fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

Resubmissions

28/10/2021, 15:44

211028-s6m55agfbk 10

10/10/2021, 17:01

211010-vjzlragafj 8

Analysis

max time kernel
151s
max time network
143s
platform
windows7_x64
resource
win7-en-20210920
submitted
10/10/2021, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	15	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeMount.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeGrant.raw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ExitRestore.png.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
1832	taskkill.exe
1152	taskkill.exe
848	taskkill.exe
1720	taskkill.exe
1752	taskkill.exe
1528	taskkill.exe
996	taskkill.exe
1964	taskkill.exe
1700	taskkill.exe
1884	taskkill.exe
1960	taskkill.exe
1116	taskkill.exe
1708	taskkill.exe
1448	taskkill.exe
1796	taskkill.exe
764	taskkill.exe
1696	taskkill.exe
1136	taskkill.exe
1708	taskkill.exe
548	taskkill.exe
920	taskkill.exe
1920	taskkill.exe
1584	taskkill.exe
1744	taskkill.exe
1100	taskkill.exe
1920	taskkill.exe
1596	taskkill.exe
548	taskkill.exe
892	taskkill.exe
1176	taskkill.exe
2016	taskkill.exe
1556	taskkill.exe
2000	taskkill.exe
1580	taskkill.exe
1252	taskkill.exe
1652	taskkill.exe
1820	taskkill.exe
1604	taskkill.exe
1668	taskkill.exe
1240	taskkill.exe
1756	taskkill.exe
1456	taskkill.exe
1612	taskkill.exe
1960	taskkill.exe
1896	taskkill.exe
1816	taskkill.exe
1892	taskkill.exe
1448	taskkill.exe
1288	taskkill.exe
1696	taskkill.exe
1100	taskkill.exe
1508	taskkill.exe
1368	taskkill.exe
1764	taskkill.exe
1396	taskkill.exe
844	taskkill.exe
1196	taskkill.exe
1596	taskkill.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1040	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	2032	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1700	Process not Found
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	756	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1136	splwow64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	28
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	28
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	28
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	28
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	30
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	30
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	30
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	30
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	32
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	32
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	32
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	32
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	34
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	34
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	34
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	34
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	36
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	36
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	36
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	36
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	37
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	37
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	37
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	37
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	40
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	40
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	40
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	40
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	42
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	42
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	42
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	42
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	43
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	43
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	43
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	43
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	45
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	45
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	45
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	45
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	48
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	48
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	48
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	48
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	49
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	49
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	49
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	49
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	52
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	52
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	52
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	52
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	54
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	54
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	54
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	54
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	55
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	55
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	55
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	55
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	57
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	57
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	57
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	57

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1040
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1444
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1260
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1600
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1536
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1608
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:996
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1456
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2016
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:284
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1152
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1580
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1740
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:548
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:1820
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-124-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/756-125-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/756-123-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/1136-130-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1136-132-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1608-72-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/2032-53-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2032-59-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2032-133-0x0000000005295000-0x00000000052A6000-memory.dmp

Filesize
68KB

Download