phobos | 4dddfd8d5d0a097700ec211ed5ff49ae6dc0426f1dcb0c97b13da0acffe09216

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
Size

58KB
MD5

5ead2a024b88bbb4b37cd50501b77b7f
SHA1

1a632cff4a5f1b469d8a5b3b5402d96e750215b0
SHA256

4dddfd8d5d0a097700ec211ed5ff49ae6dc0426f1dcb0c97b13da0acffe09216
SHA512

10e6f160f7821b24f6f0257507c957c39b16397844ef94dc1cc45463a6a3e018b3f7999952ab86396909e7a69cc93c56204cd4537625838e0217673c8390120a
SSDEEP

1536:PNeRBl5PT/rx1mzwRMSTdLpJ5lE9qc+YvHSSP9:PQRrmzwR5JnEpZP9

Score

10^/10

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>PIRATES</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #B5CC8E; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>Your data is encrypted and downloaded!</div> </div> <div class='bold'>Unlocking your data is possible only with our software.</div> <div class='bold'>Important! An attempt to decrypt it yourself or decrypt it with third-party software will result in the loss of your data forever.</div> <div class='bold'>Contacting intermediary companies, recovery companies will create the risk of losing your data forever or being deceived by these companies. Being deceived is your responsibility! Learn the experience on the forums.</div> <div class='note info'> <div class='title'>Downloaded data of your company</div> <ul> <li>Data leakage is a serious violation of the law. Don't worry, the incident will remain a secret, the data is protected.</li> <li>After the transaction is completed, all data downloaded from you will be deleted from our resources. Government agencies, competitors, contractors and local media not aware of the incident.</li> <li>Also, we guarantee that your company's personal data will not be sold on DArkWeb resources and will not be used to attack your company, employees and counterparties in the future.</li> <li>If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed. Your data will be sent to all interested parties. This is your responsibility.</li> </ul> </div> <div class='note info'> <div class='title'>Contact us</div> <ul> <li>Write us to the e-mail: <span class='mark'>[email protected]</span></li> <li>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></li> <li>Write this ID in the title of your message <span class='mark'>4E3D5D49-3506</span></li> <li>If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed. Your data will be sent to all interested parties. This is your responsibility.</li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></li>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3216	bcdedit.exe
2300	bcdedit.exe
2044	bcdedit.exe
464	bcdedit.exe

