Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/07/2024, 09:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe
Resource
win7-20240221-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe
-
Size
57KB
-
MD5
5ec053bc341fb1b3504bd95b1bba7d71
-
SHA1
96bf10b3a9551f2812c1a0dff058c0229d71c5e7
-
SHA256
8f8d76d157e5e4dbd7210cb19ce27b3734147c430a534143c97b90c1f5e35249
-
SHA512
9066da52a37b164e8a75573ed289fb8b17539ad46a3f805fcd0e684dddcda6862744b371c6750f326c1aa138931e3e5c9d6b1a2849d3d2c98e6bbd76e50593cd
-
SSDEEP
768:uvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EyZ1nyqkShh/o:gNeRBl5PT/rx1mzwRMSTdLpJyZ1He9b
Malware Config
Extracted
Path
C:\Users\Public\Desktop\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>!!!Attention!!! All your files have been encrypted and downloaded to our servers.</div>
<div>Payment is made only in bitcoins.</div>
<div>Do not under any conditions refer to third parties for assistance. Their decryption of your files will increase the price because they add their fees to ours (no one but us can decrypt your data) or you may be a victims of fraud.</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>91A2998C-3333</span></div>
<div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div>
<div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='title'>Jabber client installation instructions:</div>
<div class='note info'>
<ul>
<li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li>
<li>After installation, the Pidgin client will prompt you to create a new account.</li>
<li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li>
<li>In "Username" - come up with any name</li>
<li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li>
<li>Create a password</li><li>At the bottom, put a tick "Create account"</li>
<li>Click add</li>
<li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li>
<ul>
<li>User</li>
<li>password</li>
<li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li>
</ul>
<li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span></div>
class='mark'>[email protected]</span>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 2968 bcdedit.exe 856 bcdedit.exe 2748 bcdedit.exe 3056 bcdedit.exe -
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 284 wbadmin.exe 384 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2736 netsh.exe 2368 netsh.exe -
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Links\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Documents\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87XXOISN\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HKGE1S7K\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Music\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6QIBR00Y\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O29M4VT2\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Videos\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXU0E4DR\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQ9N4B3U\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Users\Admin\Music\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\penkor.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0215086.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Mozilla Firefox\firefox.cfg.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\7-Zip\Lang\co.txt.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\MIMEDIR.DLL.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_F_COL.HXK.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\7-Zip\Lang\lt.txt.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OneNoteSyncPCIntl.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.id[91A2998C-3333].