Malware Analysis Report

2024-09-11 00:56

Sample ID 240606-q1vxnsfg92
Target phobos3.exe
SHA256 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46
Tags
phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46

Threat Level: Known bad

The file phobos3.exe was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (311) files with added filename extension

Renames multiple (514) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies registry class

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:44

Reported

2024-06-06 13:47

Platform

win7-20240221-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (311) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\phobos3.exe | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos3 = "C:\\Users\\Admin\\AppData\\Local\\phobos3.exe" | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\phobos3 = "C:\\Users\\Admin\\AppData\\Local\\phobos3.exe" | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQ9N4B3U\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O29M4VT2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXU0E4DR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYXNIRQN\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HKGE1S7K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87XXOISN\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Games\Mahjong\desktop.ini.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3 | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00116_.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00272_.WMF.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCOLKI.DLL.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\hxdsui.dll.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNL.ICO.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\jce.jar | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151055.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\release | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DOTS.POC.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3 | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\instrument.dll | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF.id[50F46D4A-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\phobos3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2872 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1752 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2872 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2872 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2872 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2872 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2872 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2872 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2872 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2880 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 560 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 560 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 560 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 560 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 560 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 560 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 560 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 560 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 560 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\phobos3.exe

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

C:\Users\Admin\AppData\Local\Temp\phobos3.exe

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[50F46D4A-2803].[[email protected]].eight

MD5 f9b6a9fdebc4460616311d9c7ae4ac29
SHA1 00cc46196ac0f39eaff7107c9123406834720c4c
SHA256 76dd1f0418b69496639ee9247223d9061494ffd854e8529a14a358a5a2eaff2f
SHA512 c2a919ac42f7961a2f2aed9367c0392c9ff798374fe9aff7594c2e17c3972978b1d2b97fe36c436195b65e3d272de3a07da8b2f05755eafe47c94edc595d9c6f

C:\info.hta

MD5 21cc645012421337571c4cb17bde1efd
SHA1 1ea6246f6ee14d57e19552438bde37a3ec1bb58f
SHA256 e9092c0c489eb7bc685fe3a0719ba84e7945f7964c5a3856958203fe9e4671db
SHA512 d5957f7ea21fb228eb374f67bcd59b2ac3bfbc8e266f96bdfadddb3b7b5dd1c93f5c0887d20ee6bc7674b9db2d73a18df624bfdf6ef999bdd0b714559ee23c74

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:44

Reported

2024-06-06 13:47

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (514) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\phobos3.exe C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos3 = "C:\\Users\\Admin\\AppData\\Local\\phobos3.exe" C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos3 = "C:\\Users\\Admin\\AppData\\Local\\phobos3.exe" C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationSensorCalibrationFigure.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.ViewElements.winmd C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.ttf C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\ResetPush.DVR.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hi.pak C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Numerics.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-80.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.id[9B01C199-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1896 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 876 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1896 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1896 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1896 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1896 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1896 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1896 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1896 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1896 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3952 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\SysWOW64\mshta.exe
PID 3952 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\phobos3.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2396 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2396 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2396 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2396 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2396 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2396 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2396 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\phobos3.exe

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

C:\Users\Admin\AppData\Local\Temp\phobos3.exe

"C:\Users\Admin\AppData\Local\Temp\phobos3.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[9B01C199-2803].[[email protected]].eight

MD5 dad00cf3bb81fcb7b376998f13a46d45
SHA1 8f0d7154982278f0b97e31a08301de291252317d
SHA256 97ef6af1718f2066bb4400e7399c064352725acda7041cf5e6019e16522305cb
SHA512 49bb1812d930b8d0a641932356941de9c0d25b304b260ac44cbd87b89828ccd2a36d5df3d1be5ea0bf48d175ef41db4023ce08268ce38f28859caeaeac43b886

C:\info.hta

MD5 0a4bf7f15d2ddfca27632f29edbe2f74
SHA1 21b94e36e47a3e27752878c91d87d244470b30b9
SHA256 e2864fc1dd027bee41d385568133d23e3a2b51a453ab3140eb73c28dc5df5118
SHA512 f15263e4e3a2bc735eb8634e941d3dcf70897dde0b43dab87b5e4b38ca8cb134967d823b3998280cfb6115066d3b8d122670a6595e63fb992e8d3d62dd28d793