b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
29-10-2021 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Size

147KB
MD5

59f9c44f79f86a42138b77caaa4404c9
SHA1

2f32d3cdbd8bec75a605bec112d3fac8e0ea4e6d
SHA256

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de
SHA512

971d397e0684515a221ce3e89cb1651283a402de5e6c96cbf863313a57b1bc6aabe199e4fd75c4ff9dbc868346de45de838aceac9da60b6215bf283a2a1fb773

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=R4131MNE85 and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: eFRUEmhqglxhhP4ves3MPHSqMVP/FM9z0Oz97ISCQUqmKdd9U2nt++3NdeklyrrIEvZkjlGA2GbJN20ykhZZiQswdhy9rmtQh/y7rWymsF82Nkmg6PVT+S+iqczI5BczybZog25SP1in3YMpmVoH7FIz5X/dpKB3GaFyKpalZgwJxfxP3hv6F2QH4e5aveSQMtOncOJMgiIU5ArqEmeXldlHCRlq9hBrQICCapW8dWJWeSOwCYqHAwi2WBr3mZ8qyMdVgZFnfmh5C3uNo7M68qjmuL9dt5Ed3ZLa8g+dKUrcGBWXr67HgGDBJnZUUrER3UuqZug3eiJ/zUtNJblDNhyCm8B8w/x76HJiS5F2Cv0zH+vrY5ox7kyNG9rGd2MVeaXPOI4rC5oPgKIGccP8pfXyGm8HEqBhkBRyxcAA9lFDBSkqIVt7dkCOfPTF2auzMTFN3/iZ05RyKRZLj3GVDg1YKr0s1Jt7eJ5i+BHdKEt36bgmvoei02c7gYM41qgK9M0/T3uZxv+tjdFFdsTYM/ieeyp8TWgHRsChuwHuXPm2fAGLyYtFHrPSYZmiIsT9/MrqBO2w+/RievChyHLcKKUo3RI3oaRlQhwXrNm4q4Hv2xZIwdKMZsD7S/HPz40MYrAwOGh8bNAc2fj7aYp4Hpk0haPRYrpz3n1fzTJaDJA=

URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=R4131MNE85

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=R4131MNE85

Signatures

Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 11 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	11	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CheckpointUnpublish.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\WriteDisconnect.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\DismountSkip.raw => C:\Users\Admin\Pictures\DismountSkip.raw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\TraceFind.raw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\FindMove.tif.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\ImportExit.crw => C:\Users\Admin\Pictures\ImportExit.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\WriteDisconnect.png => C:\Users\Admin\Pictures\WriteDisconnect.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\CheckpointUnpublish.png => C:\Users\Admin\Pictures\CheckpointUnpublish.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\InstallRegister.tif.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\TraceFind.raw => C:\Users\Admin\Pictures\TraceFind.raw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\RenameMerge.crw => C:\Users\Admin\Pictures\RenameMerge.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\RenameMerge.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\InitializeAssert.png => C:\Users\Admin\Pictures\InitializeAssert.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeAssert.png.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSkip.raw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\ShowSearch.crw => C:\Users\Admin\Pictures\ShowSearch.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\ShowSearch.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File renamed	C:\Users\Admin\Pictures\FindMove.tif => C:\Users\Admin\Pictures\FindMove.tif.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\Admin\Pictures\ImportExit.crw.R4131MNE85	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

296 cmd.exe

pid	process
296	cmd.exe

Drops startup file 1 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
File opened (read-only)	\??\Y:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\A:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\S:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\X:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\Q:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\W:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\T:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\G:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\J:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\Z:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\V:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\R:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\U:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\O:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\H:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\K:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\N:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\E:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\I:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\P:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\F:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\L:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\B:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
File opened (read-only)	\??\M:	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\nWe has DOWNLOADED of your PRIVATE SENSITIVE Data!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY WAS HACKED AND COMPROMISED!!!"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1756	taskkill.exe
1192	taskkill.exe
1960	taskkill.exe
972	taskkill.exe
1752	taskkill.exe
968	taskkill.exe
2032	taskkill.exe
412	taskkill.exe
1820	taskkill.exe
1584	taskkill.exe
1632	taskkill.exe
1028	taskkill.exe
1872	taskkill.exe
1000	taskkill.exe
944	taskkill.exe
1080	taskkill.exe
1604	taskkill.exe
1652	taskkill.exe
336	taskkill.exe
1000	taskkill.exe
1716	taskkill.exe
1876	taskkill.exe
920	taskkill.exe
1816	taskkill.exe
296	taskkill.exe
1068	taskkill.exe
2044	taskkill.exe
1776	taskkill.exe
2020	taskkill.exe
1648	taskkill.exe
540	taskkill.exe
1884	taskkill.exe
1948	taskkill.exe
940	taskkill.exe
980	taskkill.exe
1180	taskkill.exe
900	taskkill.exe
1744	taskkill.exe
1936	taskkill.exe
840	taskkill.exe
1952	taskkill.exe
1660	taskkill.exe
1708	taskkill.exe
1348	taskkill.exe
1364	taskkill.exe
972	taskkill.exe
1308	taskkill.exe
412	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1560 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1736 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1560	reg.exe

pid	process
1736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

pid	process
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

pid	process
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

pid	process
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	pid	process	target process
PID 796 wrote to memory of 412	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 412	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 412	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 412	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 816	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 816	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 816	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 816	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 1560	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 1560	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 1560	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 1560	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	reg.exe
PID 796 wrote to memory of 2032	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	schtasks.exe
PID 796 wrote to memory of 2032	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	schtasks.exe
PID 796 wrote to memory of 2032	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	schtasks.exe
PID 796 wrote to memory of 2032	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	schtasks.exe
PID 796 wrote to memory of 1364	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1364	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1364	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1364	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1676	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1676	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1676	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1676	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1948	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1948	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1948	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1948	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1080	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1080	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1080	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1080	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 668	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 668	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 668	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 668	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1832	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1832	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1832	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1832	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1964	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1964	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1964	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 1964	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 860	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 860	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 860	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 860	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	sc.exe
PID 796 wrote to memory of 972	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 972	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 972	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 972	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1652	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1652	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1652	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1652	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1872	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1872	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1872	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 1872	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 336	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 336	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 336	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe
PID 796 wrote to memory of 336	796	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY WAS HACKED AND COMPROMISED!!!"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\nWe has DOWNLOADED of your PRIVATE SENSITIVE Data!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe

