eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46

Resubmissions

29-10-2021 09:03

211029-kz7xysdac7 10

28-10-2021 13:28

211028-qq5dcsgdeq 10

23-10-2021 01:52

211023-cagepshab4 8

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
28-10-2021 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steriok.exe
Size

94KB
MD5

b0c615c0a4f485b2030d6e1ab98375f0
SHA1

de11e9d61e0a31dc19e8c5dd8fe06facf0ead052
SHA256

eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46
SHA512

82342be7d388244b5b008134d6d351f669995caff94a9a532ce056130f1af54a20ec6f2b9a3ca78102200c53a73659d1043e5b213ce84642d225690a3a848024

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertFromConvert.tiff.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ConvertOpen.tif => C:\Users\Admin\Pictures\ConvertOpen.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\NewSave.crw => C:\Users\Admin\Pictures\NewSave.crw.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\UnlockDeny.tiff => C:\Users\Admin\Pictures\UnlockDeny.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UseStep.tiff	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromConvert.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromConvert.tiff => C:\Users\Admin\Pictures\ConvertFromConvert.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertOpen.tif.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\CopyTest.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\CopyTest.tiff => C:\Users\Admin\Pictures\CopyTest.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\CopyTest.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\DismountResize.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ExportSwitch.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\ApproveRegister.png => C:\Users\Admin\Pictures\ApproveRegister.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\UseStep.tiff => C:\Users\Admin\Pictures\UseStep.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UseStep.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockDeny.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\ExportSwitch.tif => C:\Users\Admin\Pictures\ExportSwitch.tif.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\DismountResize.png => C:\Users\Admin\Pictures\DismountResize.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\NewSave.crw.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockDeny.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveRegister.png.steriok	steriok.exe

Drops startup file 1 IoCs

Processes:

steriok.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk steriok.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	steriok.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	steriok.exe

Drops file in Program Files directory 21 IoCs

Processes:

steriok.exe

description	ioc	process
File opened for modification	C:\Program Files\RepairShow.odt	steriok.exe
File opened for modification	C:\Program Files\TraceResolve.otf	steriok.exe
File opened for modification	C:\Program Files\TraceResolve.otf.steriok	steriok.exe
File created	C:\Program Files\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Program Files\CompareSelect.M2V.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertExpand.dotm	steriok.exe
File opened for modification	C:\Program Files\MeasureFind.dwfx	steriok.exe
File opened for modification	C:\Program Files\ResumeGrant.sys.steriok	steriok.exe
File opened for modification	C:\Program Files\CompareSelect.M2V	steriok.exe
File opened for modification	C:\Program Files\RedoCopy.m4a.steriok	steriok.exe
File opened for modification	C:\Program Files\RemoveAssert.xht	steriok.exe
File opened for modification	C:\Program Files\StepRepair.asx	steriok.exe
File opened for modification	C:\Program Files\StepRepair.asx.steriok	steriok.exe
File opened for modification	C:\Program Files\ResumeGrant.sys	steriok.exe
File opened for modification	C:\Program Files\BlockWrite.clr	steriok.exe
File opened for modification	C:\Program Files\BlockWrite.clr.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertExpand.dotm.steriok	steriok.exe
File opened for modification	C:\Program Files\MeasureFind.dwfx.steriok	steriok.exe
File opened for modification	C:\Program Files\RedoCopy.m4a	steriok.exe
File opened for modification	C:\Program Files\RemoveAssert.xht.steriok	steriok.exe
File opened for modification	C:\Program Files\RepairShow.odt.steriok	steriok.exe

Drops file in Windows directory 23 IoCs

Processes:

