Analysis

  • max time kernel
    151s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    29-09-2020 10:31

General

  • Target

    db_exec.exe

  • Size

    56KB

  • MD5

    57a5909170a0faee72e61ad2155fd3fc

  • SHA1

    f03548eb37425741e62b5f64914513f53b82f4f7

  • SHA256

    05eb6a100b33f2bcf48a1acaa989b96de246d09e6e8526de83a622ebe575d25f

  • SHA512

    a8237c539ea9d2145d8f1e77f81f4a5182da45e6f5a63c4d7f13560a336bfec75c825267de734bfd3c82fca7c9804f03d582bc1374357374fd660083f7dd0e74

Malware Config

Extracted

Path

\??\c:\users\admin\desktop\info.txt

Ransom Note

ATTENTION! ALL YOUR DATA ARE PROTECTED WITH RSA ALGORITHM Your security system was vulnerable, so all of your files are encrypted. If you want to restore them, contact us by email: helpisos@aol.com in the header of the letter indicate your encrypted ID (you can find it in the names of your encrypted files) If you do not receive a response within 24 hours, please contact us by Telegram.org account: @iso_recovery BE CAREFUL AND DO NOT DAMAGE YOUR DATA: Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible WE GUARANTEE A FREE DECODE AS A PROOF OF OUR POSSIBILITIES: You can send us 2 files for free decryption. Size of file must be less than 1 Mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files. DO NOT ATTEMPT TO DECODE YOUR DATA YOURSELF, YOU ONLY DAMAGE THEM AND THEN YOU LOSE THEM FOREVER. AFTER DECRYPTION YOUR SYSTEM WILL RETURN TO A FULLY NORMALLY AND OPERATIONAL CONDITION!

Emails

helpisos@aol.com

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

ATTENTION! ALL YOUR DATA ARE PROTECTED WITH RSA ALGORITHM Your security system was vulnerable, so all of your files are encrypted. If you want to restore them, contact us by email: helpisos@aol.com in the header of the letter indicate your encrypted ID 08742CD1-2589 If you do not receive a response within 24 hours, please contact us by Telegram.org account: @iso_recovery BE CAREFUL AND DO NOT DAMAGE YOUR DATA: Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible WE GUARANTEE A FREE DECODE AS A PROOF OF OUR POSSIBILITIES: You can send us 2 files for free decryption. Size of file must be less than 1 Mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files. DO NOT ATTEMPT TO DECODE YOUR DATA YOURSELF, YOU ONLY DAMAGE THEM AND THEN YOU LOSE THEM FOREVER. AFTER DECRYPTION YOUR SYSTEM WILL RETURN TO A FULLY NORMALLY AND OPERATIONAL CONDITION!

Emails

helpisos@aol.com

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db_exec.exe
    "C:\Users\Admin\AppData\Local\Temp\db_exec.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\db_exec.exe
      "C:\Users\Admin\AppData\Local\Temp\db_exec.exe"
      2⤵
      PID:1856
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:1964
      • C:\Windows\system32\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:524
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1992
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1420
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1492
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:1552
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      PID:936
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      PID:980
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      PID:1500
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1552
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1856
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1380
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:480
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:652
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1668
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2024
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1356
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059): 1
  • Persistence
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    File Deletion (T1107): 3
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 4

Downloads

  • C:\Users\Admin\Desktop\info.hta
    MD5
    2887e232b753eda276857ac79fc3d527
    SHA1
    65ae49f09f1f12957f85c810b9a0eb302e2eced5
    SHA256
    31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
    SHA512
    f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421

  • C:\Users\Admin\Desktop\info.txt
    MD5
    dd00d6983524a96df2f4e0be391744cb
    SHA1
    576f564b2822638e3fc27f0fcdd34fcc0832a257
    SHA256
    57084c6f3eda27f7887683f931651b81196aac66f9400a9788764ddba95d1776
    SHA512
    b2282161764369c623f54ec915d6f70d793065da6acc1dcdcd8ee16931ff5419e1a797a56d230e7a047a613cb2a2c18236e25b2db6a1498545a7f773458ebf28

  • C:\info.hta
    MD5
    2887e232b753eda276857ac79fc3d527
    SHA1
    65ae49f09f1f12957f85c810b9a0eb302e2eced5
    SHA256
    31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
    SHA512
    f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421

  • C:\users\public\desktop\info.hta
    MD5
    2887e232b753eda276857ac79fc3d527
    SHA1
    65ae49f09f1f12957f85c810b9a0eb302e2eced5
    SHA256
    31d28a6a7f2145cff859005844e54f1acc4ef15052773d58990bb5a63088da1e
    SHA512
    f55bc7b72b952e1a580b642d25f8c6657d72da1db381286b7943b33db4f4fa19c400f478171a986b9114e9d9692eb9076135ff8c7c141f251b6ed15fcb70c421

  • memory/480-20-0x0000000000000000-mapping.dmp
  • memory/524-4-0x0000000000000000-mapping.dmp
  • memory/936-9-0x0000000000000000-mapping.dmp
  • memory/980-10-0x0000000000000000-mapping.dmp
  • memory/1380-19-0x0000000000000000-mapping.dmp
  • memory/1404-5-0x0000000000000000-mapping.dmp
  • memory/1420-6-0x0000000000000000-mapping.dmp
  • memory/1492-7-0x0000000000000000-mapping.dmp
  • memory/1500-11-0x0000000000000000-mapping.dmp
  • memory/1552-8-0x0000000000000000-mapping.dmp
  • memory/1552-16-0x0000000000000000-mapping.dmp
  • memory/1564-0-0x0000000000000000-mapping.dmp
  • memory/1632-1-0x0000000000000000-mapping.dmp
  • memory/1844-12-0x0000000000000000-mapping.dmp
  • memory/1856-18-0x0000000000000000-mapping.dmp
  • memory/1900-21-0x000007FEF7FA0000-0x000007FEF821A000-memory.dmp
    Filesize
    2.5MB
  • memory/1952-17-0x0000000000000000-mapping.dmp
  • memory/1964-3-0x0000000000000000-mapping.dmp
  • memory/1992-2-0x0000000000000000-mapping.dmp