Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 12:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe
Resource
win7-20240729-en
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe
Resource
win10v2004-20241007-en
phobosdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe
-
Size
76KB
-
MD5
9f266fdde8035a4dda5edfd835f57915
-
SHA1
b6192ee9c381111cd4cb879e738d9e1781d8a079
-
SHA256
5b597aa9b71965d37b0e6835d8a014e3917ed4758506ce32e52f78196f8852d7
-
SHA512
7f39e1defb986a592e57afc7118e8fa1a10ac1f6bedf152c8e6b705e36735038a4e014bdba60d5684c4ab67547c7923d190e5c4aa5a30a11a2d8ace35c52347e
-
SSDEEP
1536:wPgGB2xAiABz7T43MSTdQluUV2CU+tqRnq9kDIuKt:wWuv7QMuY1DtqRPDlK
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted. If you want to restore them, write to us by e-mail: <span class='mark'>[email protected]</span></div>
<div class='bold'>Write this ID in the title of your message: <span class='mark'>402087EE-3240</span></div>
<div class='bold'>To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: <span class='mark'>[email protected] and [email protected]</span></div>
<div class='bold'>For quick and convenient feedback, write to the online operator in the Wire messenger: <span class='mark'>@sewzok</span></div>
<div class='bold'>(The username of the Wire account must be exactly the same as above,beware of fake accounts.)</div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption!</li>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third-party software, as this may result in irreversible data loss.</li>
<li>Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return.</li>
<li>!!! When contacting third parties, we do not give a guarantee for decryption of your files !!!</li>
</ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
</body>
</html>
Emails
class='mark'>[email protected]</span></div>
class='mark'>[email protected]
[email protected]</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Phobos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 1584 bcdedit.exe 2916 bcdedit.exe 2140 bcdedit.exe 2196 bcdedit.exe -
Renames multiple (309) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2812 wbadmin.exe 1568 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2764 netsh.exe 1528 netsh.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe" 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe" 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Videos\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Links\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Music\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Documents\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jre7\lib\calendars.properties.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\DVD Maker\bod_r.TTF 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime.css 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Mozilla Firefox\xul.dll.sig 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCESS12.ACC 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00076_.WMF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File created C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.id[402087EE-3240].[[email protected]].eking 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_it.dll 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2736 vssadmin.exe 2332 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe Token: SeBackupPrivilege 2472 vssvc.exe Token: SeRestorePrivilege 2472 vssvc.exe Token: SeAuditPrivilege 2472 vssvc.exe Token: SeIncreaseQuotaPrivilege 2248 WMIC.exe Token: SeSecurityPrivilege 2248 WMIC.exe Token: SeTakeOwnershipPrivilege 2248 WMIC.exe Token: SeLoadDriverPrivilege 2248 WMIC.exe Token: SeSystemProfilePrivilege 2248 WMIC.exe Token: SeSystemtimePrivilege 2248 WMIC.exe Token: SeProfSingleProcessPrivilege 2248 WMIC.exe Token: SeIncBasePriorityPrivilege 2248 WMIC.exe Token: SeCreatePagefilePrivilege 2248 WMIC.exe Token: SeBackupPrivilege 2248 WMIC.exe Token: SeRestorePrivilege 2248 WMIC.exe Token: SeShutdownPrivilege 2248 WMIC.exe Token: SeDebugPrivilege 2248 WMIC.exe Token: SeSystemEnvironmentPrivilege 2248 WMIC.exe Token: SeRemoteShutdownPrivilege 2248 WMIC.exe Token: SeUndockPrivilege 2248 WMIC.exe Token: SeManageVolumePrivilege 2248 WMIC.exe Token: 33 2248 WMIC.exe Token: 34 2248 WMIC.exe Token: 35 2248 WMIC.exe Token: SeIncreaseQuotaPrivilege 2248 WMIC.exe Token: SeSecurityPrivilege 2248 WMIC.exe Token: SeTakeOwnershipPrivilege 2248 WMIC.exe Token: SeLoadDriverPrivilege 2248 WMIC.exe Token: SeSystemProfilePrivilege 2248 WMIC.exe Token: SeSystemtimePrivilege 2248 WMIC.exe Token: SeProfSingleProcessPrivilege 2248 WMIC.exe Token: SeIncBasePriorityPrivilege 2248 WMIC.exe Token: SeCreatePagefilePrivilege 2248 WMIC.exe Token: SeBackupPrivilege 2248 WMIC.exe Token: SeRestorePrivilege 2248 WMIC.exe Token: SeShutdownPrivilege 2248 WMIC.exe Token: SeDebugPrivilege 2248 WMIC.exe Token: SeSystemEnvironmentPrivilege 2248 WMIC.exe Token: SeRemoteShutdownPrivilege 2248 WMIC.exe Token: SeUndockPrivilege 2248 WMIC.exe Token: SeManageVolumePrivilege 2248 WMIC.exe Token: 33 2248 WMIC.exe Token: 34 2248 WMIC.exe Token: 35 2248 WMIC.exe Token: SeBackupPrivilege 1808 wbengine.exe Token: SeRestorePrivilege 1808 wbengine.exe Token: SeSecurityPrivilege 1808 wbengine.exe Token: SeIncreaseQuotaPrivilege 2840 WMIC.exe Token: SeSecurityPrivilege 2840 WMIC.exe Token: SeTakeOwnershipPrivilege 2840 WMIC.exe Token: SeLoadDriverPrivilege 2840 WMIC.exe Token: SeSystemProfilePrivilege 2840 WMIC.exe Token: SeSystemtimePrivilege 2840 WMIC.exe Token: SeProfSingleProcessPrivilege 2840 WMIC.exe Token: SeIncBasePriorityPrivilege 2840 WMIC.exe Token: SeCreatePagefilePrivilege 2840 WMIC.exe Token: SeBackupPrivilege 2840 WMIC.exe Token: SeRestorePrivilege 2840 WMIC.exe Token: SeShutdownPrivilege 2840 WMIC.exe Token: SeDebugPrivilege 2840 WMIC.exe Token: