779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc

Resubmissions

09-06-2021 13:16

210609-r4nkyx7ywn 10

28-05-2021 09:36

210528-w5abwajf3x 10

Analysis

max time kernel
400s
max time network
499s
platform
windows10_x64
resource
win10v20210410
submitted
09-06-2021 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Size

233KB
MD5

96c565af56a5ba8339f35121bf9ff196
SHA1

2edae92d476225b00b4a7ea1e9d7f7ccfda462cb
SHA256

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
SHA512

6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: uMHRngsucG85yVzNb3BVeYfWGtNnYCNuIasLZAz24JgdctquzZNBUzXYxkVjK5e7SEj/HPdY8q9H1zt0gtIXYnMTtIbC2oDWEINzBjtbRpiZ/QC9jNQYjTLi2QASA5Ab+bksTHwWThGKrp2SY+iW00h2jmwF+FZVWDHiHHUykR36g6sLp6gIsR87jLtjCRyvWqjkWGciAy6Hsypri+IX630ssxidgL0hKrMk4hK5K9KE+cujSKcocnu5FdcX/4WbqNSBYhZ9iUx9JOJ5oFXjqjobqtKdKeEm8OL4HYkjGfCcVNdE4tvPzjJE6p0JAkn7A1hp3ZZ22I9HKVKa501Jh9P6qvqySW2fIL2Vmotg5irJB7pvNs9/3+OnaYEA20Tgm3YS09xMmB66CVotY3Sr66T+pXGcqMv9HiXnh/bFfagf9iYPokxTyvUwtIrBRlLqRcPzAs9L+HbwE7HGK4+N+AQWayyXHQu33d6TvkzNpfXwVW+ZSH9uWwuIr17PlFj+BkHNHEmrin/XFN+i8xk1L7BLLzhq7xPbFEJsx8YbhAeGJQ2LlmCodfdYDhCQz2GmTdqV9bMX/NnT3lkKMPj1T/51J2URb66XKaF6BS1NgkQRftTlI1vmz3yWk3dCFCk3OLlHIrKGF0YKMGc3Qg5ZTkMugWGoLkYWHxIeMCFZh6w=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: uMHRngsucG85yVzNb3BVeYfWGtNnYCNuIasLZAz24JgdctquzZNBUzXYxkVjK5e7SEj/HPdY8q9H1zt0gtIXYnMTtIbC2oDWEINzBjtbRpiZ/QC9jNQYjTLi2QASA5Ab+bksTHwWThGKrp2SY+iW00h2jmwF+FZVWDHiHHUykR36g6sLp6gIsR87jLtjCRyvWqjkWGciAy6Hsypri+IX630ssxidgL0hKrMk4hK5K9KE+cujSKcocnu5FdcX/4WbqNSBYhZ9iUx9JOJ5oFXjqjobqtKdKeEm8OL4HYkjGfCcVNdE4tvPzjJE6p0JAkn7A1hp3ZZ22I9HKVKa501Jh9P6qvqySW2fIL2Vmotg5irJB7pvNs9/3+OnaYEA20Tgm3YS09xMmB66CVotY3Sr66T+pXGcqMv9HiXnh/bFfagf9iYPokxTyvUwtIrBRlLqRcPzAs9L+HbwE7HGK4+N+AQWayyXHQu33d6TvkzNpfXwVW+ZSH9uWwuIr17PlFj+BkHNHEmrin/XFN+i8xk1L7BLLzhq7xPbFEJsx8YbhAeGJQ2LlmCodfdYDhCQz2GmTdqV9bMX/NnT3lkKMPj1T/51J2URb66XKaF6BS1NgkQRftTlI1vmz3yWk3dCFCk3OLlHIrKGF0YKMGc3Qg5ZTkMugWGoLkYWHxIeMCFZh6w=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Signatures