C:\Users\Admin\AppData\Local\Temp\b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
"C:\Users\Admin\AppData\Local\Temp\b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:816
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1560
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1364
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1676
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1948
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1080
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:668
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1832
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1964
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:860
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:1952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2036
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1388
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1776
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1000
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:968
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1456
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Modifies Internet Explorer settings
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:860
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1736
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de.exe
  2⤵
  - Deletes itself
  PID:296
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5
1c8f5754e17588b6bc0f20a9e11d4e4c

SHA1
47cc29362e1975df47730dd56c9afbf6af092b26

SHA256
e394147677554f1725d842faef1764129c7328ca2c686b9f6d59dd457e4e9ebe

SHA512
b7180a6a56cef634404cec4571e4dc9c26c32498d7576f0dca4d72d4d555d179bf4b525b577c83cc04ad260f8f756cd65a6f77a64cd665f565fd81f73f59a244

Download Submit
memory/296-77-0x0000000000000000-mapping.dmp

Download
memory/336-73-0x0000000000000000-mapping.dmp

Download
memory/412-58-0x0000000000000000-mapping.dmp

Download
memory/412-103-0x0000000000000000-mapping.dmp

Download
memory/540-112-0x0000000000000000-mapping.dmp

Download
memory/668-66-0x0000000000000000-mapping.dmp

Download
memory/796-55-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/796-57-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/816-59-0x0000000000000000-mapping.dmp

Download
memory/840-84-0x0000000000000000-mapping.dmp

Download
memory/860-69-0x0000000000000000-mapping.dmp

Download
memory/900-115-0x0000000000000000-mapping.dmp

Download
memory/920-91-0x0000000000000000-mapping.dmp

Download
memory/940-98-0x0000000000000000-mapping.dmp

Download
memory/944-99-0x0000000000000000-mapping.dmp

Download
memory/968-111-0x0000000000000000-mapping.dmp

Download
memory/972-70-0x0000000000000000-mapping.dmp

Download
memory/972-104-0x0000000000000000-mapping.dmp

Download
memory/980-102-0x0000000000000000-mapping.dmp

Download
memory/1000-86-0x0000000000000000-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1028-110-0x0000000000000000-mapping.dmp

Download
memory/1068-81-0x0000000000000000-mapping.dmp

Download
memory/1080-105-0x0000000000000000-mapping.dmp

Download
memory/1080-65-0x0000000000000000-mapping.dmp

Download
memory/1180-109-0x0000000000000000-mapping.dmp

Download
memory/1192-82-0x0000000000000000-mapping.dmp

Download
memory/1308-101-0x0000000000000000-mapping.dmp

Download
memory/1348-100-0x0000000000000000-mapping.dmp

Download
memory/1364-106-0x0000000000000000-mapping.dmp

Download
memory/1364-62-0x0000000000000000-mapping.dmp

Download
memory/1388-124-0x0000000000000000-mapping.dmp

Download
memory/1452-126-0x0000000000000000-mapping.dmp

Download
memory/1560-60-0x0000000000000000-mapping.dmp

Download
memory/1584-79-0x0000000000000000-mapping.dmp

Download
memory/1604-114-0x0000000000000000-mapping.dmp

Download
memory/1632-96-0x0000000000000000-mapping.dmp

Download
memory/1648-107-0x0000000000000000-mapping.dmp

Download
memory/1652-71-0x0000000000000000-mapping.dmp

Download
memory/1660-90-0x0000000000000000-mapping.dmp

Download
memory/1676-118-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1676-119-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1676-122-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/1676-121-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1708-95-0x0000000000000000-mapping.dmp

Download
memory/1716-80-0x0000000000000000-mapping.dmp

Download
memory/1744-116-0x0000000000000000-mapping.dmp

Download
memory/1752-108-0x0000000000000000-mapping.dmp

Download
memory/1756-78-0x0000000000000000-mapping.dmp

Download
memory/1776-93-0x0000000000000000-mapping.dmp

Download
memory/1776-127-0x0000000000000000-mapping.dmp

Download
memory/1816-92-0x0000000000000000-mapping.dmp

Download
memory/1820-74-0x0000000000000000-mapping.dmp

Download
memory/1832-67-0x0000000000000000-mapping.dmp

Download
memory/1872-72-0x0000000000000000-mapping.dmp

Download
memory/1876-89-0x0000000000000000-mapping.dmp

Download
memory/1884-88-0x0000000000000000-mapping.dmp

Download
memory/1936-76-0x0000000000000000-mapping.dmp

Download
memory/1948-94-0x0000000000000000-mapping.dmp

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download
memory/1952-87-0x0000000000000000-mapping.dmp

Download
memory/1960-83-0x0000000000000000-mapping.dmp

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download
memory/2020-97-0x0000000000000000-mapping.dmp

Download
memory/2032-113-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download
memory/2036-120-0x0000000000000000-mapping.dmp

Download
memory/2044-85-0x0000000000000000-mapping.dmp

Download