eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46

Resubmissions

29-10-2021 09:03

211029-kz7xysdac7 10

28-10-2021 13:28

211028-qq5dcsgdeq 10

23-10-2021 01:52

211023-cagepshab4 8

Analysis

max time kernel
184s
max time network
161s
platform
windows7_x64
resource
win7-en-20211014
submitted
23-10-2021 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steriok.exe
Size

94KB
MD5

b0c615c0a4f485b2030d6e1ab98375f0
SHA1

de11e9d61e0a31dc19e8c5dd8fe06facf0ead052
SHA256

eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46
SHA512

82342be7d388244b5b008134d6d351f669995caff94a9a532ce056130f1af54a20ec6f2b9a3ca78102200c53a73659d1043e5b213ce84642d225690a3a848024

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 26 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

steriok.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushSet.crw => C:\Users\Admin\Pictures\PushSet.crw.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\RenameRemove.crw => C:\Users\Admin\Pictures\RenameRemove.crw.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\SendPublish.tiff => C:\Users\Admin\Pictures\SendPublish.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\StartUnlock.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\CopyMove.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\CopyMove.tiff => C:\Users\Admin\Pictures\CopyMove.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\CopyMove.tiff.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ProtectWatch.png => C:\Users\Admin\Pictures\ProtectWatch.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\UnprotectExport.png => C:\Users\Admin\Pictures\UnprotectExport.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ExitConfirm.tiff	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.crw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\SendPublish.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\SendPublish.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\StartUnlock.tiff => C:\Users\Admin\Pictures\StartUnlock.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ExitConfirm.tiff.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\InvokeConvertFrom.png => C:\Users\Admin\Pictures\InvokeConvertFrom.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeConvertFrom.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectWatch.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\StartUnlock.tiff	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectExport.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\WaitResume.tif => C:\Users\Admin\Pictures\WaitResume.tif.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\WaitResume.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ExitConfirm.tiff => C:\Users\Admin\Pictures\ExitConfirm.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\PushSet.crw.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ReceiveDeny.crw => C:\Users\Admin\Pictures\ReceiveDeny.crw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveDeny.crw.steriok	steriok.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
460	cmd.exe

Drops startup file 1 IoCs

Processes:

steriok.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	steriok.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

steriok.exe

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	steriok.exe

Drops file in Program Files directory 61 IoCs

Processes:

steriok.exe

description	ioc	Process
File opened for modification	C:\Program Files\SaveFind.rmi	steriok.exe
File opened for modification	C:\Program Files\WatchWrite.mpeg	steriok.exe
File opened for modification	C:\Program Files\WriteDebug.emf.steriok	steriok.exe
File opened for modification	C:\Program Files\MergeRestart.temp	steriok.exe
File opened for modification	C:\Program Files\OutOpen.mpe.steriok	steriok.exe
File opened for modification	C:\Program Files\ResetEnable.dib	steriok.exe
File opened for modification	C:\Program Files\DismountRemove.ocx	steriok.exe
File opened for modification	C:\Program Files\HideSubmit.asx	steriok.exe
File opened for modification	C:\Program Files\ResetEnable.dib.steriok	steriok.exe
File opened for modification	C:\Program Files\UninstallUpdate.ods	steriok.exe
File opened for modification	C:\Program Files\UnpublishLock.dotx.steriok	steriok.exe
File opened for modification	C:\Program Files\NewTest.crw.steriok	steriok.exe
File opened for modification	C:\Program Files\OutOpen.mpe	steriok.exe
File opened for modification	C:\Program Files\PushUse.wmx.steriok	steriok.exe
File opened for modification	C:\Program Files\UnpublishLock.dotx	steriok.exe
File created	C:\Program Files\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Program Files\ConvertFromPop.wm.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertToSubmit.midi.steriok	steriok.exe
File opened for modification	C:\Program Files\MountSearch.wmf.steriok	steriok.exe
File opened for modification	C:\Program Files\RevokeRead.xps	steriok.exe
File opened for modification	C:\Program Files\StartEnable.wpl.steriok	steriok.exe
File opened for modification	C:\Program Files\ApproveUninstall.lnk	steriok.exe
File opened for modification	C:\Program Files\MergeRestart.temp.steriok	steriok.exe
File opened for modification	C:\Program Files\PushUndo.html	steriok.exe
File opened for modification	C:\Program Files\ResolveMount.mp3.steriok	steriok.exe
File opened for modification	C:\Program Files\WriteDebug.emf	steriok.exe
File opened for modification	C:\Program Files\CopyConnect.wdp	steriok.exe
File opened for modification	C:\Program Files\HideSubmit.asx.steriok	steriok.exe
File opened for modification	C:\Program Files\RevokeRead.xps.steriok	steriok.exe
File opened for modification	C:\Program Files\CompleteShow.jtx.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertCompress.asf.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertToSubmit.midi	steriok.exe
File opened for modification	C:\Program Files\TraceReset.dwfx	steriok.exe
File opened for modification	C:\Program Files\ApproveMeasure.eps	steriok.exe
File opened for modification	C:\Program Files\SearchConvertTo.ps1xml.steriok	steriok.exe
File opened for modification	C:\Program Files\TraceReset.dwfx.steriok	steriok.exe
File opened for modification	C:\Program Files\UninstallUpdate.ods.steriok	steriok.exe
File opened for modification	C:\Program Files\RegisterHide.odp	steriok.exe
File opened for modification	C:\Program Files\SaveFind.rmi.steriok	steriok.exe
File opened for modification	C:\Program Files\WatchWrite.mpeg.steriok	steriok.exe
File opened for modification	C:\Program Files\ClearDismount.vb.steriok	steriok.exe
File opened for modification	C:\Program Files\CompleteShow.jtx	steriok.exe
File opened for modification	C:\Program Files\PushUndo.html.steriok	steriok.exe
File opened for modification	C:\Program Files\RegisterHide.odp.steriok	steriok.exe
File opened for modification	C:\Program Files\ResolveMount.mp3	steriok.exe
File opened for modification	C:\Program Files\ApproveMeasure.eps.steriok	steriok.exe
File opened for modification	C:\Program Files\ApproveUninstall.lnk.steriok	steriok.exe
File opened for modification	C:\Program Files\ClearDismount.vb	steriok.exe
File opened for modification	C:\Program Files\ConvertFromPop.wm	steriok.exe
File opened for modification	C:\Program Files\ConvertFromRestore.dxf	steriok.exe
File opened for modification	C:\Program Files\ClearJoin.vssx	steriok.exe
File opened for modification	C:\Program Files\ClearJoin.vssx.steriok	steriok.exe
File opened for modification	C:\Program Files\PushUse.wmx	steriok.exe
File opened for modification	C:\Program Files\StartEnable.wpl	steriok.exe
File opened for modification	C:\Program Files\ConvertCompress.asf	steriok.exe
File opened for modification	C:\Program Files\NewTest.crw	steriok.exe
File opened for modification	C:\Program Files\CopyConnect.wdp.steriok	steriok.exe
File opened for modification	C:\Program Files\DismountRemove.ocx.steriok	steriok.exe
File opened for modification	C:\Program Files\MountSearch.wmf	steriok.exe
File opened for modification	C:\Program Files\SearchConvertTo.ps1xml	steriok.exe
File opened for modification	C:\Program Files\ConvertFromRestore.dxf.steriok	steriok.exe

Drops file in Windows directory 28 IoCs

Processes:

