File name:

backupfile@gmx.com - Kopie.zip

Full analysis: https://app.any.run/tasks/b4fe9488-55c2-4147-a2a1-cfc7e2329b14
Verdict: Malicious activity
Threats:

Phobos is ransomware that locks or encrypts files and demands a ransom. It uses AES encryption and appends varying extensions to the encrypted files, leaving no chance to recover them without the key.

Analysis date: June 05, 2024, 15:01:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phobos
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

CD5C62E5946CB107B99FAB1A50A98ED2

SHA1:

4DFA3BC32393982CBB56FF9F02585844849476EA

SHA256:

6EBA1FA4D9DD98407DF5084B0F5B0CD859F854B25948830EFA1CB8153FB4A511

SSDEEP:

768:Vj0zCt5B/7ETV319NXrAw5nCy313A/05hhme5e8FJnxT673s1lD4hqx5zBVNL7kz:VtzElqwD3ZAyz5e8da8LD4qNL7ODoy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • MsMpEng.exe (PID: 4012)
      • MsMpEng.exe (PID: 4020)
      • MsMpEng.exe (PID: 752)
      • MsMpEng.exe (PID: 2400)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3972)
      • MsMpEng.exe (PID: 752)
    • Deletes shadow copies

      • cmd.exe (PID: 112)
    • PHOBOS has been detected

      • MsMpEng.exe (PID: 752)
    • Changes the autorun value in the registry

      • MsMpEng.exe (PID: 4012)
      • MsMpEng.exe (PID: 752)
    • Creates files in the Startup directory

      • MsMpEng.exe (PID: 752)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 112)
    • Renames files like ransomware

      • MsMpEng.exe (PID: 752)
    • Actions look like stealing of personal data

      • MsMpEng.exe (PID: 752)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3972)
      • MsMpEng.exe (PID: 4020)
    • Application launched itself

      • MsMpEng.exe (PID: 4012)
      • MsMpEng.exe (PID: 4020)
    • Reads the Internet Settings

      • MsMpEng.exe (PID: 4020)
      • WMIC.exe (PID: 2256)
    • Creates a file in the system drive root

      • MsMpEng.exe (PID: 752)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2032)
    • Executable content was dropped or overwritten

      • MsMpEng.exe (PID: 752)
    • Executes as Windows Service

      • VSSVC.exe (PID: 312)
      • vds.exe (PID: 2476)
      • wbengine.exe (PID: 2452)
    • Starts CMD.EXE for command execution

      • MsMpEng.exe (PID: 752)
    • Process drops a legitimate Windows executable

      • MsMpEng.exe (PID: 752)
    • The process creates files with name similar to system file names

      • MsMpEng.exe (PID: 752)
    • Node.exe was dropped

      • MsMpEng.exe (PID: 752)
    • Reads browser cookies

      • MsMpEng.exe (PID: 752)
  • INFO

    • Checks supported languages

      • MsMpEng.exe (PID: 4012)
      • MsMpEng.exe (PID: 4020)
      • MsMpEng.exe (PID: 752)
      • MsMpEng.exe (PID: 2400)
    • Reads the computer name

      • MsMpEng.exe (PID: 4020)
      • MsMpEng.exe (PID: 752)
      • MsMpEng.exe (PID: 4012)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)
    • Creates files or folders in the user directory

      • MsMpEng.exe (PID: 752)
    • Creates files in the program directory

      • MsMpEng.exe (PID: 752)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:05:23 12:26:46
ZipCRC: 0xb69ec257
ZipCompressedSize: 39890
ZipUncompressedSize: 57344
ZipFileName: backupfile@gmx.com/MsMpEng.exe
No data.
All screenshots are available in the full report
Total processes
57
Monitored processes
18
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes in the graph, in start order ("no specs" marks processes without a detail entry):
winrar.exe, msmpeng.exe, msmpeng.exe (no specs), msmpeng.exe, cmd.exe (no specs), cmd.exe (no specs), netsh.exe (no specs), vssadmin.exe (no specs), vssvc.exe (no specs), netsh.exe (no specs), wmic.exe (no specs), bcdedit.exe (no specs), bcdedit.exe (no specs), wbadmin.exe (no specs), wbengine.exe (no specs), vdsldr.exe (no specs), vds.exe (no specs), msmpeng.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 112
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: MsMpEng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 188
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 312
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 752
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3972.48974\backupfile@gmx.com\MsMpEng.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3972.48974\backupfile@gmx.com\MsMpEng.exe
Parent process: MsMpEng.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3972.48974\backupfile@gmx.com\msmpeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 1332
CMD: C:\Windows\System32\vdsldr.exe -Embedding
Path: C:\Windows\System32\vdsldr.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
PID: 1588
CMD: netsh firewall set opmode mode=disable
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1764
CMD: vssadmin delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2032
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: MsMpEng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2256
CMD: wmic shadowcopy delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2316
CMD: netsh advfirewall set currentprofile state off
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
Total events
8 312
Read events
8 171
Write events
141
Delete events
0

Modification events

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\backupfile@gmx.com - Kopie.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
254
Suspicious files
6 517
Text files
9
Unknown types
21

Dropped files

PID
Process
Filename
Type
PID: 752 | Process: MsMpEng.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 752 | Process: MsMpEng.exe
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 752 | Process: MsMpEng.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 752 | Process: MsMpEng.exe
Filename: C:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\MsMpEng.exe
Type: executable
MD5: 47E35509151B6F873E0D2850F80FB6C5
SHA256: BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D

PID: 752 | Process: MsMpEng.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: binary
MD5: C322E5616A3057123F6BD2589CC37260
SHA256: FE3AFBEFCBC51CA63C89B3CB9D7E132A7890DAE5B2ABE0AAFF21F26C136A1132

PID: 3972 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3972.48974\backupfile@gmx.com\MsMpEng.exe
Type: executable
MD5: 47E35509151B6F873E0D2850F80FB6C5
SHA256: BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D

PID: 752 | Process: MsMpEng.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 752 | Process: MsMpEng.exe
Filename: C:\programdata\microsoft\windows\start menu\programs\startup\MsMpEng.exe
Type: executable
MD5: 47E35509151B6F873E0D2850F80FB6C5
SHA256: BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D

PID: 752 | Process: MsMpEng.exe
Filename: C:\config.sys.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: binary
MD5: 1FE5AF92DB29D6BCA419C152BBAEA72F
SHA256: 3972E87DF8A3B675A5BE21FF7F25780BFFFE1FDC772D3506BB6EA1CC220E849F

PID: 752 | Process: MsMpEng.exe
Filename: C:\autoexec.bat.id[C4BA3647-3429].[backupfile@gmx.com].faust
Type: binary
MD5: 0A515D9A2D26025B6CB8865485B981BE
SHA256: B3B8D9FF2CF066F9C6CBA07665162DBCA9864E963625F278CE0EEE970C8EAD77
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: - | Process: - | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info