steriok.exe

description	ioc	process
File created	C:\Windows\bootstat.dat.steriok	steriok.exe
File opened for modification	C:\Windows\setupact.log.steriok	steriok.exe
File opened for modification	C:\Windows\system.ini.steriok	steriok.exe
File opened for modification	C:\Windows\win.ini	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log	steriok.exe
File opened for modification	C:\Windows\WMSysPr9.prx	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log	steriok.exe
File opened for modification	C:\Windows\PFRO.log	steriok.exe
File opened for modification	C:\Windows\setupact.log	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	steriok.exe
File opened for modification	C:\Windows\lsasetup.log	steriok.exe
File opened for modification	C:\Windows\lsasetup.log.steriok	steriok.exe
File opened for modification	C:\Windows\mib.bin	steriok.exe
File opened for modification	C:\Windows\Professional.xml	steriok.exe
File opened for modification	C:\Windows\Professional.xml.steriok	steriok.exe
File opened for modification	C:\Windows\system.ini	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log.steriok	steriok.exe
File opened for modification	C:\Windows\bootstat.dat	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log.steriok	steriok.exe
File opened for modification	C:\Windows\PFRO.log.steriok	steriok.exe
File opened for modification	C:\Windows\setuperr.log	steriok.exe
File opened for modification	C:\Windows\win.ini.steriok	steriok.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	steriok.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
68	taskkill.exe
724	taskkill.exe
1332	taskkill.exe
868	taskkill.exe
3436	taskkill.exe
2964	taskkill.exe
1728	taskkill.exe
3740	taskkill.exe
1316	taskkill.exe
1776	taskkill.exe
976	taskkill.exe
3896	taskkill.exe
2304	taskkill.exe
1488	taskkill.exe
2332	taskkill.exe
3716	taskkill.exe
3252	taskkill.exe
2852	taskkill.exe
1732	taskkill.exe
3252	taskkill.exe
1476	taskkill.exe
3708	taskkill.exe
1472	taskkill.exe
756	taskkill.exe
776	taskkill.exe
1152	taskkill.exe
2756	taskkill.exe
604	taskkill.exe
2320	taskkill.exe
2964	taskkill.exe
2216	taskkill.exe
2600	taskkill.exe
1240	taskkill.exe
1012	taskkill.exe
2284	taskkill.exe
1160	taskkill.exe
3164	taskkill.exe
1336	taskkill.exe
3712	taskkill.exe
728	taskkill.exe
2380	taskkill.exe
1672	taskkill.exe
3848	taskkill.exe
1400	taskkill.exe
1140	taskkill.exe
2084	taskkill.exe
3668	taskkill.exe
3676	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2296 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

948 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3196 PING.EXE

pid	process
2296	reg.exe

pid	process
948	notepad.exe

pid	process
3196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

steriok.exe

pid	process
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe
2764	steriok.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

steriok.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2764	steriok.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	68	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

steriok.exe

pid process

2764 steriok.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

steriok.exe

pid process

2764 steriok.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

steriok.exe

description	pid	process	target process
PID 2764 wrote to memory of 604	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 604	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 604	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1092	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 1092	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 1092	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 2296	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 2296	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 2296	2764	steriok.exe	reg.exe
PID 2764 wrote to memory of 3396	2764	steriok.exe	schtasks.exe
PID 2764 wrote to memory of 3396	2764	steriok.exe	schtasks.exe
PID 2764 wrote to memory of 3396	2764	steriok.exe	schtasks.exe
PID 2764 wrote to memory of 924	2764	steriok.exe	cmd.exe
PID 2764 wrote to memory of 924	2764	steriok.exe	cmd.exe
PID 2764 wrote to memory of 924	2764	steriok.exe	cmd.exe
PID 2764 wrote to memory of 3672	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3672	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3672	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3196	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3196	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3196	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 1376	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 1376	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 1376	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 616	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 616	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 616	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 728	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 728	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 728	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 2712	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 2712	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 2712	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3716	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3716	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3716	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3324	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3324	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 3324	2764	steriok.exe	sc.exe
PID 2764 wrote to memory of 2084	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2084	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2084	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1336	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1336	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1336	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1240	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1240	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1240	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 3252	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 3252	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 3252	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2304	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2304	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2304	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2600	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2600	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2600	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1728	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1728	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1728	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1476	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1476	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 1476	2764	steriok.exe	taskkill.exe
PID 2764 wrote to memory of 2964	2764	steriok.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\steriok.exe
"C:\Users\Admin\AppData\Local\Temp\steriok.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2296
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:924
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3672
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1376
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3196
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:616
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:728
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2712
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:3716
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:68
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3196
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\steriok.exe
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

MD5
7032ef06d70934d2d60781d46f8d0883

SHA1
ca3603da1abd171d85e0b15a882535ff350aebbe

SHA256
9a9419e6f3272054971717f939ed74159d145260935a21e481175bd58fd8ef5e

SHA512
e526e067988372e46909fa31779341a96520585f97a1d10604b1ba24a67373a4af429e744bb8024dfc9dac18c07efa6db3e211644208a46c629ead5cff5ac1a8

