File name: connhost.rar
Full analysis: https://app.any.run/tasks/2883725e-cbca-4ca9-a069-f2e7c2663c14
Verdict: Malicious activity
Threats:

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Analysis date: August 08, 2020, 12:26:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, phobos

Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: A2705A962629D0731C652FD358E62A71
SHA1: 61B4846F70716F2C6D4001C62BC5938D179466A8
SHA256: 14623156505B3935E765AD3A7204FF3D7F67B045A1910C7C28190D9DD0585336
SSDEEP: 768:ANn3MojLFNK+15ARoLT1aLvisi8mAwRiD5HSVw0YZhizlbngVRFz:ehLFNK+15ARG1Yqsi1AwOyYZhAlbnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • PHOBOS was detected

      • WinRAR.exe (PID: 2644)
      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • Writes to a start menu file

      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • Changes the autorun value in the registry

      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • Runs app for hidden code execution

      • connhost.exe (PID: 280)
    • Turns off the firewall via NETSH.EXE

      • cmd.exe (PID: 3732)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3212)
    • Deletes shadow copies

      • cmd.exe (PID: 3212)
    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 4012)
    • Actions look like stealing of personal data

      • connhost.exe (PID: 280)
    • Renames files like Ransomware

      • connhost.exe (PID: 280)
  • SUSPICIOUS

    • Application launched itself

      • connhost.exe (PID: 280)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2644)
      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • Creates files in the user directory

      • connhost.exe (PID: 3872)
      • connhost.exe (PID: 280)
    • Starts CMD.EXE for commands execution

      • connhost.exe (PID: 280)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3732)
    • Executed as Windows Service

      • wbengine.exe (PID: 4012)
      • vds.exe (PID: 4076)
    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 4012)
      • vds.exe (PID: 4076)
    • Creates files in the Windows directory

      • wbadmin.exe (PID: 1424)
    • Reads the cookies of Mozilla Firefox

      • connhost.exe (PID: 280)
    • Executed via COM

      • vdsldr.exe (PID: 2504)
    • Creates files in the program directory

      • connhost.exe (PID: 280)
  • INFO

    • Manual execution by user

      • connhost.exe (PID: 280)
      • explorer.exe (PID: 2272)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 16
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes in the graph (start, drop and start):
  • winrar.exe (#PHOBOS)
  • connhost.exe (#PHOBOS)
  • connhost.exe (#PHOBOS)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • vssadmin.exe (no specs)
  • netsh.exe (no specs)
  • netsh.exe (no specs)
  • wmic.exe (no specs)
  • bcdedit.exe (no specs)
  • bcdedit.exe (no specs)
  • wbadmin.exe (no specs)
  • wbengine.exe (no specs)
  • vdsldr.exe (no specs)
  • vds.exe (no specs)
  • explorer.exe (no specs)

Process information

PID 2644
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\connhost.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 280
  CMD: "C:\Users\admin\Desktop\connhost.exe"
  Path: C:\Users\admin\Desktop\connhost.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH

PID 3872
  CMD: "C:\Users\admin\Desktop\connhost.exe"
  Path: C:\Users\admin\Desktop\connhost.exe
  Parent process: connhost.exe
  User: admin
  Integrity Level: MEDIUM

PID 3212
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: connhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3732
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: connhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3628
  CMD: vssadmin delete shadows /all /quiet
  Path: C:\Windows\system32\vssadmin.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3720
  CMD: netsh advfirewall set currentprofile state off
  Path: C:\Windows\system32\netsh.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2348
  CMD: netsh firewall set opmode mode=disable
  Path: C:\Windows\system32\netsh.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2692
  CMD: wmic shadowcopy delete
  Path: C:\Windows\System32\Wbem\WMIC.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WMI Commandline Utility
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2792
  CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Path: C:\Windows\system32\bcdedit.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Boot Configuration Data Editor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 621
Read events: 492
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 5
Suspicious files: 946
Text files: 1
Unknown types: 56

Dropped files

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  MD5:
  SHA256:

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  MD5:
  SHA256:

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  MD5:
  SHA256:

PID 280, connhost.exe
  Filename: C:\config.sys.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 22B90389091F025F962094E845C2D323
  SHA256: 5DB145870E718AD4F2C929E7EB3C4B5CF956047704685E02E1640D7ED8203F6F

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: B26252889F84EACE31F7627D2D5D586E
  SHA256: FFDC173B13486FB7AF2910E423AE79B9497A9C2A01DB204931729BBDAD12A1FB

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 45FDEE898E8132935615FFBFF22908E0
  SHA256: 425D716CC69CB7B833CDD4DCE6288654DE29EF3DDE765A3E03848D9108E973B9

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject
  Type: atn
  MD5: 1C79421EE8454867D4E26418DDAC0FC6
  SHA256: 4096AE232B157138A7C49EAAD58F2550595A4E1C005F29381EC8AA9C1564CD23

PID 280, connhost.exe
  Filename: C:\autoexec.bat.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: B41C0CB9CEEE44AC0061FB45AB5906C6
  SHA256: A05C5E5F84989ABA895532493615D543E18AE88AE68C64FDC5250550A026C533

PID 280, connhost.exe
  Filename: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 36715633EA05E08CBB7FC64222B855A8
  SHA256: 191EC2AECE5032D1B13ADF4FD3C2C50D51FEEB37F6EDE376D3538447A13E1B8C

PID 280, connhost.exe
  Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 6341E8E02D34718D1C3205C60220FCE9
  SHA256: 25A93B8CBF04E6DA62A93195A2B13DD4BD1AF066129DA0D8085DFE49E738FB63
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info