[[email protected]].faust 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2456 vssadmin.exe 552 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe Token: SeBackupPrivilege 1892 vssvc.exe Token: SeRestorePrivilege 1892 vssvc.exe Token: SeAuditPrivilege 1892 vssvc.exe Token: SeIncreaseQuotaPrivilege 2128 WMIC.exe Token: SeSecurityPrivilege 2128 WMIC.exe Token: SeTakeOwnershipPrivilege 2128 WMIC.exe Token: SeLoadDriverPrivilege 2128 WMIC.exe Token: SeSystemProfilePrivilege 2128 WMIC.exe Token: SeSystemtimePrivilege 2128 WMIC.exe Token: SeProfSingleProcessPrivilege 2128 WMIC.exe Token: SeIncBasePriorityPrivilege 2128 WMIC.exe Token: SeCreatePagefilePrivilege 2128 WMIC.exe Token: SeBackupPrivilege 2128 WMIC.exe Token: SeRestorePrivilege 2128 WMIC.exe Token: SeShutdownPrivilege 2128 WMIC.exe Token: SeDebugPrivilege 2128 WMIC.exe Token: SeSystemEnvironmentPrivilege 2128 WMIC.exe Token: SeRemoteShutdownPrivilege 2128 WMIC.exe Token: SeUndockPrivilege 2128 WMIC.exe Token: SeManageVolumePrivilege 2128 WMIC.exe Token: 33 2128 WMIC.exe Token: 34 2128 WMIC.exe Token: 35 2128 WMIC.exe Token: SeIncreaseQuotaPrivilege 2128 WMIC.exe Token: SeSecurityPrivilege 2128 WMIC.exe Token: SeTakeOwnershipPrivilege 2128 WMIC.exe Token: SeLoadDriverPrivilege 2128 WMIC.exe Token: SeSystemProfilePrivilege 2128 WMIC.exe Token: SeSystemtimePrivilege 2128 WMIC.exe Token: SeProfSingleProcessPrivilege 2128 WMIC.exe Token: SeIncBasePriorityPrivilege 2128 WMIC.exe Token: SeCreatePagefilePrivilege 2128 WMIC.exe Token: SeBackupPrivilege 2128 WMIC.exe Token: SeRestorePrivilege 2128 WMIC.exe Token: SeShutdownPrivilege 2128 WMIC.exe Token: SeDebugPrivilege 2128 WMIC.exe Token: SeSystemEnvironmentPrivilege 2128 WMIC.exe Token: SeRemoteShutdownPrivilege 2128 WMIC.exe Token: SeUndockPrivilege 2128 WMIC.exe Token: SeManageVolumePrivilege 2128 WMIC.exe Token: 33 2128 WMIC.exe Token: 34 2128 WMIC.exe Token: 35 2128 WMIC.exe Token: SeBackupPrivilege 956 wbengine.exe Token: SeRestorePrivilege 956 wbengine.exe Token: SeSecurityPrivilege 956 wbengine.exe Token: SeIncreaseQuotaPrivilege 2344 WMIC.exe Token: SeSecurityPrivilege 2344 WMIC.exe Token: SeTakeOwnershipPrivilege 2344 WMIC.exe Token: SeLoadDriverPrivilege 2344 WMIC.exe Token: SeSystemProfilePrivilege 2344 WMIC.exe Token: SeSystemtimePrivilege 2344 WMIC.exe Token: SeProfSingleProcessPrivilege 2344 WMIC.exe Token: SeIncBasePriorityPrivilege 2344 WMIC.exe Token: SeCreatePagefilePrivilege 2344 WMIC.exe Token: SeBackupPrivilege 2344 WMIC.exe Token: SeRestorePrivilege 2344 WMIC.exe Token: SeShutdownPrivilege 2344 WMIC.exe Token: SeDebugPrivilege 2344 WMIC.exe Token: SeSystemEnvironmentPrivilege 2344 WMIC.exe Token: SeRemoteShutdownPrivilege 2344 WMIC.exe Token: SeUndockPrivilege 2344 WMIC.exe Token: SeManageVolumePrivilege 2344 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 2960 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 29 PID 1660 wrote to memory of 2960 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 29 PID 1660 wrote to memory of 2960 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 29 PID 1660 wrote to memory of 2960 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 29 PID 1660 wrote to memory of 2628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 30 PID 1660 wrote to memory of 2628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 30 PID 1660 wrote to memory of 2628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 30 PID 1660 wrote to memory of 2628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 30 PID 2960 wrote to memory of 2736 2960 cmd.exe 33 PID 2960 wrote to memory of 2736 2960 cmd.exe 33 PID 2960 wrote to memory of 2736 2960 cmd.exe 33 PID 2628 wrote to memory of 2456 2628 cmd.exe 34 PID 2628 wrote to memory of 2456 2628 cmd.exe 34 PID 2628 wrote to memory of 2456 2628 cmd.exe 34 PID 2960 wrote to memory of 2368 2960 cmd.exe 36 PID 2960 wrote to memory of 2368 2960 cmd.exe 36 PID 2960 wrote to memory of 2368 2960 cmd.exe 36 PID 2628 wrote to memory of 2128 2628 cmd.exe 38 PID 2628 wrote to memory of 2128 2628 cmd.exe 38 PID 2628 wrote to memory of 2128 2628 cmd.exe 38 PID 2628 wrote to memory of 2968 2628 cmd.exe 40 PID 2628 wrote to memory of 2968 2628 cmd.exe 40 PID 2628 wrote to memory of 2968 2628 cmd.exe 40 PID 2628 wrote to memory of 856 2628 cmd.exe 41 PID 2628 wrote to memory of 856 2628 cmd.exe 41 PID 2628 wrote to memory of 856 2628 cmd.exe 41 PID 2628 wrote to memory of 284 2628 cmd.exe 42 PID 2628 wrote to memory of 284 2628 cmd.exe 42 PID 2628 wrote to memory of 284 2628 cmd.exe 42 PID 1660 wrote to memory of 312 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 47 PID 1660 wrote to memory of 312 