Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-04-2024 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  Resource: win10v2004-20240419-en
General
Target: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
Size: 2.4MB
MD5: 2a613d677cc3e2991dcd954e9413c40c
SHA1: 26f49090585d31dca8dde83106c0a851f00f2f18
SHA256: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b
SHA512: b3edc9f56aa9c1f3685bb7e14d7dad27f23346bb1f21618acb3091c2031c1c5f48f77f375d97763b2da1b4658efd12a1147114bd65190b9f8c772d302d0f7a44
SSDEEP: 49152:I/oSNzCxuPz3v/EekOEQ5ZlC2WQcyDJFD6BaKAjB8eJMv+8KwXkZx+jau:I/oCCQv/EeJESlC2WbyDukrBDJMGXjG
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0008000000014186-5.dat | family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | encrypt.exe
Clears Windows event logs 1 TTPs 3 IoCs
  pid | process
  996 | wevtutil.exe
  1140 | wevtutil.exe
  832 | wevtutil.exe
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0008000000014186-5.dat | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Detects command variations typically used by ransomware 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0008000000014186-5.dat | INDICATOR_SUSPICIOUS_GENRansomware
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0008000000014186-5.dat | INDICATOR_SUSPICIOUS_USNDeleteJournal
Detects executables containing commands for clearing Windows Event Logs 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0008000000014186-5.dat | INDICATOR_SUSPICIOUS_ClearWinLogs
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  pid | process
  1920 | bcdedit.exe
  536 | bcdedit.exe
Deletes System State backups
  pid | process
  772 | wbadmin.exe
Deletes backup catalog
  pid | process
  572 | wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbguard.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdlauncher.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlmangr.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oracle.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgr.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Executes dropped EXE 5 IoCs
  pid | process
  1452 | encrypt.exe
  2592 | encrypt.exe
  2744 | encrypt.exe
  2804 | encrypt.exe
  2760 | encrypt.exe
Loads dropped DLL 9 IoCs
  pid | process
  2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  1452 | encrypt.exe
  1452 | encrypt.exe
  2592 | encrypt.exe
  2760 | encrypt.exe
  2744 | encrypt.exe
  2804 | encrypt.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | encrypt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | encrypt.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" " | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" | encrypt.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\S: | encrypt.exe
  File opened (read-only) | \??\T: | encrypt.exe
  File opened (read-only) | \??\U: | encrypt.exe
  File opened (read-only) | \??\E: | encrypt.exe
  File opened (read-only) | \??\G: | encrypt.exe
  File opened (read-only) | \??\L: | encrypt.exe
  File opened (read-only) | \??\N: | encrypt.exe
  File opened (read-only) | \??\P: | encrypt.exe
  File opened (read-only) | \??\Q: | encrypt.exe
  File opened (read-only) | \??\V: | encrypt.exe
  File opened (read-only) | \??\A: | encrypt.exe
  File opened (read-only) | \??\J: | encrypt.exe
  File opened (read-only) | \??\K: | encrypt.exe
  File opened (read-only) | \??\W: | encrypt.exe
  File opened (read-only) | \??\H: | encrypt.exe
  File opened (read-only) | \??\I: | encrypt.exe
  File opened (read-only) | \??\R: | encrypt.exe
  File opened (read-only) | \??\X: | encrypt.exe
  File opened (read-only) | \??\Y: | encrypt.exe
  File opened (read-only) | \??\Z: | encrypt.exe
  File opened (read-only) | \??\B: | encrypt.exe
  File opened (read-only) | \??\M: | encrypt.exe
  File opened (read-only) | \??\O: | encrypt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell | encrypt.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | encrypt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | encrypt.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open | encrypt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Opens file in notepad (likely ransom note) 1 IoCs
