phobos | 7fb02a35bf5c3ae045dd33295ebc72e2c927684058c0194207f2cf3226571f3a

Analysis

max time kernel
7s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
Size

56KB
MD5

d35b28401ff2f12c55296e95fd0b82ad
SHA1

31dd40eba1aea2217afe307a98fab9f05c8a5e32
SHA256

7fb02a35bf5c3ae045dd33295ebc72e2c927684058c0194207f2cf3226571f3a
SHA512

bbfc1a4bbbb2be47ddaa26899f5450f99328e601149771c1616369502af7c6286deb7a66ea60c0b91e1ff0a97e6547fac3ee8c9a71d6e7d28250b4145f2fbc67
SSDEEP

1536:SNeRBl5PT/rx1mzwRMSTdLpJ67d6P12zbZ:SQRrmzwR5Jt10Z

Score

10^/10

phobos defense_evasion evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>A7B57FDF-3316</span></div> <div class='bold'>Or text in the messenger Telegram: <span class='mark'><a href='https://t.me/santasupp'>@santasupp</a></span> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1080	bcdedit.exe
1572	bcdedit.exe
2256	bcdedit.exe
1816	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2928	wbadmin.exe
2976	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2632	netsh.exe
1816	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe"	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe"	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\desktop.ini	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\desktop.ini.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\EnableRemove.rar.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Common.fxh	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DismountDebug.xls.id[A7B57FDF-3316].[[email protected]].mango	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2644	vssadmin.exe
2916	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
Token: SeBackupPrivilege	2052	vssvc.exe
Token: SeRestorePrivilege	2052	vssvc.exe
Token: SeAuditPrivilege	2052	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 636	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	29
PID 2224 wrote to memory of 636	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	29
PID 2224 wrote to memory of 636	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	29
PID 2224 wrote to memory of 636	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	29
PID 2224 wrote to memory of 2756	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	30
PID 2224 wrote to memory of 2756	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	30
PID 2224 wrote to memory of 2756	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	30
PID 2224 wrote to memory of 2756	2224	2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe	30
PID 2756 wrote to memory of 2632	2756	cmd.exe	33
PID 2756 wrote to memory of 2632	2756	cmd.exe	33
PID 2756 wrote to memory of 2632	2756	cmd.exe	33
PID 636 wrote to memory of 2644	636	cmd.exe	34
PID 636 wrote to memory of 2644	636	cmd.exe	34
PID 636 wrote to memory of 2644	636	cmd.exe	34
PID 2756 wrote to memory of 1816	2756	cmd.exe	57
PID 2756 wrote to memory of 1816	2756	cmd.exe	57
PID 2756 wrote to memory of 1816	2756	cmd.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-05-02_d35b28401ff2f12c55296e95fd0b82ad_phobos.exe"
  2⤵
  PID:2832
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:1776
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1572
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1080
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2928
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2632
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1816
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
  2⤵
  PID:1508
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3060
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:308
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1816
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2256
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2876

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2396

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\info.hta

Filesize
5KB

MD5
9afb2ba93502c75eaa3b8db2c5ab6d15

SHA1
42fefd0ab263661e77c99bfbe861042f1785d98f

SHA256
45d1fab2977acd6af1a87713858c757a951c92dc239eca6367642a1458c961bd

SHA512
4bc0d3001a0da675b9a8f471c87e99919981dfc647dadbd73070218ee57489961276c33a00361fdea707250c149ba54add0dd3029bb7937e2055848275486060

Download Submit