********************Summary of Attack**************************

Adversary brute forced internet-exposed RDP endpoint
Copied binaries to Victim machine
Cleared Windows Event Logs
Deleted Shadow Copies
Dump credential hashes via mimikatz
Executed ransomware executable
Remotes (RDP) to other machines to perform same process

********************Mitre Attack Mapping**************************

************************Adversary Timeline**************************

***********************2020-08-01 10:08:18 UTC******************* MITRE – Initial Access – External Remote Services -T1133** The adversary successfully brute forced our internet-exposed RDP endpoint.
*******************2020-08-01 10:09:53 UTC************************* Adversary drops DefenderControl.exe to disk:
**********************2020-08-01 10:10:23 UTC********************** Adversary drops numerous windows binaries to disk (below in page)
*********************2020-08-01 10:10:32 UTC*********************** Adversary Executes DEL.exe : DEL.exe drops \Local\Temp\8B02.tmp\8B13.tmp\8B14.bat DEL.exe launches child process CMD.exe
*********************2020-08-01 10:10:38 UTC********************* MITRE – Defense Evasion -Indicator Removal on Host:** Child process CMD.exe launches multiple process invoking wevtutil.exe aiming at multiple Window event logs
**********************2020-08-01 10:10:41 UTC******************** MITRE – Discovery – Network Service Scanning – T1046** Adversary launches NS64.exe – Appears to be tools similar to nmap.exe
*********************2020-08-01 10:13:20 UTC******************** MITRE – Impact – Inhibit System Recovery – T1490** Adversary launches WMIC and vssadmin.exe to delete shadowcopies wmic SHADOWCOPY DELETE vssadmin Delete Shadows /All /Quiet
**********************2020-08-01 10:10:23 UTC********************** Adversary drops additional windows binaries to disk (below in page)
********************2020-08-01 10:15:14*********************** MITRE – OS Credential Dumping – Credential Access – T1003** Adversary executes mimikatz.exe to obtain credentials
*********************2020-08-01 10:17:37********************** MITRE – Discovery – Network Service Scanning – T1046** Adversary performed arp -a and pipes it to a files for later use.
*********************2020-08-01 10:17:39********************** MITRE – Lateral Movement – Remote Services: Remote Desktop Protocol – T1021.001** Adversary executes rdp.exe and attempts RDP connections against live hosts on the LAN
*********************2020-08-01 10:34:20********************** MITRE – Impact – Data Encrypted for Impact** Adversary launches binary that encrypts data

******************************IOCs*********************************

DefenderControl.exe	SHA256 HASH e718433938681677597d0359051a59d12c3fbf977115fcc6ea45341e4c84f098
DEL.exe	SHA256 HASH 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c
DEL32.exe	SHA256 HASH 126dbba4050ca023d2123ac78e66c03634698409e52d30a4d45d04efb2862027
NS32.exe	SHA256 HASH 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c
NS64.exe	SHA256 HASH 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c
pay.exe	SHA256 HASH 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c
rdp.exe	SHA256 HASH 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c
RDView.exe	SHA256 HASH 2de799c403eb79acf4c44de1cd9c622f5ae0054601bf187f9c581197e7c93229

***********************2020-08-01 10:08:18 UTC******************* MITRE – Initial Access – External Remote Services -T1133** The adversary successfully brute forced our internet-exposed RDP endpoint.
*******************2020-08-01 10:09:53 UTC************************* Adversary drops DefenderControl.exe to disk:
**********************2020-08-01 10:10:23 UTC********************** Adversary drops numerous windows binaries to disk (below in page)
*********************2020-08-01 10:10:32 UTC*********************** Adversary Executes DEL.exe : DEL.exe drops \Local\Temp\8B02.tmp\8B13.tmp\8B14.bat DEL.exe launches child process CMD.exe
*********************2020-08-01 10:10:38 UTC********************* MITRE – Defense Evasion -Indicator Removal on Host:** Child process CMD.exe launches multiple process invoking wevtutil.exe aiming at multiple Window event logs
**********************2020-08-01 10:10:41 UTC******************** MITRE – Discovery – Network Service Scanning – T1046** Adversary launches NS64.exe – Appears to be tools similar to nmap.exe
*********************2020-08-01 10:13:20 UTC******************** MITRE – Impact – Inhibit System Recovery – T1490** Adversary launches WMIC and vssadmin.exe to delete shadowcopies wmic SHADOWCOPY DELETE vssadmin Delete Shadows /All /Quiet
**********************2020-08-01 10:10:23 UTC********************** Adversary drops additional windows binaries to disk (below in page)
********************2020-08-01 10:15:14*********************** MITRE – OS Credential Dumping – Credential Access – T1003** Adversary executes mimikatz.exe to obtain credentials
*********************2020-08-01 10:17:37********************** MITRE – Discovery – Network Service Scanning – T1046** Adversary performed arp -a and pipes it to a files for later use.
*********************2020-08-01 10:17:39********************** MITRE – Lateral Movement – Remote Services: Remote Desktop Protocol – T1021.001** Adversary executes rdp.exe and attempts RDP connections against live hosts on the LAN
*********************2020-08-01 10:34:20********************** MITRE – Impact – Data Encrypted for Impact** Adversary launches binary that encrypts data