  pid | process
  1620 | notepad.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
  pid | process
  2760 | encrypt.exe
  2804 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
  2592 | encrypt.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1452 | encrypt.exe
  Token: SeSecurityPrivilege | 1452 | encrypt.exe
  Token: SeTakeOwnershipPrivilege | 1452 | encrypt.exe
  Token: SeLoadDriverPrivilege | 1452 | encrypt.exe
  Token: SeSystemProfilePrivilege | 1452 | encrypt.exe
  Token: SeSystemtimePrivilege | 1452 | encrypt.exe
  Token: SeProfSingleProcessPrivilege | 1452 | encrypt.exe
  Token: SeIncBasePriorityPrivilege | 1452 | encrypt.exe
  Token: SeCreatePagefilePrivilege | 1452 | encrypt.exe
  Token: SeBackupPrivilege | 1452 | encrypt.exe
  Token: SeRestorePrivilege | 1452 | encrypt.exe
  Token: SeShutdownPrivilege | 1452 | encrypt.exe
  Token: SeDebugPrivilege | 1452 | encrypt.exe
  Token: SeSystemEnvironmentPrivilege | 1452 | encrypt.exe
  Token: SeChangeNotifyPrivilege | 1452 | encrypt.exe
  Token: SeRemoteShutdownPrivilege | 1452 | encrypt.exe
  Token: SeUndockPrivilege | 1452 | encrypt.exe
  Token: SeManageVolumePrivilege | 1452 | encrypt.exe
  Token: SeImpersonatePrivilege | 1452 | encrypt.exe
  Token: SeCreateGlobalPrivilege | 1452 | encrypt.exe
  Token: 33 | 1452 | encrypt.exe
  Token: 34 | 1452 | encrypt.exe
  Token: 35 | 1452 | encrypt.exe
  Token: SeIncreaseQuotaPrivilege | 2592 | encrypt.exe
  Token: SeSecurityPrivilege | 2592 | encrypt.exe
  Token: SeTakeOwnershipPrivilege | 2592 | encrypt.exe
  Token: SeLoadDriverPrivilege | 2592 | encrypt.exe
  Token: SeSystemProfilePrivilege | 2592 | encrypt.exe
  Token: SeSystemtimePrivilege | 2592 | encrypt.exe
  Token: SeProfSingleProcessPrivilege | 2592 | encrypt.exe
  Token: SeIncBasePriorityPrivilege | 2592 | encrypt.exe
  Token: SeCreatePagefilePrivilege | 2592 | encrypt.exe
  Token: SeBackupPrivilege | 2592 | encrypt.exe
  Token: SeRestorePrivilege | 2592 | encrypt.exe
  Token: SeShutdownPrivilege | 2592 | encrypt.exe
  Token: SeDebugPrivilege | 2592 | encrypt.exe
  Token: SeSystemEnvironmentPrivilege | 2592 | encrypt.exe
  Token: SeChangeNotifyPrivilege | 2592 | encrypt.exe
  Token: SeRemoteShutdownPrivilege | 2592 | encrypt.exe
  Token: SeUndockPrivilege | 2592 | encrypt.exe
  Token: SeManageVolumePrivilege | 2592 | encrypt.exe
  Token: SeImpersonatePrivilege | 2592 | encrypt.exe
  Token: SeCreateGlobalPrivilege | 2592 | encrypt.exe
  Token: 33 | 2592 | encrypt.exe
  Token: 34 | 2592 | encrypt.exe
  Token: 35 | 2592 | encrypt.exe
  Token: SeIncreaseQuotaPrivilege | 2760 | encrypt.exe
  Token: SeSecurityPrivilege | 2760 | encrypt.exe
  Token: SeTakeOwnershipPrivilege | 2760 | encrypt.exe
  Token: SeLoadDriverPrivilege | 2760 | encrypt.exe
  Token: SeSystemProfilePrivilege | 2760 | encrypt.exe
  Token: SeSystemtimePrivilege | 2760 | encrypt.exe
  Token: SeProfSingleProcessPrivilege | 2760 | encrypt.exe
  Token: SeIncBasePriorityPrivilege | 2760 | encrypt.exe
  Token: SeCreatePagefilePrivilege | 2760 | encrypt.exe
  Token: SeBackupPrivilege | 2760 | encrypt.exe
  Token: SeRestorePrivilege | 2760 | encrypt.exe
  Token: SeShutdownPrivilege | 2760 | encrypt.exe
  Token: SeDebugPrivilege | 2760 | encrypt.exe
  Token: SeSystemEnvironmentPrivilege | 2760 | encrypt.exe
  Token: SeChangeNotifyPrivilege | 2760 | encrypt.exe
  Token: SeRemoteShutdownPrivilege | 2760 | encrypt.exe
  Token: SeUndockPrivilege | 2760 | encrypt.exe
  Token: SeManageVolumePrivilege | 2760 | encrypt.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | process | procid_target
  PID 2528 wrote to memory of 1452 | 2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe | 28
  PID 2528 wrote to memory of 1452 | 2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe | 28
  PID 2528 wrote to memory of 1452 | 2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe | 28
