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

Filesize
1KB

MD5
0a876dfacfdabc170818581a2e6e6d54

SHA1
376fd52e52867f959cb2076fbbc4d214778a7fc0

SHA256
e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839

SHA512
766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10

Filesize
27B

MD5
65435a5d117aa6b052a5f737d9946a7b

SHA1
b8b17ad613463c3c9a1fe928819fb30cb853e6b1

SHA256
ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b

SHA512
4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

Filesize
85B

MD5
eeb20c9bc165677800b6dc7621a50cc9

SHA1
def5026103297fa44a2185104f2ee400cb93329c

SHA256
6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2

SHA512
d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

Filesize
89B

MD5
335a7c8e767a2dd0ecf3460eaabb0bbd

SHA1
111ffd83edcb095d251067456a3a60b754b4c717

SHA256
a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609

SHA512
bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

Filesize
2KB

MD5
b8d5d64c3ef0b30644898a80682f5121

SHA1
bbc7b3902250307a2cdbb314abe98e34795032be

SHA256
2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759

SHA512
f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
ab9d8ef2ffa9145d6c325cefa41d5d4e

SHA1
0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab

SHA256
65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785

SHA512
904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
133B

MD5
b85026155b964b6f3a883c9a8b62dfe3

SHA1
5c38290813cd155c68773c19b0dd5371b7b1c337

SHA256
57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f

SHA512
c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

Filesize
138B

MD5
a2bb242dc046bacdc58e7fbbe03cce85

SHA1
052ab788f1646b958e0ea2c0ef47d00141fc1004

SHA256
486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22

SHA512
d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml

Filesize
453B

MD5
118db038cff249fc1b96f7a8f2b27620

SHA1
6f804438c7a4af3c57191138510a644d24bde92b

SHA256
8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989

SHA512
4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml

Filesize
437B

MD5
ceb1e6764a28b208d51a7801052118d7

SHA1
2719eea8bde44ff35dd7b274df167c103483b895

SHA256
99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0

SHA512
f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

Filesize
431B

MD5
2c16868331f82ff43059dcb0ea178af3

SHA1
983589535e05c495ffeae4b0b31ddcfafe92a763

SHA256
be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376

SHA512
184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

Filesize
411B

MD5
f7c78514872f9cb5585f8d69532cd2d0

SHA1
ff9dfbb62a3b48c85b6434ee831fb33a8dba9526

SHA256
5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965

SHA512
50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar

Filesize
1KB

MD5
8b550761ab80413c9c09f7fb472dbfaf

SHA1
67122822562203c17dd3f762194e470f90ddfa97

SHA256
f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b

SHA512
9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

Download Submit