Analysis
- max time kernel: 151s
- max time network: 9s
- platform: windows7_x64
- resource: win7v200722
- submitted: 29-09-2020 10:31

Static task: static1
Behavioral task: behavioral1
  Sample: db_exec.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: db_exec.exe
  Resource: win10

General
- Target: db_exec.exe
- Size: 56KB
- MD5: 57a5909170a0faee72e61ad2155fd3fc
- SHA1: f03548eb37425741e62b5f64914513f53b82f4f7
- SHA256: 05eb6a100b33f2bcf48a1acaa989b96de246d09e6e8526de83a622ebe575d25f
- SHA512: a8237c539ea9d2145d8f1e77f81f4a5182da45e6f5a63c4d7f13560a336bfec75c825267de734bfd3c82fca7c9804f03d582bc1374357374fd660083f7dd0e74

Malware Config
- Extracted from \??\c:\users\admin\desktop\info.txt
  helpisos@aol.com
- Extracted from C:\Users\Admin\Desktop\info.hta
  helpisos@aol.com
Signatures
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
  Processes:
    pid  | process
    1420 | bcdedit.exe
    1492 | bcdedit.exe
    1856 | bcdedit.exe
    1380 | bcdedit.exe
- Deletes backup catalog
  Processes:
    pid  | process
    1552 | wbadmin.exe
    480  | wbadmin.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (3 IoCs)
  Processes:
    description | ioc | process
    File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\db_exec.exe | db_exec.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | db_exec.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[08742CD1-2589].[helpisos@aol.com].isos | db_exec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db_exec = "C:\\Users\\Admin\\AppData\\Local\\db_exec.exe" | db_exec.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\db_exec = "C:\\Users\\Admin\\AppData\\Local\\db_exec.exe" | db_exec.exe
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid  | process
    1992 | vssadmin.exe
    1552 | vssadmin.exe
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
    Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
    Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
    pid  | process
    1936 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid  | process
    936  | mshta.exe
    980  | mshta.exe
    1500 | mshta.exe
- Suspicious use of WriteProcessMemory (60 IoCs)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\db_exec.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\db_exec.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\db_exec.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\db_exec.exe"
  - [level 2] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall set currentprofile state off
    - [level 3] C:\Windows\system32\netsh.exe
      cmdline: netsh firewall set opmode mode=disable
  - [level 2] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\system32\vssadmin.exe
      cmdline: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - [level 3] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - [level 3] C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - [level 3] C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - [level 3] C:\Windows\system32\wbadmin.exe
      cmdline: wbadmin delete catalog -quiet
      - Deletes backup catalog
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
  - [level 2] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\system32\vssadmin.exe
      cmdline: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - [level 3] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - [level 3] C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - [level 3] C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - [level 3] C:\Windows\system32\wbadmin.exe
      cmdline: wbadmin delete catalog -quiet
      - Deletes backup catalog
- [level 1] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [level 1] C:\Windows\system32\wbengine.exe
  cmdline: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- [level 1] C:\Windows\System32\vdsldr.exe
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding
- [level 1] C:\Windows\System32\vds.exe
  cmdline: C:\Windows\System32\vds.exe
- [level 1] C:\Windows\system32\NOTEPAD.EXE
  cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt
  - Opens file in notepad (likely ransom note)
Downloads
- C:\Users\Admin\Desktop\info.hta
  MD5: 2887e232b753eda276857ac79fc3d527
  SHA1: 65ae49f09f1f12957f85c810b9a0eb302e2eced5
  SHA256: 31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
  SHA512: f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421
- C:\Users\Admin\Desktop\info.txt
  MD5: dd00d6983524a96df2f4e0be391744cb
  SHA1: 576f564b2822638e3fc27f0fcdd34fcc0832a257
  SHA256: 57084c6f3eda27f7887683f931651b81196aac66f9400a9788764ddba95d1776
  SHA512: b2282161764369c623f54ec915d6f70d793065da6acc1dcdcd8ee16931ff5419e1a797a56d230e7a047a613cb2a2c18236e25b2db6a1498545a7f773458ebf28
- C:\info.hta
  MD5: 2887e232b753eda276857ac79fc3d527
  SHA1: 65ae49f09f1f12957f85c810b9a0eb302e2eced5
  SHA256: 31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
  SHA512: f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421
- C:\users\public\desktop\info.hta
  MD5: 2887e232b753eda276857ac79fc3d527
  SHA1: 65ae49f09f1f12957f85c810b9a0eb302e2eced5
  SHA256: 31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
  SHA512: f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421