  PID 2528 wrote to memory of 1452 | 2528 | c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe | 28
  PID 1452 wrote to memory of 2592 | 1452 | encrypt.exe | 29
  PID 1452 wrote to memory of 2592 | 1452 | encrypt.exe | 29
  PID 1452 wrote to memory of 2592 | 1452 | encrypt.exe | 29
  PID 1452 wrote to memory of 2592 | 1452 | encrypt.exe | 29
  PID 2592 wrote to memory of 2744 | 2592 | encrypt.exe | 30
  PID 2592 wrote to memory of 2744 | 2592 | encrypt.exe | 30
  PID 2592 wrote to memory of 2744 | 2592 | encrypt.exe | 30
  PID 2592 wrote to memory of 2744 | 2592 | encrypt.exe | 30
  PID 2592 wrote to memory of 2804 | 2592 | encrypt.exe | 31
  PID 2592 wrote to memory of 2804 | 2592 | encrypt.exe | 31
  PID 2592 wrote to memory of 2804 | 2592 | encrypt.exe | 31
  PID 2592 wrote to memory of 2804 | 2592 | encrypt.exe | 31
  PID 2592 wrote to memory of 2760 | 2592 | encrypt.exe | 32
  PID 2592 wrote to memory of 2760 | 2592 | encrypt.exe | 32
  PID 2592 wrote to memory of 2760 | 2592 | encrypt.exe | 32
  PID 2592 wrote to memory of 2760 | 2592 | encrypt.exe | 32
  PID 2592 wrote to memory of 2296 | 2592 | encrypt.exe | 33
  PID 2592 wrote to memory of 2296 | 2592 | encrypt.exe | 33
  PID 2592 wrote to memory of 2296 | 2592 | encrypt.exe | 33
  PID 2592 wrote to memory of 2296 | 2592 | encrypt.exe | 33
  PID 2592 wrote to memory of 2900 | 2592 | encrypt.exe | 34
  PID 2592 wrote to memory of 2900 | 2592 | encrypt.exe | 34
  PID 2592 wrote to memory of 2900 | 2592 | encrypt.exe | 34
  PID 2592 wrote to memory of 2900 | 2592 | encrypt.exe | 34
  PID 2592 wrote to memory of 328 | 2592 | encrypt.exe | 35
  PID 2592 wrote to memory of 328 | 2592 | encrypt.exe | 35
  PID 2592 wrote to memory of 328 | 2592 | encrypt.exe | 35
  PID 2592 wrote to memory of 328 | 2592 | encrypt.exe | 35
  PID 2592 wrote to memory of 1904 | 2592 | encrypt.exe | 36
  PID 2592 wrote to memory of 1904 | 2592 | encrypt.exe | 36
  PID 2592 wrote to memory of 1904 | 2592 | encrypt.exe | 36
  PID 2592 wrote to memory of 1904 | 2592 | encrypt.exe | 36
  PID 2592 wrote to memory of 2000 | 2592 | encrypt.exe | 37
  PID 2592 wrote to memory of 2000 | 2592 | encrypt.exe | 37
  PID 2592 wrote to memory of 2000 | 2592 | encrypt.exe | 37
  PID 2592 wrote to memory of 2000 | 2592 | encrypt.exe | 37
  PID 2592 wrote to memory of 2688 | 2592 | encrypt.exe | 39
  PID 2592 wrote to memory of 2688 | 2592 | encrypt.exe | 39
  PID 2592 wrote to memory of 2688 | 2592 | encrypt.exe | 39
  PID 2592 wrote to memory of 2688 | 2592 | encrypt.exe | 39
  PID 2592 wrote to memory of 2696 | 2592 | encrypt.exe | 40
  PID 2592 wrote to memory of 2696 | 2592 | encrypt.exe | 40
  PID 2592 wrote to memory of 2696 | 2592 | encrypt.exe | 40
  PID 2592 wrote to memory of 2696 | 2592 | encrypt.exe | 40
  PID 2592 wrote to memory of 2660 | 2592 | encrypt.exe | 41
  PID 2592 wrote to memory of 2660 | 2592 | encrypt.exe | 41
  PID 2592 wrote to memory of 2660 | 2592 | encrypt.exe | 41
  PID 2592 wrote to memory of 2660 | 2592 | encrypt.exe | 41
  PID 2592 wrote to memory of 2684 | 2592 | encrypt.exe | 43
  PID 2592 wrote to memory of 2684 | 2592 | encrypt.exe | 43
  PID 2592 wrote to memory of 2684 | 2592 | encrypt.exe | 43
  PID 2592 wrote to memory of 2684 | 2592 | encrypt.exe | 43
  PID 2592 wrote to memory of 2700 | 2592 | encrypt.exe | 44
  PID 2592 wrote to memory of 2700 | 2592 | encrypt.exe | 44
  PID 2592 wrote to memory of 2700 | 2592 | encrypt.exe | 44
  PID 2592 wrote to memory of 2700 | 2592 | encrypt.exe | 44
  PID 2592 wrote to memory of 2676 | 2592 | encrypt.exe | 45
  PID 2592 wrote to memory of 2676 | 2592 | encrypt.exe | 45
  PID 2592 wrote to memory of 2676 | 2592 | encrypt.exe | 45
  PID 2592 wrote to memory of 2676 | 2592 | encrypt.exe | 45
System policy modification 1 TTPs 6 IoCs
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | encrypt.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | encrypt.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | encrypt.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | encrypt.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | encrypt.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2528
