Analysis
-
max time kernel
101s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2025, 21:55 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z
Resource
win10v2004-20250314-en
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
windows10-2004-x64
32 signatures
300 seconds
General
-
Target
HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z
-
Size
35KB
-
MD5
8e6f83b06c6c010293b8b798102bed1f
-
SHA1
1c84da8f9bd35cc60bb0e826cf312ba9c7c372b4
-
SHA256
27aebbda43b8e6e72b1f305b912ca4a506401d9462baf60bc30ce35852984f70
-
SHA512
9aae2d3e1f54add6bda63828dfbc48d6ad85f0e31345e3638d47715dab9b84df4b4f6e187f8578d40c6af78738db37857bf15ffbe7c7895d2cac1aae028f9f25
-
SSDEEP
768:1Upgmy0MS3BZYdStnK6gBZ918LXT9spwzcwR2NcmbFimd9SLFYnbzkgwKU5dIBHx:1UimBuu/gB0JsBzNcOj9SLF1f1St
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: <span class='mark'>Resp0nse1999@tutanota.com</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>7B1DB1F7-2930</span></div>
<div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>Resp0nse19999@tutanota.com</span></div>
<div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/Resp0nse'>@Resp0nse</a></span>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>Resp0nse1999@tutanota.com</span></div>
class='mark'>Resp0nse19999@tutanota.com</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Phobos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 3320 bcdedit.exe 1988 bcdedit.exe 4024 bcdedit.exe 5812 bcdedit.exe -
Renames multiple (785) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 684 wbadmin.exe 4452 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1500 netsh.exe 6016 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Executes dropped EXE 2 IoCs
pid Process 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4996 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1 = "C:\\Users\\Admin\\AppData\\Local\\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe" HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1 = "C:\\Users\\Admin\\AppData\\Local\\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe" HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Videos\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Music\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\Links\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Advertising.DATA HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_contrast-white.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\edge_game_assist\EdgeGameAssist.msix.DATA.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Java\jre-1.8\lib\javaws.jar.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-125.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-125.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\pa.pak.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\v8_context_snapshot.bin HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_gd.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-150.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-80_contrast-black.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ta.pak HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sk_get.svg.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerBackgroundTasks.winmd HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2628 vssadmin.exe 3820 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2348 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4872 taskmgr.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2340 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2340 7zFM.exe Token: 35 2340 7zFM.exe Token: SeSecurityPrivilege 2340 7zFM.exe Token: SeDebugPrivilege 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe Token: SeBackupPrivilege 5724 vssvc.exe Token: SeRestorePrivilege 5724 vssvc.exe Token: SeAuditPrivilege 5724 vssvc.exe Token: SeIncreaseQuotaPrivilege 4112 WMIC.exe Token: SeSecurityPrivilege 4112 WMIC.exe Token: SeTakeOwnershipPrivilege 4112 WMIC.exe Token: SeLoadDriverPrivilege 4112 WMIC.exe Token: SeSystemProfilePrivilege 4112 WMIC.exe Token: SeSystemtimePrivilege 4112 WMIC.exe Token: SeProfSingleProcessPrivilege 4112 WMIC.exe Token: SeIncBasePriorityPrivilege 4112 WMIC.exe Token: SeCreatePagefilePrivilege 4112 WMIC.exe Token: SeBackupPrivilege 4112 WMIC.exe Token: SeRestorePrivilege 4112 WMIC.exe Token: SeShutdownPrivilege 4112 WMIC.exe Token: SeDebugPrivilege 4112 WMIC.exe Token: SeSystemEnvironmentPrivilege 4112 WMIC.exe Token: SeRemoteShutdownPrivilege 4112 WMIC.exe Token: SeUndockPrivilege 4112 WMIC.exe Token: SeManageVolumePrivilege 4112 WMIC.exe Token: 33 4112 WMIC.exe Token: 34 4112 WMIC.exe Token: 35 4112 WMIC.exe Token: 36 4112 WMIC.exe Token: SeIncreaseQuotaPrivilege 4112 WMIC.exe Token: SeSecurityPrivilege 4112 WMIC.exe Token: SeTakeOwnershipPrivilege 4112 WMIC.exe Token: SeLoadDriverPrivilege 4112 WMIC.exe Token: SeSystemProfilePrivilege 4112 WMIC.exe Token: SeSystemtimePrivilege 4112 WMIC.exe Token: SeProfSingleProcessPrivilege 4112 WMIC.exe Token: SeIncBasePriorityPrivilege 4112 WMIC.exe Token: SeCreatePagefilePrivilege 4112 WMIC.exe Token: SeBackupPrivilege 4112 WMIC.exe Token: SeRestorePrivilege 4112 WMIC.exe Token: SeShutdownPrivilege 4112 WMIC.exe Token: SeDebugPrivilege 4112 WMIC.exe Token: SeSystemEnvironmentPrivilege 4112 WMIC.exe Token: SeRemoteShutdownPrivilege 4112 WMIC.exe Token: SeUndockPrivilege 4112 WMIC.exe Token: SeManageVolumePrivilege 4112 WMIC.exe Token: 33 4112 WMIC.exe Token: 34 4112 WMIC.exe Token: 35 4112 WMIC.exe Token: 36 4112 WMIC.exe Token: SeBackupPrivilege 5244 wbengine.exe Token: SeRestorePrivilege 5244 wbengine.exe Token: SeSecurityPrivilege 5244 wbengine.exe Token: SeDebugPrivilege 4872 taskmgr.exe Token: SeSystemProfilePrivilege 4872 taskmgr.exe Token: SeCreateGlobalPrivilege 4872 taskmgr.exe Token: SeIncreaseQuotaPrivilege 5476 WMIC.exe Token: SeSecurityPrivilege 5476 WMIC.exe Token: SeTakeOwnershipPrivilege 5476 WMIC.exe Token: SeLoadDriverPrivilege 5476 WMIC.exe Token: SeSystemProfilePrivilege 5476 WMIC.exe Token: SeSystemtimePrivilege 5476 WMIC.exe Token: SeProfSingleProcessPrivilege 5476 WMIC.exe Token: SeIncBasePriorityPrivilege 5476 WMIC.exe Token: SeCreatePagefilePrivilege 5476 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2340 7zFM.exe 2340 7zFM.