SeSystemEnvironmentPrivilege 2840 WMIC.exe Token: SeRemoteShutdownPrivilege 2840 WMIC.exe Token: SeUndockPrivilege 2840 WMIC.exe Token: SeManageVolumePrivilege 2840 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 328 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 32 PID 1744 wrote to memory of 328 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 32 PID 1744 wrote to memory of 328 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 32 PID 1744 wrote to memory of 328 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 32 PID 1744 wrote to memory of 2520 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 33 PID 1744 wrote to memory of 2520 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 33 PID 1744 wrote to memory of 2520 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 33 PID 1744 wrote to memory of 2520 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 33 PID 2520 wrote to memory of 2736 2520 cmd.exe 36 PID 2520 wrote to memory of 2736 2520 cmd.exe 36 PID 2520 wrote to memory of 2736 2520 cmd.exe 36 PID 328 wrote to memory of 2764 328 cmd.exe 37 PID 328 wrote to memory of 2764 328 cmd.exe 37 PID 328 wrote to memory of 2764 328 cmd.exe 37 PID 328 wrote to memory of 1528 328 cmd.exe 39 PID 328 wrote to memory of 1528 328 cmd.exe 39 PID 328 wrote to memory of 1528 328 cmd.exe 39 PID 2520 wrote to memory of 2248 2520 cmd.exe 41 PID 2520 wrote to memory of 2248 2520 cmd.exe 41 PID 2520 wrote to memory of 2248 2520 cmd.exe 41 PID 2520 wrote to memory of 1584 2520 cmd.exe 43 PID 2520 wrote to memory of 1584 2520 cmd.exe 43 PID 2520 wrote to memory of 1584 2520 cmd.exe 43 PID 2520 wrote to memory of 2916 2520 cmd.exe 44 PID 2520 wrote to memory of 2916 2520 cmd.exe 44 PID 2520 wrote to memory of 2916 2520 cmd.exe 44 PID 2520 wrote to memory of 2812 2520 cmd.exe 45 PID 2520 wrote to memory of 2812 2520 cmd.exe 45 PID 2520 wrote to memory of 2812 2520 cmd.exe 45 PID 1744 wrote to memory of 3048 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 51 PID 1744 wrote to memory of 3048 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 51 PID 1744 wrote to memory of 3048 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 51 PID 1744 wrote to memory of 3048 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 51 PID 1744 wrote to memory of 2456 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 52 PID 1744 wrote to memory of 2456 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 52 PID 1744 wrote to memory of 2456 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 52 PID 1744 wrote to memory of 2456 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 52 PID 1744 wrote to memory of 2320 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 53 PID 1744 wrote to memory of 2320 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 53 PID 1744 wrote to memory of 2320 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 53 PID 1744 wrote to memory of 2320 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 53 PID 1744 wrote to memory of 2988 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 54 PID 1744 wrote to memory of 2988 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 54 PID 1744 wrote to memory of 2988 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 54 PID 1744 wrote to memory of 2988 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 54 PID 1744 wrote to memory of 2808 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 55 PID 1744 wrote to memory of 2808 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 55 PID 1744 wrote to memory of 2808 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 55 PID 1744 wrote to memory of 2808 1744 2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe 55 PID 2808 wrote to memory of 2332 2808 cmd.exe 57 PID 2808 wrote to memory of 2332 2808 cmd.exe 57 PID 2808 wrote to memory of 2332 2808 cmd.exe 57 PID 2808 wrote to memory of 2840 2808 cmd.exe 58 PID 2808 wrote to memory of 2840 2808 cmd.exe 58 PID 2808 wrote to memory of 2840 2808 cmd.exe 58 PID 2808 wrote to memory of 2140 2808 cmd.exe 59 PID 2808 wrote to memory of 2140 2808 cmd.exe 59 PID 2808 wrote to memory of 2140 2808 cmd.exe 59 PID 2808 wrote to memory of 2196 2808 cmd.exe 60 PID 2808 wrote to memory of 2196 2808 cmd.exe 60 PID 2808 wrote to memory of 2196 2808 cmd.exe 60 PID 2808 wrote to memory of 1568 2808 cmd.exe 61 PID 2808 wrote to memory of 1568 2808 cmd.exe 61 PID 2808 wrote to memory of 1568 2808 cmd.exe 61 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-23_9f266fdde8035a4dda5edfd835f57915_phobos.exe"2⤵PID:2684
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2764
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1528
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2736
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:1584
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2916
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2812
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:3048
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2456
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2320
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2988
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2332
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2140
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2196
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1568
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2016
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2920
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5997057257ab829ec9d040a58c86c7745
SHA1cd80d82b8558d13ee4377277eb4e8fb1fdf9e7b7
SHA2566dfec93aacb0b5ffde395b8074ae51c315ac07c37d9ace1d174039bdd79a9230
SHA51248d5151aba9ae22e1b0ba471b0e55b874c37337bd0c45e6d8cbefcf5b6c3e85acce01599609b5fd0b72aec1729adb1602da09e98799e3b364eb81035ecc79767