ransomexx_win | 926da8f5eafdb6a22a2ffd01fe737a589f001f2da87a244f4fa9fd2626348898

Data Destruction

T1485

pid	Process
4784	fsutil.exe

RansomEXX Ransomware 6 IoCs

Targeted ransomware with variants which affect Windows and Linux systems.

ransomware ransomexx_win

description	ioc	pid	Process
File renamed	C:\Users\Admin\Pictures\DebugUndo.png => C:\Users\Admin\Pictures\DebugUndo.png.txd0t		4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
		1140	wevtutil.exe
		1212	wevtutil.exe
		4784	fsutil.exe
		3980	wevtutil.exe
		1576	wevtutil.exe

Clears Windows event logs 1 TTPs 4 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1140	wevtutil.exe
1212	wevtutil.exe
3980	wevtutil.exe
1576	wevtutil.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
3464	bcdedit.exe
4064	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
3324	wbadmin.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SplitConnect.tif => C:\Users\Admin\Pictures\SplitConnect.tif.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\UnlockUnregister.crw => C:\Users\Admin\Pictures\UnlockUnregister.crw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\UseRename.raw => C:\Users\Admin\Pictures\UseRename.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\DebugUndo.png => C:\Users\Admin\Pictures\DebugUndo.png.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\ExpandProtect.crw => C:\Users\Admin\Pictures\ExpandProtect.crw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\GrantOut.raw => C:\Users\Admin\Pictures\GrantOut.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File opened for modification	C:\Users\Admin\Pictures\GrantUse.tiff	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
File renamed	C:\Users\Admin\Pictures\GrantUse.tiff => C:\Users\Admin\Pictures\GrantUse.tiff.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	cipher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3980	wevtutil.exe
Token: SeBackupPrivilege	3980	wevtutil.exe
Token: SeSecurityPrivilege	1576	wevtutil.exe
Token: SeBackupPrivilege	1576	wevtutil.exe
Token: SeSecurityPrivilege	3508	wevtutil.exe
Token: SeBackupPrivilege	3508	wevtutil.exe
Token: SeSecurityPrivilege	1140	wevtutil.exe
Token: SeBackupPrivilege	1140	wevtutil.exe
Token: SeSecurityPrivilege	1212	wevtutil.exe
Token: SeBackupPrivilege	1212	wevtutil.exe
Token: SeBackupPrivilege	3368	wbengine.exe
Token: SeRestorePrivilege	3368	wbengine.exe
Token: SeSecurityPrivilege	3368	wbengine.exe
Token: SeManageVolumePrivilege	1052	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 4064	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	92
PID 3836 wrote to memory of 4064	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	92
PID 3836 wrote to memory of 456	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	93
PID 3836 wrote to memory of 456	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	93
PID 3836 wrote to memory of 3980	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	90
PID 3836 wrote to memory of 3980	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	90
PID 3836 wrote to memory of 3464	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	89
PID 3836 wrote to memory of 3464	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	89
PID 3836 wrote to memory of 3324	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	88
PID 3836 wrote to memory of 3324	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	88
PID 3836 wrote to memory of 5068	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	87
PID 3836 wrote to memory of 5068	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	87
PID 3836 wrote to memory of 5068	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	87
PID 3836 wrote to memory of 1576	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	91
PID 3836 wrote to memory of 1576	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	91
PID 3836 wrote to memory of 3508	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	86
PID 3836 wrote to memory of 3508	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	86
PID 3836 wrote to memory of 1212	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	85
PID 3836 wrote to memory of 1212	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	85
PID 3836 wrote to memory of 1388	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	83
PID 3836 wrote to memory of 1388	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	83
PID 3836 wrote to memory of 1388	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	83
PID 3836 wrote to memory of 4784	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	94
PID 3836 wrote to memory of 4784	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	94
PID 3836 wrote to memory of 1140	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	84
PID 3836 wrote to memory of 1140	3836	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe	84

C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
"C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe"
1⤵
- RansomEXX Ransomware
- Modifies extensions of user files
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  PID:1388
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - RansomEXX Ransomware
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - RansomEXX Ransomware
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:D:
  2⤵
  - Enumerates connected drives
  PID:5068
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:3324
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3464
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - RansomEXX Ransomware
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - RansomEXX Ransomware
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4064
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:456
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  - Deletes NTFS Change Journal
  - RansomEXX Ransomware
  PID:4784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

5