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 4640 wrote to memory of 5924 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 95 PID 4640 wrote to memory of 5924 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 95 PID 4640 wrote to memory of 1496 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 94 PID 4640 wrote to memory of 1496 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 94 PID 5924 wrote to memory of 1500 5924 cmd.exe 98 PID 5924 wrote to memory of 1500 5924 cmd.exe 98 PID 1496 wrote to memory of 2628 1496 cmd.exe 99 PID 1496 wrote to memory of 2628 1496 cmd.exe 99 PID 5924 wrote to memory of 6016 5924 cmd.exe 103 PID 5924 wrote to memory of 6016 5924 cmd.exe 103 PID 1496 wrote to memory of 4112 1496 cmd.exe 104 PID 1496 wrote to memory of 4112 1496 cmd.exe 104 PID 1496 wrote to memory of 3320 1496 cmd.exe 106 PID 1496 wrote to memory of 3320 1496 cmd.exe 106 PID 1496 wrote to memory of 1988 1496 cmd.exe 107 PID 1496 wrote to memory of 1988 1496 cmd.exe 107 PID 1496 wrote to memory of 684 1496 cmd.exe 108 PID 1496 wrote to memory of 684 1496 cmd.exe 108 PID 4640 wrote to memory of 2820 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 117 PID 4640 wrote to memory of 2820 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 117 PID 4640 wrote to memory of 2820 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 117 PID 4640 wrote to memory of 2064 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 118 PID 4640 wrote to memory of 2064 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 118 PID 4640 wrote to memory of 2064 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 118 PID 4640 wrote to memory of 5948 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 119 PID 4640 wrote to memory of 5948 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 119 PID 4640 wrote to memory of 5948 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 119 PID 4640 wrote to memory of 1988 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 120 PID 4640 wrote to memory of 1988 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 120 PID 4640 wrote to memory of 1988 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 120 PID 4640 wrote to memory of 3244 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 121 PID 4640 wrote to memory of 3244 4640 HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe 121 PID 3244 wrote to memory of 3820 3244 cmd.exe 123 PID 3244 wrote to memory of 3820 3244 cmd.exe 123 PID 3244 wrote to memory of 5476 3244 cmd.exe 124 PID 3244 wrote to memory of 5476 3244 cmd.exe 124 PID 3244 wrote to memory of 4024 3244 cmd.exe 125 PID 3244 wrote to memory of 4024 3244 cmd.exe 125 PID 3244 wrote to memory of 5812 3244 cmd.exe 126 PID 3244 wrote to memory of 5812 3244 cmd.exe 126 PID 3244 wrote to memory of 4452 3244 cmd.exe 127 PID 3244 wrote to memory of 4452 3244 cmd.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2340
-
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"1⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"2⤵
- Executes dropped EXE
PID:4996
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2628
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3320
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1988
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:684
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5924 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1500
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6016
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:5948
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3820
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5476
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4024
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:5812
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:4452
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5724
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5244
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3468
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4952
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4872
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2348
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[7B1DB1F7-2930].[Resp0nse1999@tutanota.com].eking
Filesize2.7MB
MD5bb03cfbdebabd4a4d6a3877b8d804667
SHA1cc69eb5064258d85730c203fe16894eb88a43590
SHA2566b73c5e9c3ba3a29dd5013c1d7e32a28b9f78c61290496aaf68d6bc1007672b7
SHA5122036f2f0e2759a21c909d084549867cbd6529735724ef28388c29057b16c1582a8f8d0c65aa424190bcc9bf600270f28928ff5f2f34f462311f54bd9291c987a
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
Filesize55KB
MD53ada72cac8ab9b5578ae56fce08aac52
SHA1175d036720d40787c9d3614623f2f88381396a71
SHA256a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1
SHA5126551387585f3e7904e6a062123edb7b628bb7996ccb6c129c275728ec9ff76bce1287abe4b6f49d89d4f640f75251af0b7ca443cface087bb34f96203cd6e955
-
Filesize
268B
MD559103d781c92b08e00d9eacf5e381e23
SHA1dc254f359ef3b42c5617368323d2bfbf79c72f35
SHA256cbb2f848dee8d94628743e5758232ce2500274423cf699532d5918665db10099
SHA5128be870bf04abdd872d12a9d8c1f6eb6fcef97f4f5e81b05c83ae78107c54242e55d88b878f799fc849e7cf22ec92a40ee16b2d9ab95cd6c9baaa423274e87fe5
-
Filesize
5KB
MD5e0cc46e125ebaf2dc2c0ab07086be03c
SHA12e997e4d0fd915a86b39c3f3873a74f6b06d2e29
SHA256b7b20db038561830766b67da924beb6af4366402a462fbc7f1f80f50776e81a8
SHA5120d7c2c9d50d383b40d65761b12db992d74f4fd41dba76e19259e0799c483345a8d70bfc71cb99cbbe730128f107dfdb1035cf9b33f9d9f3e5b90a1b6a25f28e7