File name: | connhost.rar |
Full analysis: | https://app.any.run/tasks/a2e4c787-6a68-4683-ac19-4058daf3b92c |
Verdict: | Malicious activity |
Threats: | Phobos is ransomware that encrypts files and demands a ransom for the decryption key. It encrypts file contents with AES and renames each file with a victim id, a contact address and a variant-specific extension; as the process tree below shows, it also deletes the Volume Shadow Copies, so without the attacker's key the encrypted files cannot be recovered. |
Analysis date: | August 08, 2020, 12:22:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | A2705A962629D0731C652FD358E62A71 |
SHA1: | 61B4846F70716F2C6D4001C62BC5938D179466A8 |
SHA256: | 14623156505B3935E765AD3A7204FF3D7F67B045A1910C7C28190D9DD0585336 |
SSDEEP: | 768:ANn3MojLFNK+15ARoLT1aLvisi8mAwRiD5HSVw0YZhizlbngVRFz:ehLFNK+15ARG1Yqsi1AwOyYZhAlbnA |
Extension | Type | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2700 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\connhost.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
3632 | "C:\Users\admin\Desktop\connhost.exe" | C:\Users\admin\Desktop\connhost.exe | — | explorer.exe
User: admin; Integrity Level: HIGH | | | |
2216 | "C:\Users\admin\Desktop\connhost.exe" | C:\Users\admin\Desktop\connhost.exe | — | connhost.exe
User: admin; Integrity Level: MEDIUM | | | |
2104 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | connhost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
1204 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | connhost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
1560 | netsh advfirewall set currentprofile state off | C:\Windows\system32\netsh.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
4076 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Command Line Interface for Microsoft® Volume Shadow Copy Service; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1532 | netsh firewall set opmode mode=disable | C:\Windows\system32\netsh.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Network Command Shell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1528 | wmic shadowcopy delete | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2964 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Boot Configuration Data Editor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
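The five commands spawned from cmd.exe above are what a detection engineer keys on: deleting shadow copies and suppressing boot-failure recovery (ATT&CK T1490, Inhibit System Recovery) and turning off the host firewall (T1562.004, Impair Defenses: Disable or Modify System Firewall). The Python below is an added example, not ANY.RUN's code or anything from the sample: it runs those rules over process-creation records and attributes each hit to the process that launched the cmd.exe shell, so the verdict lands on connhost.exe rather than on cmd.exe. The record format, the pids for explorer.exe and the benign control shell, and the assignment of children to the two cmd.exe instances are constructed assumptions (the report only names cmd.exe as the parent); the `recoveryenabled no` rule covers a companion command this report does not show.

```python
"""Rules for the recovery-inhibiting and firewall-disabling commands in the
process tree above, run over constructed process-creation records.
Added example; not ANY.RUN's code or anything from the sample."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (ATT&CK technique, description, pattern over the command line).
# Five rules match exactly the commands the sandbox recorded; the
# `recoveryenabled no` rule is a common companion command added as an
# assumption, not something this report shows.
RULES = [
    ("T1490", "shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted (wmic)",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "boot failures ignored (bcdedit bootstatuspolicy)",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "Windows recovery disabled (bcdedit recoveryenabled)",  # assumption, not in report
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1562.004", "firewall profile disabled (netsh advfirewall)",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off\b", re.I)),
    ("T1562.004", "firewall disabled (legacy netsh firewall)",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", re.I)),
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmd: str


Hit = Tuple[str, str, int, str]  # (technique, description, pid, command line)

# Constructed records in "pid|ppid|image|commandline" form. The pids for
# explorer.exe (1234), its parent (1000) and the benign shell (5555/5556) are
# made up; which cmd.exe spawned which child is an assumption.
SAMPLE_LOG = [
    r"1234|1000|C:\Windows\explorer.exe|explorer.exe",
    r'3632|1234|C:\Users\admin\Desktop\connhost.exe|"C:\Users\admin\Desktop\connhost.exe"',
    r'2104|3632|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe"',
    r'1204|3632|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe"',
    r"1560|2104|C:\Windows\system32\netsh.exe|netsh advfirewall set currentprofile state off",
    r"4076|2104|C:\Windows\system32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"1532|1204|C:\Windows\system32\netsh.exe|netsh firewall set opmode mode=disable",
    r"1528|1204|C:\Windows\System32\Wbem\WMIC.exe|wmic shadowcopy delete",
    r"2964|1204|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r'5555|1000|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe"',
    r"5556|5555|C:\Windows\system32\vssadmin.exe|vssadmin list shadows",  # benign admin use
]


def parse_records(lines: List[str]) -> Dict[int, Proc]:
    """Build a pid -> Proc map from 'pid|ppid|image|commandline' records."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        if not line.strip():
            continue
        pid, ppid, image, cmd = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmd)
    return procs


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return (technique, description) for every rule the command line trips."""
    return [(tech, desc) for tech, desc, rx in RULES if rx.search(cmdline)]


def origin_of(proc: Proc, procs: Dict[int, Proc]) -> Proc:
    """Walk up past cmd.exe shells to the process that actually issued the command."""
    parent = procs.get(proc.ppid)
    while parent is not None and parent.image.lower().endswith("\\cmd.exe"):
        parent = procs.get(parent.ppid)
    return parent if parent is not None else proc


def scan(lines: List[str]) -> Dict[int, List[Hit]]:
    """Group rule hits by the originating (non-shell) process id."""
    procs = parse_records(lines)
    findings: Dict[int, List[Hit]] = defaultdict(list)
    for p in procs.values():
        for tech, desc in classify(p.cmd):
            findings[origin_of(p, procs).pid].append((tech, desc, p.pid, p.cmd))
    return dict(findings)


def verdict(hits: List[Hit]) -> str:
    """One origin both destroying recovery data and dropping the firewall is the ransomware pattern."""
    techs = {h[0] for h in hits}
    if {"T1490", "T1562.004"} <= techs:
        return "high"
    if "T1490" in techs:
        return "medium"
    return "low" if techs else "none"


if __name__ == "__main__":
    for origin_pid, hits in scan(SAMPLE_LOG).items():
        print(f"pid {origin_pid}: verdict={verdict(hits)}")
        for tech, desc, pid, cmd in hits:
            print(f"  {tech} {desc}: pid {pid}: {cmd}")
```

Run as-is it reports one high-confidence finding rooted at pid 3632 with five hits, and the `vssadmin list shadows` from the unrelated shell trips nothing. The same logic applies unchanged to Sysmon Event ID 1 or Security Event ID 4688 records; the parent walk is what matters operationally, because connhost.exe, not the short-lived cmd.exe, is the process to contain.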
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-2850].[[email protected]].eject | — | — | —
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject | atn | E32B3473A385C4B973287D3570611B22 | 810677AE2E938978075BA7CAC82E7E9F2F7DB855EA6C513ACFD2FFFDB1A9FED6
3632 | connhost.exe | C:\autoexec.bat.id[C4BA3647-2850].[[email protected]].eject | binary | 36F16AF87DFB435318F247C1445789BB | D4EDC471D58048608F7FE205B075C4266EDF1617953F49B2CACD27FBED3D8C2A
3632 | connhost.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.id[C4BA3647-2850].[[email protected]].eject | binary | 938EA371E290286B89AAC0F8DF2D19E5 | 9E045545011F4F612CE46534E568F7CA6F74EBF1CDD18E0434E6D51C4B22DC05
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.msi.id[C4BA3647-2850].[[email protected]].eject | atn | 459F6737373B9780B87B12721D7A6942 | 66A92A7B611A7D401F13CFCB1A4C18CF68D8D9CDDD98EA481125AAEE20D0620F
3632 | connhost.exe | C:\config.sys.id[C4BA3647-2850].[[email protected]].eject | binary | B0619769F3F33AA78735B6F0FF27EA78 | A99B2DEB5F669E68117AC09563B5480B48E7AF790E5A9E9110B33208EE7D676A
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.id[C4BA3647-2850].[[email protected]].eject | binary | 40C80C20DC3CC4A4D5F57B566144E0D0 | 5651F1A91F6C840D64A19338B4A0F9F72754AAA14E6F2BB5F3BA4AB5DDFBD48D
3632 | connhost.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.id[C4BA3647-2850].[[email protected]].eject | binary | 8E49746DCA54FADF24F0CE95461F2DCE | 024D5352948013AB3B979E825E0B5ED09E98E5CE78FEB9E08F2F61ECB90FFC8C