Renames multiple (525) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4368	wbadmin.exe
2848	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
924	netsh.exe
1512	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202405315ead2a024b88bbb4b37cd50501b77b7fphobos = "C:\\Users\\Admin\\AppData\\Local\\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe"	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202405315ead2a024b88bbb4b37cd50501b77b7fphobos = "C:\\Users\\Admin\\AppData\\Local\\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe"	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-100.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\3DViewerProductDescription-universal.xml	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\PREVIEW.GIF	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\logo.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\ui-strings.js.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-100.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\THEMES.INF.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram_Lines.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected]	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\SearchEmail.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLL.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30_altform-unplated.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-200.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-200.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\StoreLogo.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-200.png	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\ui-strings.js	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\rename.svg	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.id[4E3D5D49-3506].[[email protected]].Lexus	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2224	vssadmin.exe
4508	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
Token: SeBackupPrivilege	440	vssvc.exe
Token: SeRestorePrivilege	440	vssvc.exe
Token: SeAuditPrivilege	440	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeBackupPrivilege	296	wbengine.exe
Token: SeRestorePrivilege	296	wbengine.exe
Token: SeSecurityPrivilege	296	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1436	WMIC.exe
Token: SeSecurityPrivilege	1436	WMIC.exe
Token: SeTakeOwnershipPrivilege	1436	WMIC.exe
Token: SeLoadDriverPrivilege	1436	WMIC.exe
Token: SeSystemProfilePrivilege	1436	WMIC.exe
Token: SeSystemtimePrivilege	1436	WMIC.exe
Token: SeProfSingleProcessPrivilege	1436	WMIC.exe
Token: SeIncBasePriorityPrivilege	1436	WMIC.exe
Token: SeCreatePagefilePrivilege	1436	WMIC.exe
Token: SeBackupPrivilege	1436	WMIC.exe
Token: SeRestorePrivilege	1436	WMIC.exe
Token: SeShutdownPrivilege	1436	WMIC.exe
Token: SeDebugPrivilege	1436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1436	WMIC.exe
Token: SeRemoteShutdownPrivilege	1436	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 956	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	86
PID 3324 wrote to memory of 956	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	86
PID 3324 wrote to memory of 1936	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	87
PID 3324 wrote to memory of 1936	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	87
PID 1936 wrote to memory of 924	1936	cmd.exe	90
PID 1936 wrote to memory of 924	1936	cmd.exe	90
PID 956 wrote to memory of 2224	956	cmd.exe	91
PID 956 wrote to memory of 2224	956	cmd.exe	91
PID 1936 wrote to memory of 1512	1936	cmd.exe	95
PID 1936 wrote to memory of 1512	1936	cmd.exe	95
PID 956 wrote to memory of 3332	956	cmd.exe	96
PID 956 wrote to memory of 3332	956	cmd.exe	96
PID 956 wrote to memory of 3216	956	cmd.exe	97
PID 956 wrote to memory of 3216	956	cmd.exe	97
PID 956 wrote to memory of 2300	956	cmd.exe	98
PID 956 wrote to memory of 2300	956	cmd.exe	98
PID 956 wrote to memory of 4368	956	cmd.exe	99
PID 956 wrote to memory of 4368	956	cmd.exe	99
PID 3324 wrote to memory of 4944	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	107
PID 3324 wrote to memory of 4944	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	107
PID 3324 wrote to memory of 4944	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	107
PID 3324 wrote to memory of 1212	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	108
PID 3324 wrote to memory of 1212	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	108
PID 3324 wrote to memory of 1212	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	108
PID 3324 wrote to memory of 1344	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	109
PID 3324 wrote to memory of 1344	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	109
PID 3324 wrote to memory of 1344	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	109
PID 3324 wrote to memory of 3544	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	110
PID 3324 wrote to memory of 3544	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	110
PID 3324 wrote to memory of 3544	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	110
PID 3324 wrote to memory of 3472	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	111
PID 3324 wrote to memory of 3472	3324	202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe	111
PID 3472 wrote to memory of 4508	3472	cmd.exe	113
PID 3472 wrote to memory of 4508	3472	cmd.exe	113
PID 3472 wrote to memory of 1436	3472	cmd.exe	114
PID 3472 wrote to memory of 1436	3472	cmd.exe	114
PID 3472 wrote to memory of 2044	3472	cmd.exe	115
PID 3472 wrote to memory of 2044	3472	cmd.exe	115
PID 3472 wrote to memory of 464	3472	cmd.exe	116
PID 3472 wrote to memory of 464	3472	cmd.exe	116
PID 3472 wrote to memory of 2848	3472	cmd.exe	117
PID 3472 wrote to memory of 2848	3472	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
"C:\Users\Admin\AppData\Local\Temp\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe
  "C:\Users\Admin\AppData\Local\Temp\202405315ead2a024b88bbb4b37cd50501b77b7fphobos.exe"
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3216
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2300
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4368
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:924
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1512
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:4944
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1212
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1344
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3544
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2044
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:464
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[4E3D5D49-3506].[[email protected]].Lexus

Filesize
2.7MB

MD5
932f2afe352491182a6e3f5820d032ed

SHA1
58e59d8998165ef9c72ef0d6931b27a981738be7

SHA256
6a45d873925595e984a6a3fbd9cc40539bfea50de5c03949263413138968771a

SHA512
cd82fb1308c20caea260a7241b5d680a473067aaddb7de2fb408e3e7c00d2aaf9146cc22ec044485e52aeb35bf4a635fcbfe96439847eef127ba7f8f15121e58

Download Submit
C:\info.hta

Filesize
5KB

MD5
77a2996399d20c4650e2986f885d514d

SHA1
525d8a50139653cfa8e3c2200a6081c6429fec0f

SHA256
2f4005841554e62c8d0935da683bb84b16528f3f4ccb1291f718d8150b51eb82

SHA512
182e146e97df17df7050da35d0434c3d6e03aef9b5986fd441e5e16cfb5e39b83316dbc010ad545af70f26a54c8705c5e74817b3e809fe5ea7a51c45f37686c6

Download Submit