  C:\tempcrc\encrypt.exe
    Command line: "C:\tempcrc\encrypt.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1452
    C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
      Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"
      - Modifies security service
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2592
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 2592 -!
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2744
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        PID: 2804
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2760
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -H off
        PID: 2296
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 2900
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 328
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1904
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 2000
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 2688
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 2696
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 2660
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 2684
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 2700
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 2676
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 2680
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 2784
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        PID: 2864
      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
        PID: 2904
      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 1920
      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit.exe /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 536
      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
        - Deletes System State backups
        PID: 772
      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
        PID: 572
      C:\Windows\SysWOW64\notepad.exe
        Command line: notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
        - Opens file in notepad (likely ransom note)
        PID: 1620
      C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil.exe cl security
        - Clears Windows event logs
        PID: 996
      C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil.exe cl system
        - Clears Windows event logs
        PID: 832
      C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil.exe cl application
        - Clears Windows event logs
        PID: 1140
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1520
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 1012
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1200
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 1252
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
Filesize: 1KB
  MD5: fa9f6c87b086bf0a18b957d30ffdccbb
  SHA1: e7ad196244d10d9bfb43b968a721c171db4332cf
  SHA256: 817c1b357bc74e9ef13316d9ecaf162c77ad83dd45de599e95037e99c71ca1de
  SHA512: a02565c0d2fb6acae678734986674f7dd86f9ea12ba69ebca038ed49d4cbabfa3b7319b49f2685924100682159887d399668ad4e7768f12790f9f3eef04c4a05
Filesize: 32B
  MD5: 48e45671f2bc65d6587c37834460514d
  SHA1: 361b334807fafeee665490a72d3cd7f68ca4782d
  SHA256: 977bcea6ad0e0c7ada28b6725d13f3a7abf77b8bb322d42733ebb894617be2af
  SHA512: b7d59b6698c8f942b66c2c60fc2310a98848cdcc4e7f8d6865c06b915e20e52b2771cce62b6751a5c7b70063b8873f6589908b24099f96505e2684d26f0a030c
Filesize: 84KB
  MD5: 3b03324537327811bbbaff4aafa4d75b
  SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
  SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
  SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
Filesize: 3.0MB
  MD5: a48ee000e248741247c24dc70fa2f936
  SHA1: 4c814fe7c94e6fb4d1d89cdae7e6e83905c459d7
  SHA256: bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c
  SHA512: 8bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34