File name: connhost.rar
Full analysis: https://app.any.run/tasks/a2e4c787-6a68-4683-ac19-4058daf3b92c
Verdict: Malicious activity
Threats:

Phobos is ransomware that encrypts files and demands a ransom for the key. It encrypts file contents with AES and appends a marker to each file name (in this sample the form is <name>.id[<victim id>-2850].[<contact address>].eject); the extension varies between campaigns, and without the attacker's key the encrypted files cannot be recovered.

Analysis date: August 08, 2020, 12:22:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, phobos
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: A2705A962629D0731C652FD358E62A71
SHA1: 61B4846F70716F2C6D4001C62BC5938D179466A8
SHA256: 14623156505B3935E765AD3A7204FF3D7F67B045A1910C7C28190D9DD0585336
SSDEEP: 768:ANn3MojLFNK+15ARoLT1aLvisi8mAwRiD5HSVw0YZhizlbngVRFz:ehLFNK+15ARG1Yqsi1AwOyYZhAlbnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • connhost.exe (PID: 3632)
      • connhost.exe (PID: 2216)
    • PHOBOS was detected

      • WinRAR.exe (PID: 2700)
      • connhost.exe (PID: 2216)
      • connhost.exe (PID: 3632)
    • Changes the autorun value in the registry

      • connhost.exe (PID: 2216)
      • connhost.exe (PID: 3632)
    • Writes to a start menu file

      • connhost.exe (PID: 2216)
      • connhost.exe (PID: 3632)
    • Runs app for hidden code execution

      • connhost.exe (PID: 3632)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2104)
    • Turns off the firewall via NETSH.EXE

      • cmd.exe (PID: 1204)
    • Deletes shadow copies

      • cmd.exe (PID: 2104)
    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 584)
    • Actions look like stealing of personal data

      • connhost.exe (PID: 3632)
    • Renames files like Ransomware

      • connhost.exe (PID: 3632)
  • SUSPICIOUS

    • Application launched itself

      • connhost.exe (PID: 3632)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2700)
      • connhost.exe (PID: 2216)
      • connhost.exe (PID: 3632)
    • Creates files in the user directory

      • connhost.exe (PID: 2216)
      • connhost.exe (PID: 3632)
    • Starts CMD.EXE for command execution

      • connhost.exe (PID: 3632)
    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2444)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1204)
    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 584)
      • vds.exe (PID: 1680)
    • Executed as Windows Service

      • wbengine.exe (PID: 584)
      • vds.exe (PID: 1680)
    • Executed via COM

      • vdsldr.exe (PID: 2184)
    • Reads the cookies of Mozilla Firefox

      • connhost.exe (PID: 3632)
    • Creates files in the program directory

      • connhost.exe (PID: 3632)
  • INFO

    • Manual execution by user

      • connhost.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 15
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Process nodes in graph order (#PHOBOS marks processes that triggered the Phobos signature; the others carried no specific indicators). Edges: start, drop and start.

winrar.exe (#PHOBOS)
connhost.exe (#PHOBOS)
connhost.exe (#PHOBOS)
cmd.exe
cmd.exe
netsh.exe
vssadmin.exe
netsh.exe
wmic.exe
bcdedit.exe
bcdedit.exe
wbadmin.exe
wbengine.exe
vdsldr.exe
vds.exe

Process information

PID 2700  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\connhost.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3632  connhost.exe
  CMD: "C:\Users\admin\Desktop\connhost.exe"
  Path: C:\Users\admin\Desktop\connhost.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH

PID 2216  connhost.exe
  CMD: "C:\Users\admin\Desktop\connhost.exe"
  Path: C:\Users\admin\Desktop\connhost.exe
  Parent process: connhost.exe
  User: admin
  Integrity Level: MEDIUM

PID 2104  cmd.exe
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: connhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1204  cmd.exe
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: connhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1560  netsh.exe
  CMD: netsh advfirewall set currentprofile state off
  Path: C:\Windows\system32\netsh.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4076  vssadmin.exe
  CMD: vssadmin delete shadows /all /quiet
  Path: C:\Windows\system32\vssadmin.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1532  netsh.exe
  CMD: netsh firewall set opmode mode=disable
  Path: C:\Windows\system32\netsh.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1528  WMIC.exe
  CMD: wmic shadowcopy delete
  Path: C:\Windows\System32\Wbem\WMIC.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WMI Commandline Utility
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2964  bcdedit.exe
  CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Path: C:\Windows\system32\bcdedit.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Boot Configuration Data Editor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
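The command lines in the process table above (vssadmin, wmic, bcdedit, netsh) are the ones detection engineers key on for this family, and they matter more as a chain than as single events. The Python below is an added example, not part of the ANY.RUN report or of any ANY.RUN tooling: it runs a small rule set over constructed Sysmon-style process-creation records modelled on the report's PID, command-line and parent columns, maps each hit to MITRE ATT&CK (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall), and groups hits by their non-system ancestor so that one shadow deletion from an administrator's console scores lower than the full chain seen here. Parent PIDs for the cmd.exe children, the explorer.exe stand-in PID 1000, the wbadmin.exe argument pattern and the "recoveryenabled no" bcdedit form are assumptions: the report shows parent images but not parent PIDs, and lists wbadmin.exe and a second bcdedit.exe without their arguments.

```python
"""Added example: flag the recovery-inhibition chain from the report in process-creation events."""
import re
from collections import defaultdict

# Constructed process-creation records modelled on the report's process table (Sysmon Event ID 1
# field names). ParentProcessId 1000 stands in for explorer.exe, which is not in the set; the
# cmd.exe children are attached to PID 3632 as an assumption, since the report names the parent
# image (connhost.exe) but not its PID.
SAMPLE_EVENTS = [
    {"ProcessId": 2700, "ParentProcessId": 1000, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\connhost.rar"'},
    {"ProcessId": 3632, "ParentProcessId": 1000, "Image": r"C:\Users\admin\Desktop\connhost.exe",
     "CommandLine": r'"C:\Users\admin\Desktop\connhost.exe"'},
    {"ProcessId": 2216, "ParentProcessId": 3632, "Image": r"C:\Users\admin\Desktop\connhost.exe",
     "CommandLine": r'"C:\Users\admin\Desktop\connhost.exe"'},
    {"ProcessId": 2104, "ParentProcessId": 3632, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 1204, "ParentProcessId": 3632, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 1560, "ParentProcessId": 1204, "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"ProcessId": 1532, "ParentProcessId": 1204, "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": "netsh firewall set opmode mode=disable"},
    {"ProcessId": 4076, "ParentProcessId": 2104, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 1528, "ParentProcessId": 2104, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 2964, "ParentProcessId": 2104, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Constructed benign activity: an administrator pruning one old shadow copy from a console.
    {"ProcessId": 5000, "ParentProcessId": 1000, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 5001, "ParentProcessId": 5000, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
]

# (image basename, command-line pattern, ATT&CK technique, label). The patterns are the literal
# command lines from the report, plus the wbadmin.exe and "recoveryenabled no" forms, which the
# report does not show and which are included as an assumption about common companion commands.
RULES = [
    ("vssadmin.exe", r"\bdelete\s+shadows\b", "T1490", "shadow copies deleted (vssadmin)"),
    ("wmic.exe", r"\bshadowcopy\s+delete\b", "T1490", "shadow copies deleted (WMI)"),
    ("bcdedit.exe", r"bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no", "T1490", "boot recovery disabled"),
    ("wbadmin.exe", r"\bdelete\s+catalog\b", "T1490", "backup catalog deleted"),
    ("netsh.exe", r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable",
     "T1562.004", "host firewall disabled"),
]


def match_rules(event):
    """Return one hit per rule whose image and command-line pattern match this event."""
    image = event["Image"].rpartition("\\")[2].lower()
    return [
        {"pid": event["ProcessId"], "technique": technique, "label": label, "cmd": event["CommandLine"]}
        for exe, pattern, technique, label in RULES
        if image == exe and re.search(pattern, event["CommandLine"], re.IGNORECASE)
    ]


def root_ancestor(pid, by_pid):
    """Follow ParentProcessId links up to the first process whose parent is not in the event set."""
    seen = set()
    while pid not in seen and by_pid[pid]["ParentProcessId"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return pid


def severity(hits):
    """Several recovery-inhibition commands plus a firewall change from one ancestor is the ransomware pattern."""
    t1490 = sum(h["technique"] == "T1490" for h in hits)
    firewall = any(h["technique"] == "T1562.004" for h in hits)
    if t1490 >= 2 and firewall:
        return "high"
    if t1490 >= 2 or (t1490 and firewall):
        return "medium"
    return "low"


def detect(events):
    """Return one finding per ancestor process that spawned matching commands, worst first."""
    by_pid = {e["ProcessId"]: e for e in events}
    clusters = defaultdict(list)
    for event in events:
        for hit in match_rules(event):
            clusters[root_ancestor(event["ProcessId"], by_pid)].append(hit)
    findings = [
        {"root_pid": root, "root_image": by_pid[root]["Image"], "severity": severity(hits),
         "techniques": sorted({h["technique"] for h in hits}), "hits": hits}
        for root, hits in clusters.items()
    ]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["root_pid"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"], finding["root_pid"], finding["root_image"], finding["techniques"])
        for hit in finding["hits"]:
            print("   ", hit["pid"], hit["label"], "::", hit["cmd"])
```

Run as-is it reports the connhost.exe tree (PID 3632) as high with five hits and the constructed console clean-up as low; swap in real Sysmon or EDR process-creation exports with the same field names to use it on live data. Note that the ancestor walk stops at whatever is missing from the export, so the root you get depends on how complete the event set is.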
Total events: 595
Read events: 466
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 6
Suspicious files: 1,003
Text files: 5
Unknown types: 67

Dropped files (all written by PID 3632, connhost.exe)

C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  Type: (not shown)  MD5: (not shown)  SHA256: (not shown)
C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  Type: (not shown)  MD5: (not shown)  SHA256: (not shown)
C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject
  Type: (not shown)  MD5: (not shown)  SHA256: (not shown)
C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject
  Type: atn
  MD5: E32B3473A385C4B973287D3570611B22
  SHA256: 810677AE2E938978075BA7CAC82E7E9F2F7DB855EA6C513ACFD2FFFDB1A9FED6
C:\autoexec.bat.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 36F16AF87DFB435318F247C1445789BB
  SHA256: D4EDC471D58048608F7FE205B075C4266EDF1617953F49B2CACD27FBED3D8C2A
C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 938EA371E290286B89AAC0F8DF2D19E5
  SHA256: 9E045545011F4F612CE46534E568F7CA6F74EBF1CDD18E0434E6D51C4B22DC05
C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject
  Type: atn
  MD5: 459F6737373B9780B87B12721D7A6942
  SHA256: 66A92A7B611A7D401F13CFCB1A4C18CF68D8D9CDDD98EA481125AAEE20D0620F
C:\config.sys.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: B0619769F3F33AA78735B6F0FF27EA78
  SHA256: A99B2DEB5F669E68117AC09563B5480B48E7AF790E5A9E9110B33208EE7D676A
C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 40C80C20DC3CC4A4D5F57B566144E0D0
  SHA256: 5651F1A91F6C840D64A19338B4A0F9F72754AAA14E6F2BB5F3BA4AB5DDFBD48D
C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject
  Type: binary
  MD5: 8E49746DCA54FADF24F0CE95461F2DCE
  SHA256: 024D5352948013AB3B979E825E0B5ED09E98E5CE78FEB9E08F2F61ECB90FFC8C
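Every renamed path above carries the same per-victim marker, and that marker is what a file-server audit or an EDR file-rename rule should key on. The Python below is an added example, not from the report or from ANY.RUN: it parses the Phobos name pattern, separating the original file name from the victim id, the four-digit suffix, the contact address and the extension, and then counts how many files and directories share one marker, since a single renamed file can be a stray copy while one marker across many directories is the encryption run. The sample paths are constructed from the report's list with a placeholder contact address, because the report redacts the real one; the two unencrypted entries are added to exercise the non-matching cases.

```python
"""Added example: parse Phobos-style file names and summarise the encryption footprint."""
import re
from collections import Counter

# Phobos renames each encrypted file to "<name>.id[<8 hex victim id>-<4 digits>].[<contact>].<ext>";
# the dropped-files list above shows the form with suffix 2850 and extension "eject".
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"                             # original name, may itself contain dots
    r"\.id\[(?P<victim_id>[0-9A-F]{8})-(?P<suffix>\d{4})\]"
    r"\.\[(?P<contact>[^\]\s@]+@[^\]\s@]+)\]"         # attacker contact address
    r"\.(?P<extension>[A-Za-z0-9]{2,16})$",
    re.IGNORECASE,
)

# Constructed sample paths, taken from the report's dropped-files list with the contact address
# replaced by a placeholder (the report redacts the real one). The last two entries are added
# unencrypted files; the final one is a near-miss that must not match.
SAMPLE_PATHS = [
    r"C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\autoexec.bat.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\config.sys.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.id[C4BA3647-2850].[attacker@example.com].eject",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\admin\Desktop\notes.id[1234].txt",
]


def parse_phobos_name(path):
    """Return the marker fields (plus directory) for a Phobos-style path, or None if it does not match."""
    directory, _, name = path.rpartition("\\")
    match = PHOBOS_NAME.match(name)
    if not match:
        return None
    fields = match.groupdict()
    fields["directory"] = directory
    return fields


def summarize(paths):
    """Count encrypted files per (victim id, contact, extension) marker and the directories touched."""
    parsed = [p for p in map(parse_phobos_name, paths) if p]
    markers = Counter(
        (p["victim_id"].upper(), p["contact"].lower(), p["extension"].lower()) for p in parsed
    )
    return {
        "encrypted": len(parsed),
        "unencrypted": len(paths) - len(parsed),
        "by_marker": dict(markers),
        "directories": sorted({p["directory"] for p in parsed}),
    }


def is_mass_encryption(summary, min_files=5, min_dirs=2):
    """One marker across many files in several directories is the ransomware footprint, not a stray rename."""
    many_files = any(n >= min_files for n in summary["by_marker"].values())
    return many_files and len(summary["directories"]) >= min_dirs


if __name__ == "__main__":
    result = summarize(SAMPLE_PATHS)
    print(result["encrypted"], "encrypted,", result["unencrypted"], "untouched")
    for (victim_id, contact, extension), count in result["by_marker"].items():
        print(f"  id={victim_id} contact={contact} ext=.{extension} files={count}")
    print("mass encryption:", is_mass_encryption(result))
```

The thresholds in is_mass_encryption are a starting point for triage, not a verdict; on a real share, feed it the output of a recursive directory listing and tune min_files to the share's size. The victim id and contact address recovered here are also what you need when checking whether a decryptor or public key release applies to a given incident.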
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info