File name:

Phobos.exe

Full analysis: https://app.any.run/tasks/766b879b-5e3c-4137-914a-d8f87ce8c3d8
Verdict: Malicious activity
Threats:

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Analysis date: September 01, 2024, 09:07:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
phobos
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4E93C194B641D9B849F270531EC14D20

SHA1:

8B5A21254A0C10E3CA2570EEBA490755197B544E

SHA256:

43F846C12C24A078EBE33F71E8EA3B4F75107AEB275E2C3CD9DC61617C9757FC

SSDEEP:

1536:kymNrLwC/WPYQ3CUXeXx35/bj3xLmPGDM3Q8wUx:kymdw49Q3teHDjhLmeDQNj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 7132)
    • Create files in the Startup directory

      • Phobos.exe (PID: 6768)
    • Changes the autorun value in the registry

      • Phobos.exe (PID: 6768)
      • Phobos.exe (PID: 5852)
    • PHOBOS has been detected

      • Phobos.exe (PID: 6768)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 7132)
    • Actions looks like stealing of personal data

      • Phobos.exe (PID: 6768)
    • Renames files like ransomware

      • Phobos.exe (PID: 6768)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Phobos.exe (PID: 3660)
    • Creates file in the systems drive root

      • Phobos.exe (PID: 6768)
    • Reads the date of Windows installation

      • Phobos.exe (PID: 3660)
    • Application launched itself

      • Phobos.exe (PID: 5852)
      • Phobos.exe (PID: 3660)
    • Starts CMD.EXE for commands execution

      • Phobos.exe (PID: 6768)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 7164)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5128)
      • wbengine.exe (PID: 6372)
      • vds.exe (PID: 876)
    • The process creates files with name similar to system file names

      • Phobos.exe (PID: 6768)
    • Drops the executable file immediately after the start

      • Phobos.exe (PID: 6768)
    • Executable content was dropped or overwritten

      • Phobos.exe (PID: 6768)
    • Process drops legitimate windows executable

      • Phobos.exe (PID: 6768)
  • INFO

    • Creates files in the program directory

      • Phobos.exe (PID: 6768)
    • Creates files or folders in the user directory

      • Phobos.exe (PID: 6768)
    • Checks supported languages

      • Phobos.exe (PID: 3660)
      • Phobos.exe (PID: 5852)
      • Phobos.exe (PID: 6768)
    • Reads the computer name

      • Phobos.exe (PID: 6768)
      • Phobos.exe (PID: 3660)
      • Phobos.exe (PID: 5852)
    • Process checks computer location settings

      • Phobos.exe (PID: 3660)
    • The process uses the downloaded file

      • Phobos.exe (PID: 3660)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6056)
    • Reads the software policy settings

      • slui.exe (PID: 5292)
      • slui.exe (PID: 1932)
    • Checks proxy server information

      • slui.exe (PID: 5292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2fa7
UninitializedDataSize: -
InitializedDataSize: 15872
CodeSize: 34304
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:03:31 14:17:25+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
21
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start phobos.exe phobos.exe no specs phobos.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs vssadmin.exe no specs netsh.exe no specs vssvc.exe no specs netsh.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe wbengine.exe no specs vdsldr.exe no specs vds.exe no specs sppextcomobj.exe no specs slui.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
5852"C:\Users\admin\AppData\Local\Temp\Phobos.exe" C:\Users\admin\AppData\Local\Temp\Phobos.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\phobos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
3660C:\Users\admin\AppData\Local\Temp\Phobos.exeC:\Users\admin\AppData\Local\Temp\Phobos.exePhobos.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\phobos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
6768"C:\Users\admin\AppData\Local\Temp\Phobos.exe" C:\Users\admin\AppData\Local\Temp\Phobos.exe
Phobos.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\phobos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
7164"C:\WINDOWS\system32\cmd.exe"C:\Windows\System32\cmd.exePhobos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
7132"C:\WINDOWS\system32\cmd.exe"C:\Windows\System32\cmd.exePhobos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
6988\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5700vssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5724netsh advfirewall set currentprofile state offC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
5128C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 007
Read events
6 935
Write events
52
Delete events
20

