fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

Resubmissions

28-10-2021 15:44

211028-s6m55agfbk 10

10-10-2021 17:01

211010-vjzlragafj 8

Analysis

max time kernel
113s
max time network
111s
platform
windows10_x64
resource
win10-en-20210920
submitted
10-10-2021 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UnlockReset.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\EnterGet.tif => C:\Users\Admin\Pictures\EnterGet.tif.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\HideComplete.crw => C:\Users\Admin\Pictures\HideComplete.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideComplete.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\HideUndo.crw => C:\Users\Admin\Pictures\HideUndo.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\UnlockReset.crw => C:\Users\Admin\Pictures\UnlockReset.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\EnterGet.tif.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideUndo.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\RestartUpdate.crw => C:\Users\Admin\Pictures\RestartUpdate.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RestartUpdate.crw.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
3944	taskkill.exe
2332	taskkill.exe
1368	taskkill.exe
3052	taskkill.exe
2512	taskkill.exe
2108	taskkill.exe
1448	taskkill.exe
2832	taskkill.exe
2496	taskkill.exe
960	taskkill.exe
1104	taskkill.exe
348	taskkill.exe
1068	taskkill.exe
1292	taskkill.exe
3716	taskkill.exe
2908	taskkill.exe
3232	taskkill.exe
1676	taskkill.exe
1104	taskkill.exe
996	taskkill.exe
900	taskkill.exe
2544	taskkill.exe
3012	taskkill.exe
3164	taskkill.exe
984	taskkill.exe
1176	taskkill.exe
4068	taskkill.exe
2532	taskkill.exe
1516	taskkill.exe
2288	taskkill.exe
1908	taskkill.exe
1264	taskkill.exe
1896	taskkill.exe
2136	taskkill.exe
3124	taskkill.exe
3460	taskkill.exe
2040	taskkill.exe
1696	taskkill.exe
3200	taskkill.exe
3980	taskkill.exe
2888	taskkill.exe
2676	taskkill.exe
2396	taskkill.exe
3976	taskkill.exe
1676	taskkill.exe
3740	taskkill.exe
1020	taskkill.exe
840	taskkill.exe
1080	taskkill.exe
1788	taskkill.exe
3608	taskkill.exe
988	taskkill.exe
1620	taskkill.exe
4008	taskkill.exe
3492	taskkill.exe
1056	taskkill.exe
1536	taskkill.exe
1828	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3832	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
68	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	3940	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3232	netsh.exe
Token: SeDebugPrivilege	2136	Conhost.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	71
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	71
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	71
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	73
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	73
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	73
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	75
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	75
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	75
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	77
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	77
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	77
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	79
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	79
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	79
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	81
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	81
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	81
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	82
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	82
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	82
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	85
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	85
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	85
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	87
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	87
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	87
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	88
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	88
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	88
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	92
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	92
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	92
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	93
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	93
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	93
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	94
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	94
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	94
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	97
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	97
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	97
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	99
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	99
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	99
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	100
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	100
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	100
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	103
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	103
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	103
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	105
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	105
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	105
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	107
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	107
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	107
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	168
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	168
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	168
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	169
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	169
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	169
PID 3940 wrote to memory of 3608	3940	iE8JUAJp7.bin.exe	113

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:816
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3832
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3716
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:380
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1424
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2912
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1792
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1152
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2924
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1544
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:836
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:60
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:3232
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:820
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1056
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1420
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:4008
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:68
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
  2⤵
  PID:984

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3632-185-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3632-195-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/3632-208-0x0000000004F94000-0x0000000004F96000-memory.dmp

Filesize
8KB

Download
memory/3632-207-0x0000000004F93000-0x0000000004F94000-memory.dmp

Filesize
4KB

Download
memory/3632-206-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-196-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-194-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/3632-193-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/3632-184-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-183-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-191-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3632-186-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3632-187-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/3632-188-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3632-190-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/3632-192-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/3940-119-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3940-115-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3940-209-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/3940-210-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3940-117-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download