Download Submit
memory/68-149-0x0000000000000000-mapping.dmp

Download
memory/604-119-0x0000000000000000-mapping.dmp

Download
memory/616-127-0x0000000000000000-mapping.dmp

Download
memory/724-151-0x0000000000000000-mapping.dmp

Download
memory/728-128-0x0000000000000000-mapping.dmp

Download
memory/728-158-0x0000000000000000-mapping.dmp

Download
memory/756-147-0x0000000000000000-mapping.dmp

Download
memory/776-152-0x0000000000000000-mapping.dmp

Download
memory/868-148-0x0000000000000000-mapping.dmp

Download
memory/924-123-0x0000000000000000-mapping.dmp

Download
memory/948-206-0x0000000000000000-mapping.dmp

Download
memory/976-174-0x0000000000000000-mapping.dmp

Download
memory/1012-153-0x0000000000000000-mapping.dmp

Download
memory/1092-120-0x0000000000000000-mapping.dmp

Download
memory/1140-170-0x0000000000000000-mapping.dmp

Download
memory/1152-165-0x0000000000000000-mapping.dmp

Download
memory/1160-166-0x0000000000000000-mapping.dmp

Download
memory/1240-134-0x0000000000000000-mapping.dmp

Download
memory/1316-145-0x0000000000000000-mapping.dmp

Download
memory/1332-156-0x0000000000000000-mapping.dmp

Download
memory/1336-133-0x0000000000000000-mapping.dmp

Download
memory/1376-207-0x0000000000000000-mapping.dmp

Download
memory/1376-126-0x0000000000000000-mapping.dmp

Download
memory/1400-167-0x0000000000000000-mapping.dmp

Download
memory/1472-146-0x0000000000000000-mapping.dmp

Download
memory/1476-139-0x0000000000000000-mapping.dmp

Download
memory/1488-150-0x0000000000000000-mapping.dmp

Download
memory/1672-161-0x0000000000000000-mapping.dmp

Download
memory/1728-138-0x0000000000000000-mapping.dmp

Download
memory/1732-172-0x0000000000000000-mapping.dmp

Download
memory/1776-164-0x0000000000000000-mapping.dmp

Download
memory/2084-132-0x0000000000000000-mapping.dmp

Download
memory/2216-163-0x0000000000000000-mapping.dmp

Download
memory/2284-160-0x0000000000000000-mapping.dmp

Download
memory/2296-121-0x0000000000000000-mapping.dmp

Download
memory/2304-136-0x0000000000000000-mapping.dmp

Download
memory/2320-177-0x0000000000000000-mapping.dmp

Download
memory/2332-155-0x0000000000000000-mapping.dmp

Download
memory/2380-159-0x0000000000000000-mapping.dmp

Download
memory/2600-137-0x0000000000000000-mapping.dmp

Download
memory/2656-192-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/2656-182-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2656-191-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/2656-185-0x0000000004742000-0x0000000004743000-memory.dmp

Filesize
4KB

Download
memory/2656-205-0x0000000004744000-0x0000000004746000-memory.dmp

Filesize
8KB

Download
memory/2656-204-0x0000000004743000-0x0000000004744000-memory.dmp

Filesize
4KB

Download
memory/2656-203-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2656-184-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/2656-183-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/2656-190-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/2656-193-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2656-181-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2656-180-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2656-187-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/2656-186-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/2656-179-0x0000000000000000-mapping.dmp

Download
memory/2656-189-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/2712-129-0x0000000000000000-mapping.dmp

Download
memory/2756-173-0x0000000000000000-mapping.dmp

Download
memory/2764-117-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2764-115-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2764-118-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2852-171-0x0000000000000000-mapping.dmp

Download
memory/2964-168-0x0000000000000000-mapping.dmp

Download
memory/2964-140-0x0000000000000000-mapping.dmp

Download
memory/3164-176-0x0000000000000000-mapping.dmp

Download
memory/3196-125-0x0000000000000000-mapping.dmp

Download
memory/3196-208-0x0000000000000000-mapping.dmp

Download
memory/3252-169-0x0000000000000000-mapping.dmp

Download
memory/3252-135-0x0000000000000000-mapping.dmp

Download
memory/3324-131-0x0000000000000000-mapping.dmp

Download
memory/3396-122-0x0000000000000000-mapping.dmp

Download
memory/3436-154-0x0000000000000000-mapping.dmp

Download
memory/3668-178-0x0000000000000000-mapping.dmp

Download
memory/3672-124-0x0000000000000000-mapping.dmp

Download
memory/3676-175-0x0000000000000000-mapping.dmp

Download
memory/3708-141-0x0000000000000000-mapping.dmp

Download
memory/3712-143-0x0000000000000000-mapping.dmp

Download
memory/3716-130-0x0000000000000000-mapping.dmp

Download
memory/3716-157-0x0000000000000000-mapping.dmp

Download
memory/3740-144-0x0000000000000000-mapping.dmp

Download
memory/3848-162-0x0000000000000000-mapping.dmp

Download
memory/3896-142-0x0000000000000000-mapping.dmp

Download