steriok.exe

description	ioc	Process
File opened for modification	C:\Windows\setupact.log.steriok	steriok.exe
File opened for modification	C:\Windows\win.ini	steriok.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log	steriok.exe
File opened for modification	C:\Windows\setuperr.log	steriok.exe
File opened for modification	C:\Windows\WMSysPr9.prx	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log.steriok	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log.steriok	steriok.exe
File opened for modification	C:\Windows\PFRO.log.steriok	steriok.exe
File opened for modification	C:\Windows\setupact.log	steriok.exe
File opened for modification	C:\Windows\system.ini.steriok	steriok.exe
File opened for modification	C:\Windows\Ultimate.xml	steriok.exe
File opened for modification	C:\Windows\Starter.xml	steriok.exe
File opened for modification	C:\Windows\Ultimate.xml.steriok	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	steriok.exe
File opened for modification	C:\Windows\mib.bin	steriok.exe
File opened for modification	C:\Windows\TSSysprep.log	steriok.exe
File created	C:\Windows\bootstat.dat.steriok	steriok.exe
File opened for modification	C:\Windows\PFRO.log	steriok.exe
File opened for modification	C:\Windows\Starter.xml.steriok	steriok.exe
File opened for modification	C:\Windows\system.ini	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log	steriok.exe
File opened for modification	C:\Windows\bootstat.dat	steriok.exe
File opened for modification	C:\Windows\msdfmap.ini	steriok.exe
File opened for modification	C:\Windows\TSSysprep.log.steriok	steriok.exe
File opened for modification	C:\Windows\win.ini.steriok	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest.steriok	steriok.exe
File opened for modification	C:\Windows\msdfmap.ini.steriok	steriok.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
920	taskkill.exe
1716	taskkill.exe
2024	taskkill.exe
1372	taskkill.exe
1644	taskkill.exe
1572	taskkill.exe
1144	taskkill.exe
1408	taskkill.exe
1656	taskkill.exe
1944	taskkill.exe
1508	taskkill.exe
1740	taskkill.exe
1620	taskkill.exe
592	taskkill.exe
544	taskkill.exe
1996	taskkill.exe
1928	taskkill.exe
1844	taskkill.exe
1728	taskkill.exe
900	taskkill.exe
328	taskkill.exe
1596	taskkill.exe
1424	taskkill.exe
2040	taskkill.exe
1972	taskkill.exe
288	taskkill.exe
1752	taskkill.exe
1592	taskkill.exe
1972	taskkill.exe
1740	taskkill.exe
1096	taskkill.exe
1828	taskkill.exe
980	taskkill.exe
1604	taskkill.exe
908	taskkill.exe
940	taskkill.exe
108	taskkill.exe
1132	taskkill.exe
544	taskkill.exe
1608	taskkill.exe
1680	taskkill.exe
1956	taskkill.exe
592	taskkill.exe
792	taskkill.exe
992	taskkill.exe
1760	taskkill.exe
816	taskkill.exe
1732	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1348	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

NOTEPAD.EXEnotepad.exe

pid	Process
1372	NOTEPAD.EXE
956	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1832	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

steriok.exe

pid	Process
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe
1060	steriok.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

steriok.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exeAUDIODG.EXE

description	pid	Process
Token: SeDebugPrivilege	1060	steriok.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	592	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	592	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: 33	1348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1348	AUDIODG.EXE
Token: 33	1348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1348	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