Modification events

(PID) Process:(3660) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3660) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3660) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3660) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6768) Phobos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Phobos
Value:
C:\Users\admin\AppData\Local\Phobos.exe
(PID) Process:(6768) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Phobos
Value:
C:\Users\admin\AppData\Local\Phobos.exe
(PID) Process:(5852) Phobos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Phobos
Value:
C:\Users\admin\AppData\Local\Phobos.exe
(PID) Process:(5852) Phobos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Phobos
Value:
C:\Users\admin\AppData\Local\Phobos.exe
(PID) Process:(6124) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6124) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Description
Operation:writeName:FirmwareModified
Value:
1
Executable files
138
Suspicious files
8 765
Text files
13
Unknown types
1

Dropped files

PID
Process
Filename
Type
6768Phobos.exeC:\$WinREAgent\Backup\Winre.wim.id[26B799FA-2822].[[email protected]].eight
MD5:
SHA256:
6768Phobos.exeC:\$WinREAgent\Scratch\update.wim.id[26B799FA-2822].[[email protected]].eight
MD5:
SHA256:
6768Phobos.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Phobos.exeexecutable
MD5:4E93C194B641D9B849F270531EC14D20
SHA256:43F846C12C24A078EBE33F71E8EA3B4F75107AEB275E2C3CD9DC61617C9757FC
6768Phobos.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phobos.exeexecutable
MD5:4E93C194B641D9B849F270531EC14D20
SHA256:43F846C12C24A078EBE33F71E8EA3B4F75107AEB275E2C3CD9DC61617C9757FC
6768Phobos.exeC:\found.000\dir0000.chk\UpdateSessionOrchestration.055.etl.id[26B799FA-2822].[[email protected]].eightbinary
MD5:45D66D8664E0965EF15DDB2792290B73
SHA256:9064BAE8403D9BEBCA57BD5BAD8922F4C8697D2F5BDDA03C0EC02E341C81B063
6768Phobos.exeC:\$WinREAgent\Backup\location.txt.id[26B799FA-2822].[[email protected]].eightbinary
MD5:7FD1C335DAA31EA3BE15391E7C5D46D5
SHA256:64F6C5DB20D7176643E615BC4EA6F820525A8E78BEA47ACBD7DA318D90D7CBEB
6768Phobos.exeC:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.id[26B799FA-2822].[[email protected]].eightbinary
MD5:C59BB18A837C860ED5A3ECE993E3F75A
SHA256:677BA6C6C0B2490357E9E311923088C66388334A120291DA0094ADB53F36423A
6768Phobos.exeC:\$WinREAgent\RollbackInfo.ini.id[26B799FA-2822].[[email protected]].eightbc
MD5:413C285C3A3BAAC26ACA79E59BAFE4AB
SHA256:B6A7BA35305E831E5F38F898CD4DC188018C098A335CC7DDA444545B80BBFE3E
6768Phobos.exeC:\found.000\dir0000.chk\UpdateSessionOrchestration.049.etl.id[26B799FA-2822].[[email protected]].eightbinary
MD5:FFDBF7A7A8BFC5E2A016A15832A77E3D
SHA256:A2CEF2DB86F061CC0CA5745A3E0A7025CB7143BF249509C2B33488D0C9B289AC
6768Phobos.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-500\desktop.ini.id[26B799FA-2822].[[email protected]].eightbinary
MD5:464B469F92A831EFD93E3D173A98E06E
SHA256:AED590ED41E4CE4AB0D555E1584B7CEA1802A4A100EE1109B8A142807152972F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
31
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6156
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6156
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1332
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6400
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
568
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2344
svchost.exe
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:137
whitelisted
568
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1332
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process
Message
wbadmin.exe
Invalid parameter passed to C runtime function.