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExportShow.tiff	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WriteRestore.tiff	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectUnprotect.tiff	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
3892	taskkill.exe
2696	taskkill.exe
1936	taskkill.exe
2208	taskkill.exe
2684	taskkill.exe
4056	taskkill.exe
2776	taskkill.exe
4032	taskkill.exe
720	taskkill.exe
3032	taskkill.exe
1368	taskkill.exe
3792	taskkill.exe
4060	taskkill.exe
2784	taskkill.exe
1272	taskkill.exe
3780	taskkill.exe
3784	taskkill.exe
4040	taskkill.exe
2308	taskkill.exe
808	taskkill.exe
3860	taskkill.exe
3808	taskkill.exe
3540	taskkill.exe
2192	taskkill.exe
2084	taskkill.exe
3564	taskkill.exe
2696	taskkill.exe
1588	taskkill.exe
3560	taskkill.exe
500	taskkill.exe
1116	taskkill.exe
2316	taskkill.exe
2540	taskkill.exe
1116	taskkill.exe
3952	taskkill.exe
1500	taskkill.exe
2284	taskkill.exe
1520	taskkill.exe
4052	taskkill.exe
1272	taskkill.exe
2744	taskkill.exe
1900	taskkill.exe
2856	taskkill.exe
1428	taskkill.exe
3964	taskkill.exe
4060	taskkill.exe
1004	taskkill.exe
1936	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2680	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	2856	Conhost.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	1500	Conhost.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	3780	Conhost.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3964	Conhost.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1520	slui.exe
Token: SeDebugPrivilege	4052	Conhost.exe
Token: SeDebugPrivilege	2316	Conhost.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1644	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3860	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	78
PID 3872 wrote to memory of 3860	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	78
PID 3872 wrote to memory of 1452	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	80
PID 3872 wrote to memory of 1452	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	80
PID 3872 wrote to memory of 2680	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	82
PID 3872 wrote to memory of 2680	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	82
PID 3872 wrote to memory of 1248	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	84
PID 3872 wrote to memory of 1248	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	84
PID 3872 wrote to memory of 1020	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	86
PID 3872 wrote to memory of 1020	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	86
PID 3872 wrote to memory of 1644	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	87
PID 3872 wrote to memory of 1644	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	87
PID 3872 wrote to memory of 2008	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	93
PID 3872 wrote to memory of 2008	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	93
PID 3872 wrote to memory of 1580	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	90
PID 3872 wrote to memory of 1580	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	90
PID 3872 wrote to memory of 3776	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	94
PID 3872 wrote to memory of 3776	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	94
PID 3872 wrote to memory of 3024	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	96
PID 3872 wrote to memory of 3024	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	96
PID 3872 wrote to memory of 204	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	97
PID 3872 wrote to memory of 204	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	97
PID 3872 wrote to memory of 2388	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	99
PID 3872 wrote to memory of 2388	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	99
PID 3872 wrote to memory of 3896	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	102
PID 3872 wrote to memory of 3896	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	102
PID 3872 wrote to memory of 3892	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	104
PID 3872 wrote to memory of 3892	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	104
PID 3872 wrote to memory of 2776	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	105
PID 3872 wrote to memory of 2776	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	105
PID 3872 wrote to memory of 1116	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	108
PID 3872 wrote to memory of 1116	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	108
PID 3872 wrote to memory of 4032	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	110
PID 3872 wrote to memory of 4032	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	110
PID 3872 wrote to memory of 2856	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	203
PID 3872 wrote to memory of 2856	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	203
PID 3872 wrote to memory of 3808	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	114
PID 3872 wrote to memory of 3808	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	114
PID 3872 wrote to memory of 1588	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	116
PID 3872 wrote to memory of 1588	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	116
PID 3872 wrote to memory of 720	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	118
PID 3872 wrote to memory of 720	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	118
PID 3872 wrote to memory of 4060	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	190
PID 3872 wrote to memory of 4060	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	190
PID 3872 wrote to memory of 3952	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	122
PID 3872 wrote to memory of 3952	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	122
PID 3872 wrote to memory of 1500	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	185
PID 3872 wrote to memory of 1500	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	185
PID 3872 wrote to memory of 2696	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	188
PID 3872 wrote to memory of 2696	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	188
PID 3872 wrote to memory of 2784	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	128
PID 3872 wrote to memory of 2784	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	128
PID 3872 wrote to memory of 1272	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	186
PID 3872 wrote to memory of 1272	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	186
PID 3872 wrote to memory of 1428	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	133
PID 3872 wrote to memory of 1428	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	133
PID 3872 wrote to memory of 3540	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	134
PID 3872 wrote to memory of 3540	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	134
PID 3872 wrote to memory of 2616	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	136
PID 3872 wrote to memory of 2616	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	136
PID 3872 wrote to memory of 2284	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	141
PID 3872 wrote to memory of 2284	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	141
PID 3872 wrote to memory of 1936	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	200
PID 3872 wrote to memory of 1936	3872	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe	200

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1452
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2680
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1248
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1020
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1644
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1580
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2008
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3776
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3024
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:204
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2388
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:1116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:2696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1272
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:1936
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:3780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:3964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:1520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3808
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2284
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2296
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2444
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:3196
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2680
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3964
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
  2⤵
  PID:1432
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2540

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-184-0x000001217F060000-0x000001217F061000-memory.dmp

Filesize
4KB

Download
memory/1644-189-0x000001217F7F0000-0x000001217F7F1000-memory.dmp

Filesize
4KB

Download
memory/1644-201-0x000001217F6E6000-0x000001217F6E8000-memory.dmp

Filesize
8KB

Download
memory/1644-185-0x000001217F6E0000-0x000001217F6E2000-memory.dmp

Filesize
8KB

Download
memory/1644-186-0x000001217F6E3000-0x000001217F6E5000-memory.dmp

Filesize
8KB

Download
memory/3872-116-0x000000001B4C0000-0x000000001B4C2000-memory.dmp

Filesize
8KB

Download
memory/3872-114-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download