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 47 PID 1660 wrote to memory of 312 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 47 PID 1660 wrote to memory of 312 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 47 PID 1660 wrote to memory of 2608 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 48 PID 1660 wrote to memory of 2608 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 48 PID 1660 wrote to memory of 2608 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 48 PID 1660 wrote to memory of 2608 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 48 PID 1660 wrote to memory of 2128 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 50 PID 1660 wrote to memory of 2128 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 50 PID 1660 wrote to memory of 2128 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 50 PID 1660 wrote to memory of 2128 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 50 PID 1660 wrote to memory of 1600 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 51 PID 1660 wrote to memory of 1600 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 51 PID 1660 wrote to memory of 1600 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 51 PID 1660 wrote to memory of 1600 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 51 PID 1660 wrote to memory of 1628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 52 PID 1660 wrote to memory of 1628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 52 PID 1660 wrote to memory of 1628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 52 PID 1660 wrote to memory of 1628 1660 202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe 52 PID 1628 wrote to memory of 552 1628 cmd.exe 54 PID 1628 wrote to memory of 552 1628 cmd.exe 54 PID 1628 wrote to memory of 552 1628 cmd.exe 54 PID 1628 wrote to memory of 2344 1628 cmd.exe 55 PID 1628 wrote to memory of 2344 1628 cmd.exe 55 PID 1628 wrote to memory of 2344 1628 cmd.exe 55 PID 1628 wrote to memory of 2748 1628 cmd.exe 56 PID 1628 wrote to memory of 2748 1628 cmd.exe 56 PID 1628 wrote to memory of 2748 1628 cmd.exe 56 PID 1628 wrote to memory of 3056 1628 cmd.exe 57 PID 1628 wrote to memory of 3056 1628 cmd.exe 57 PID 1628 wrote to memory of 3056 1628 cmd.exe 57 PID 1628 wrote to memory of 384 1628 cmd.exe 58 PID 1628 wrote to memory of 384 1628 cmd.exe 58 PID 1628 wrote to memory of 384 1628 cmd.exe 58 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"2⤵PID:2668
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2736
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2368
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2456
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2968
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:856
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:284
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:312
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2608
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2128
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:1600
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:552
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2748
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3056
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:384
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:956
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2056
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2076
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[91A2998C-3333].[[email protected]].faust
Filesize6.3MB
MD5f17327cd87f0e22af1d7b953b3896744
SHA1722a11ff79e421697ee4a97243c8a1c63df2d8e4
SHA256feffd27d0e1fc456dc2847b7ad67b2e983d247200f9687e92c6814b0d39b116e
SHA512abc224ec295cc39ddba6f84956a63d46d46870f09b1b5d3d00007192e2122d4264ae086127d12694a489b62afcb910ed5895d59ee4aafc2a497895edb093ddef
-
Filesize
6KB
MD541ae04bcdddd2e64098f1b9846ca7aa5
SHA1b038e5ce049c234b40c74602244365ba69983ff3
SHA2562d4c1f0a587e44698a88c172c4a3b012b8a9406321ce1bbcff34707a7a7819fc
SHA512383e16168eb6dc2dc37f3bdcf9372fc11fbd607cf582c3cbc1f3049ba69fd729cdbe52d6ea1fada22b03b9def7b30de51f1a9e089679cfb705e99590f88b91e6