steriok.exe

pid	Process
1060	steriok.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

steriok.exe

pid	Process
1060	steriok.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

steriok.exe

description	pid	Process	procid_target
PID 1060 wrote to memory of 108	1060	steriok.exe	29
PID 1060 wrote to memory of 108	1060	steriok.exe	29
PID 1060 wrote to memory of 108	1060	steriok.exe	29
PID 1060 wrote to memory of 108	1060	steriok.exe	29
PID 1060 wrote to memory of 1068	1060	steriok.exe	31
PID 1060 wrote to memory of 1068	1060	steriok.exe	31
PID 1060 wrote to memory of 1068	1060	steriok.exe	31
PID 1060 wrote to memory of 1068	1060	steriok.exe	31
PID 1060 wrote to memory of 1348	1060	steriok.exe	33
PID 1060 wrote to memory of 1348	1060	steriok.exe	33
PID 1060 wrote to memory of 1348	1060	steriok.exe	33
PID 1060 wrote to memory of 1348	1060	steriok.exe	33
PID 1060 wrote to memory of 1844	1060	steriok.exe	35
PID 1060 wrote to memory of 1844	1060	steriok.exe	35
PID 1060 wrote to memory of 1844	1060	steriok.exe	35
PID 1060 wrote to memory of 1844	1060	steriok.exe	35
PID 1060 wrote to memory of 1240	1060	steriok.exe	37
PID 1060 wrote to memory of 1240	1060	steriok.exe	37
PID 1060 wrote to memory of 1240	1060	steriok.exe	37
PID 1060 wrote to memory of 1240	1060	steriok.exe	37
PID 1060 wrote to memory of 1344	1060	steriok.exe	39
PID 1060 wrote to memory of 1344	1060	steriok.exe	39
PID 1060 wrote to memory of 1344	1060	steriok.exe	39
PID 1060 wrote to memory of 1344	1060	steriok.exe	39
PID 1060 wrote to memory of 972	1060	steriok.exe	40
PID 1060 wrote to memory of 972	1060	steriok.exe	40
PID 1060 wrote to memory of 972	1060	steriok.exe	40
PID 1060 wrote to memory of 972	1060	steriok.exe	40
PID 1060 wrote to memory of 900	1060	steriok.exe	41
PID 1060 wrote to memory of 900	1060	steriok.exe	41
PID 1060 wrote to memory of 900	1060	steriok.exe	41
PID 1060 wrote to memory of 900	1060	steriok.exe	41
PID 1060 wrote to memory of 1460	1060	steriok.exe	45
PID 1060 wrote to memory of 1460	1060	steriok.exe	45
PID 1060 wrote to memory of 1460	1060	steriok.exe	45
PID 1060 wrote to memory of 1460	1060	steriok.exe	45
PID 1060 wrote to memory of 904	1060	steriok.exe	47
PID 1060 wrote to memory of 904	1060	steriok.exe	47
PID 1060 wrote to memory of 904	1060	steriok.exe	47
PID 1060 wrote to memory of 904	1060	steriok.exe	47
PID 1060 wrote to memory of 2032	1060	steriok.exe	49
PID 1060 wrote to memory of 2032	1060	steriok.exe	49
PID 1060 wrote to memory of 2032	1060	steriok.exe	49
PID 1060 wrote to memory of 2032	1060	steriok.exe	49
PID 1060 wrote to memory of 1208	1060	steriok.exe	51
PID 1060 wrote to memory of 1208	1060	steriok.exe	51
PID 1060 wrote to memory of 1208	1060	steriok.exe	51
PID 1060 wrote to memory of 1208	1060	steriok.exe	51
PID 1060 wrote to memory of 1696	1060	steriok.exe	53
PID 1060 wrote to memory of 1696	1060	steriok.exe	53
PID 1060 wrote to memory of 1696	1060	steriok.exe	53
PID 1060 wrote to memory of 1696	1060	steriok.exe	53
PID 1060 wrote to memory of 1740	1060	steriok.exe	59
PID 1060 wrote to memory of 1740	1060	steriok.exe	59
PID 1060 wrote to memory of 1740	1060	steriok.exe	59
PID 1060 wrote to memory of 1740	1060	steriok.exe	59
PID 1060 wrote to memory of 1132	1060	steriok.exe	58
PID 1060 wrote to memory of 1132	1060	steriok.exe	58
PID 1060 wrote to memory of 1132	1060	steriok.exe	58
PID 1060 wrote to memory of 1132	1060	steriok.exe	58
PID 1060 wrote to memory of 1620	1060	steriok.exe	56
PID 1060 wrote to memory of 1620	1060	steriok.exe	56
PID 1060 wrote to memory of 1620	1060	steriok.exe	56
PID 1060 wrote to memory of 1620	1060	steriok.exe	56

C:\Users\Admin\AppData\Local\Temp\steriok.exe
"C:\Users\Admin\AppData\Local\Temp\steriok.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1348
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1240
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1344
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:972
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:900
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1460
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:904
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1208
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1832
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\steriok.exe
  2⤵
  - Deletes itself
  PID:460
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1688

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1144

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x538
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

MD5
9900dd1d8de9f62b81cfc45b84d73893

SHA1
ee9256b33dd065f8c6f4dc2a90789eedcce0e802

SHA256
c8150cf762da2bf1fbbeb2e89d64f78d855d42bc6a06be6507a687b065b85642

SHA512
eac2bb341130255916d9868f1ec8ba3b91f97d7cf0491bdc6d49bd22656f9b79e435a65e6d53101c0e3ffb651faba74e320187ebbeca05e1aab78418794f4eec

