Field | Value
---|---
File name | connhost.rar
Full analysis | https://app.any.run/tasks/2883725e-cbca-4ca9-a069-f2e7c2663c14
Verdict | Malicious activity
Threats | Phobos is ransomware that locks or encrypts files to demand a ransom. It uses AES encryption and appends varying file extensions, which leaves no chance to recover the infected files.
Analysis date | August 08, 2020, 12:26:19
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | A2705A962629D0731C652FD358E62A71
SHA1 | 61B4846F70716F2C6D4001C62BC5938D179466A8
SHA256 | 14623156505B3935E765AD3A7204FF3D7F67B045A1910C7C28190D9DD0585336
SSDEEP | 768:ANn3MojLFNK+15ARoLT1aLvisi8mAwRiD5HSVw0YZhizlbngVRFz:ehLFNK+15ARG1Yqsi1AwOyYZhAlbnA
Extension | File type identification | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | Command line | Path | Parent process | Integrity level | Details
---|---|---|---|---|---
2644 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\connhost.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | MEDIUM | User: admin; Company: Alexander Roshal; Description: WinRAR archiver; Version: 5.60.0; Exit code: 0
280 | "C:\Users\admin\Desktop\connhost.exe" | C:\Users\admin\Desktop\connhost.exe | explorer.exe | HIGH | User: admin
3872 | "C:\Users\admin\Desktop\connhost.exe" | C:\Users\admin\Desktop\connhost.exe | connhost.exe | MEDIUM | User: admin
3212 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | connhost.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 0
3732 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | connhost.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 0
3628 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | cmd.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Command Line Interface for Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0
3720 | netsh advfirewall set currentprofile state off | C:\Windows\system32\netsh.exe | cmd.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Network Command Shell; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0
2348 | netsh firewall set opmode mode=disable | C:\Windows\system32\netsh.exe | cmd.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Network Command Shell; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0
2692 | wmic shadowcopy delete | C:\Windows\System32\Wbem\WMIC.exe | cmd.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: WMI Commandline Utility; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0
2792 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | cmd.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: Boot Configuration Data Editor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
280 | connhost.exe | C:\config.sys.id[C4BA3647-2850].[[email protected]].eject | binary | 22B90389091F025F962094E845C2D323 | 5DB145870E718AD4F2C929E7EB3C4B5CF956047704685E02E1640D7ED8203F6F
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject | binary | B26252889F84EACE31F7627D2D5D586E | FFDC173B13486FB7AF2910E423AE79B9497A9C2A01DB204931729BBDAD12A1FB
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.id[C4BA3647-2850].[[email protected]].eject | binary | 45FDEE898E8132935615FFBFF22908E0 | 425D716CC69CB7B833CDD4DCE6288654DE29EF3DDE765A3E03848D9108E973B9
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject | atn | 1C79421EE8454867D4E26418DDAC0FC6 | 4096AE232B157138A7C49EAAD58F2550595A4E1C005F29381EC8AA9C1564CD23
280 | connhost.exe | C:\autoexec.bat.id[C4BA3647-2850].[[email protected]].eject | binary | B41C0CB9CEEE44AC0061FB45AB5906C6 | A05C5E5F84989ABA895532493615D543E18AE88AE68C64FDC5250550A026C533
280 | connhost.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.id[C4BA3647-2850].[[email protected]].eject | binary | 36715633EA05E08CBB7FC64222B855A8 | 191EC2AECE5032D1B13ADF4FD3C2C50D51FEEB37F6EDE376D3538447A13E1B8C
280 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject | binary | 6341E8E02D34718D1C3205C60220FCE9 | 25A93B8CBF04E6DA62A93195A2B13DD4BD1AF066129DA0D8085DFE49E738FB63