| File name: | MsMpEng.exe |
| Full analysis: | https://app.any.run/tasks/51288977-97e7-45f8-a5b0-5a4f7d628a1e |
| Verdict: | Malicious activity |
| Threats: | Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files. |
| Analysis date: | June 05, 2024, 15:12:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 47E35509151B6F873E0D2850F80FB6C5 |
| SHA1: | F36D83A552722F1E16831E581FE250D705AD7C0D |
| SHA256: | BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D |
| SSDEEP: | 768:MyVHL0Nw1ALXbLwHi/WEhFOYQj7zs7ERdxmEeISSLbyHYXbJ/SOMc13Iqd:MymNrLwC/WPYQ3CUXexSSHCxSOMKd |
MALICIOUS
Antivirus name has been found in the command line (generic signature)
- MsMpEng.exe (PID: 4008)
- MsMpEng.exe (PID: 4024)
- MsMpEng.exe (PID: 1064)
Drops the executable file immediately after the start
- MsMpEng.exe (PID: 4008)
- MsMpEng.exe (PID: 1064)
PHOBOS has been detected
- MsMpEng.exe (PID: 1064)
Changes the autorun value in the registry
- MsMpEng.exe (PID: 4008)
- MsMpEng.exe (PID: 1064)
Create files in the Startup directory
- MsMpEng.exe (PID: 1064)
Deletes shadow copies
- cmd.exe (PID: 2044)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 2044)
Actions looks like stealing of personal data
- MsMpEng.exe (PID: 1064)
Renames files like ransomware
- MsMpEng.exe (PID: 1064)
SUSPICIOUS
Application launched itself
- MsMpEng.exe (PID: 4008)
- MsMpEng.exe (PID: 4024)
Reads security settings of Internet Explorer
- MsMpEng.exe (PID: 4024)
Reads the Internet Settings
- MsMpEng.exe (PID: 4024)
- WMIC.exe (PID: 1600)
Starts CMD.EXE for commands execution
- MsMpEng.exe (PID: 1064)
Creates file in the systems drive root
- MsMpEng.exe (PID: 1064)
Executes as Windows Service
- VSSVC.exe (PID: 316)
- vds.exe (PID: 1468)
- wbengine.exe (PID: 324)
Process drops legitimate windows executable
- MsMpEng.exe (PID: 1064)
Executable content was dropped or overwritten
- MsMpEng.exe (PID: 1064)
Uses NETSH.EXE to change the status of the firewall
- cmd.exe (PID: 2036)
Reads browser cookies
- MsMpEng.exe (PID: 1064)
The process creates files with name similar to system file names
- MsMpEng.exe (PID: 1064)
Node.exe was dropped
- MsMpEng.exe (PID: 1064)
INFO
Checks supported languages
- MsMpEng.exe (PID: 4024)
- MsMpEng.exe (PID: 4008)
- MsMpEng.exe (PID: 1064)
Reads the computer name
- MsMpEng.exe (PID: 4024)
- MsMpEng.exe (PID: 1064)
- MsMpEng.exe (PID: 4008)
Creates files or folders in the user directory
- MsMpEng.exe (PID: 1064)
Creates files in the program directory
- MsMpEng.exe (PID: 1064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:03:31 14:17:25+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 34304 |
| InitializedDataSize: | 15872 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2fa7 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
55
Monitored processes
16
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | netsh firewall set opmode mode=disable | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 324 | "C:\Windows\system32\wbengine.exe" | C:\Windows\System32\wbengine.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Block Level Backup Engine Service EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1064 | "C:\Users\admin\AppData\Local\Temp\MsMpEng.exe" | C:\Users\admin\AppData\Local\Temp\MsMpEng.exe | MsMpEng.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 1468 | C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1580 | vssadmin delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1600 | wmic shadowcopy delete | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1768 | netsh advfirewall set currentprofile state off | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1960 | wbadmin delete catalog -quiet | C:\Windows\System32\wbadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® BLB Backup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2036 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | MsMpEng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
4 825
Read events
4 703
Write events
122
Delete events
0
Modification events
| (PID) Process: | (4024) MsMpEng.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (4024) MsMpEng.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (4024) MsMpEng.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (4024) MsMpEng.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1064) MsMpEng.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MsMpEng |
Value: C:\Users\admin\AppData\Local\MsMpEng.exe | |||
| (PID) Process: | (1064) MsMpEng.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MsMpEng |
Value: C:\Users\admin\AppData\Local\MsMpEng.exe | |||
| (PID) Process: | (1768) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1768) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-100 |
Value: DHCP Quarantine Enforcement Client | |||
| (PID) Process: | (1768) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-101 |
Value: Provides DHCP based enforcement for NAP | |||
| (PID) Process: | (1768) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-103 |
Value: 1.0 | |||
Executable files
253
Suspicious files
6 945
Text files
20
Unknown types
18
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1064 | MsMpEng.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust | — | |
MD5:— | SHA256:— | |||
| 1064 | MsMpEng.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust | — | |
MD5:— | SHA256:— | |||
| 1064 | MsMpEng.exe | C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust | — | |
MD5:— | SHA256:— | |||
| 1064 | MsMpEng.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.id[C4BA3647-3429].[backupfile@gmx.com].faust | binary | |
MD5:D68739B208C8CC17794D357333D3E859 | SHA256:2A698AAB4938E0CA8C765F8D5339662C7E78BB38E8A9F2ED03BC7E8E854EF016 | |||
| 1064 | MsMpEng.exe | C:\Users\admin\AppData\Local\MsMpEng.exe | executable | |
MD5:47E35509151B6F873E0D2850F80FB6C5 | SHA256:BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D | |||
| 1064 | MsMpEng.exe | C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3429].[backupfile@gmx.com].faust | — | |
MD5:— | SHA256:— | |||
| 1064 | MsMpEng.exe | C:\autoexec.bat.id[C4BA3647-3429].[backupfile@gmx.com].faust | binary | |
MD5:D09064B266A5F382CBC498674EFCB8F0 | SHA256:E76E4A0DAB57522EDEFE9AA68B7FADB2F7A1F2B7AE40F17E4E67E26134405328 | |||
| 1064 | MsMpEng.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.id[C4BA3647-3429].[backupfile@gmx.com].faust | binary | |
MD5:737298CD32FE2808535F5601451485DA | SHA256:82FAA66028A1176AC2101DD6C2B5AC665197083A8A912E160F36424DB459EF86 | |||
| 1064 | MsMpEng.exe | C:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\MsMpEng.exe | executable | |
MD5:47E35509151B6F873E0D2850F80FB6C5 | SHA256:BDC0B4ED743F44CEE4F75E97E413EC9ECEC851DD5E62F756AACA46AB77D5D05D | |||
| 1064 | MsMpEng.exe | C:\config.sys.id[C4BA3647-3429].[backupfile@gmx.com].faust | binary | |
MD5:50CA72F22AA348C03338096816974CD6 | SHA256:6B061B8436DAEB32D4BD4477EA0CB19C5DACF5D25D1F98924F776CF2AA959677 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |