phobos | 510a354916e0b8e1c3df4ef4e4fde9bd9a37fdec85741378e5e195a7f5dc043b

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2025, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
Size

52KB
MD5

730f82bd103aa7199005757a5d68cee3
SHA1

936dad4266ee6c02de5fe0f2804cdd1fd5d76508
SHA256

510a354916e0b8e1c3df4ef4e4fde9bd9a37fdec85741378e5e195a7f5dc043b
SHA512

01c6fb60b0e6eb8f5659dc919245674b9e42b18ba6330b799bb2e2d3a02ad211aec5e02ed08a0252b7927f42290c05beb7ff8647c22f98d57b0a780e6781f975
SSDEEP

1536:kRvoU+XfE9ICf4t1OwruWiy70/aLNQdr:k6X89NfsjruWiyvLqZ

Score

10^/10

phobos credential_access defense_evasion discovery persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>D2A00513-1018</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Phobos family
phobos
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Renames multiple (784) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2760	netsh.exe
996	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 3 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Executes dropped EXE 2 IoCs

pid	Process
4816	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
2564	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos = "C:\\Users\\Admin\\AppData\\Local\\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe"	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos = "C:\\Users\\Admin\\AppData\\Local\\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe"	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\wordpad.exe.mui	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-200.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vccorlib140.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Utils.CX.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-150.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\mspdf.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-150.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\MSFT_PackageManagementSource.strings.psd1	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-white.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated_contrast-white.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload\preloaded_data.pb	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPMediaSharing.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-150.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\Microsoft.PowerShell.PSReadline.Resources.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-colorize.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.id[D2A00513-1018].[[email protected]].phoenix	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\avdevice-58_ms.dll	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d8.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 4604	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	96
PID 5328 wrote to memory of 4604	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	96
PID 4604 wrote to memory of 2760	4604	cmd.exe	98
PID 4604 wrote to memory of 2760	4604	cmd.exe	98
PID 4604 wrote to memory of 996	4604	cmd.exe	99
PID 4604 wrote to memory of 996	4604	cmd.exe	99
PID 4856 wrote to memory of 4816	4856	cmd.exe	105
PID 4856 wrote to memory of 4816	4856	cmd.exe	105
PID 4856 wrote to memory of 4816	4856	cmd.exe	105
PID 4980 wrote to memory of 2564	4980	cmd.exe	106
PID 4980 wrote to memory of 2564	4980	cmd.exe	106
PID 4980 wrote to memory of 2564	4980	cmd.exe	106
PID 5328 wrote to memory of 3000	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	112
PID 5328 wrote to memory of 3000	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	112
PID 5328 wrote to memory of 3000	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	112
PID 5328 wrote to memory of 2548	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	113
PID 5328 wrote to memory of 2548	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	113
PID 5328 wrote to memory of 2548	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	113
PID 5328 wrote to memory of 3136	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	114
PID 5328 wrote to memory of 3136	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	114
PID 5328 wrote to memory of 3136	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	114
PID 5328 wrote to memory of 4588	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	115
PID 5328 wrote to memory of 4588	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	115
PID 5328 wrote to memory of 4588	5328	2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Local\Temp\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe"
  2⤵
  PID:3020
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2760
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:996
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
  C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
  C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe
  2⤵
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[D2A00513-1018].[[email protected]].phoenix

Filesize
3.6MB

MD5
4bf04ce44373eadc1a82cc21097ab14b

SHA1
4e2f31ae4b6e1f9f54011f7869ea7e3c29675f12

SHA256
acc98df98db76e87bbbc2373c51fc127bbde845b9e9cd7084481bb1623786c2a

SHA512
2cd1fd6c4fe97273ee3f5bcad3c118ba8cbd92158baa64dbdcea82a327eddeaa2299665d74f6daaa04dbb92faa4e80b02c54e58582cc133e0e0d57d396bf1acc

Download Submit
C:\Users\Admin\AppData\Local\2025-04-05_730f82bd103aa7199005757a5d68cee3_phobos.exe

Filesize
52KB

MD5
730f82bd103aa7199005757a5d68cee3

SHA1
936dad4266ee6c02de5fe0f2804cdd1fd5d76508

SHA256
510a354916e0b8e1c3df4ef4e4fde9bd9a37fdec85741378e5e195a7f5dc043b

SHA512
01c6fb60b0e6eb8f5659dc919245674b9e42b18ba6330b799bb2e2d3a02ad211aec5e02ed08a0252b7927f42290c05beb7ff8647c22f98d57b0a780e6781f975

Download Submit
C:\info.hta

Filesize
6KB

MD5
01e0ec6b5fac89a526d419196b5249a4

SHA1
768e0674a9b26f9de04957994c7363d4b287b84f

SHA256
5bf9d140c66f6d80cafa86f744c3e4d28f890cdedf689d2b048c808354e95f11

SHA512
a5501480de089f81fda68d6248a5fc2d0331ba17ea80ebda7f6a207e2ae526d950e424acde46a13bc6350344294c3d70812f9bfb9fb1601651f2e93fa58b807b

Download Submit