Download Submit
memory/108-58-0x0000000000000000-mapping.dmp

Download
memory/288-95-0x0000000000000000-mapping.dmp

Download
memory/328-91-0x0000000000000000-mapping.dmp

Download
memory/544-100-0x0000000000000000-mapping.dmp

Download
memory/544-87-0x0000000000000000-mapping.dmp

Download
memory/592-99-0x0000000000000000-mapping.dmp

Download
memory/592-85-0x0000000000000000-mapping.dmp

Download
memory/792-94-0x0000000000000000-mapping.dmp

Download
memory/816-83-0x0000000000000000-mapping.dmp

Download
memory/900-80-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/904-67-0x0000000000000000-mapping.dmp

Download
memory/908-97-0x0000000000000000-mapping.dmp

Download
memory/920-81-0x0000000000000000-mapping.dmp

Download
memory/940-114-0x0000000000000000-mapping.dmp

Download
memory/956-125-0x0000000000000000-mapping.dmp

Download
memory/972-64-0x0000000000000000-mapping.dmp

Download
memory/980-88-0x0000000000000000-mapping.dmp

Download
memory/992-101-0x0000000000000000-mapping.dmp

Download
memory/1060-57-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1060-55-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1068-59-0x0000000000000000-mapping.dmp

Download
memory/1068-126-0x0000000000000000-mapping.dmp

Download
memory/1096-90-0x0000000000000000-mapping.dmp

Download
memory/1132-72-0x0000000000000000-mapping.dmp

Download
memory/1144-74-0x0000000000000000-mapping.dmp

Download
memory/1144-122-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1208-69-0x0000000000000000-mapping.dmp

Download
memory/1240-62-0x0000000000000000-mapping.dmp

Download
memory/1344-63-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1372-106-0x0000000000000000-mapping.dmp

Download
memory/1408-75-0x0000000000000000-mapping.dmp

Download
memory/1424-110-0x0000000000000000-mapping.dmp

Download
memory/1460-66-0x0000000000000000-mapping.dmp

Download
memory/1508-108-0x0000000000000000-mapping.dmp

Download
memory/1572-113-0x0000000000000000-mapping.dmp

Download
memory/1592-107-0x0000000000000000-mapping.dmp

Download
memory/1596-102-0x0000000000000000-mapping.dmp

Download
memory/1604-89-0x0000000000000000-mapping.dmp

Download
memory/1608-104-0x0000000000000000-mapping.dmp

Download
memory/1620-73-0x0000000000000000-mapping.dmp

Download
memory/1632-120-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1632-118-0x0000000000000000-mapping.dmp

Download
memory/1632-119-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1632-121-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-112-0x0000000000000000-mapping.dmp

Download
memory/1656-117-0x0000000000000000-mapping.dmp

Download
memory/1680-115-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1716-82-0x0000000000000000-mapping.dmp

Download
memory/1728-86-0x0000000000000000-mapping.dmp

Download
memory/1732-93-0x0000000000000000-mapping.dmp

Download
memory/1740-116-0x0000000000000000-mapping.dmp

Download
memory/1740-71-0x0000000000000000-mapping.dmp

Download
memory/1752-96-0x0000000000000000-mapping.dmp

Download
memory/1760-105-0x0000000000000000-mapping.dmp

Download
memory/1828-76-0x0000000000000000-mapping.dmp

Download
memory/1832-128-0x0000000000000000-mapping.dmp

Download
memory/1844-61-0x0000000000000000-mapping.dmp

Download
memory/1844-84-0x0000000000000000-mapping.dmp

Download
memory/1928-111-0x0000000000000000-mapping.dmp

Download
memory/1944-98-0x0000000000000000-mapping.dmp

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download
memory/1972-109-0x0000000000000000-mapping.dmp

Download
memory/1972-79-0x0000000000000000-mapping.dmp

Download
memory/1996-103-0x0000000000000000-mapping.dmp

Download
memory/2024-92-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000000000-mapping.dmp

Download
memory/2040-77-0x0000000000000000-mapping.dmp

Download