**Summary of Attack**

- Adversary brute forced an internet-exposed RDP endpoint
- Copied tooling (binaries) to the victim machine
- Cleared Windows Event Logs
- Deleted Volume Shadow Copies
- Dumped credential hashes with mimikatz
- Executed the ransomware executable
- RDP'd to other machines on the LAN and repeated the same process
**MITRE ATT&CK Mapping**

Technique IDs are given per row in the timeline below.

**Adversary Timeline**

| Time (UTC) | MITRE ATT&CK | Activity |
|---|---|---|
| 2020-08-01 10:08:18 | Initial Access: External Remote Services (T1133) | The adversary successfully brute forced our internet-exposed RDP endpoint. |
| 2020-08-01 10:09:53 | | Adversary drops DefenderControl.exe to disk. |
| 2020-08-01 10:10:23 | | Adversary drops numerous Windows binaries to disk (listed under IOCs below). |
| 2020-08-01 10:10:32 | | Adversary executes DEL.exe, which drops `\Local\Temp\8B02.tmp\8B13.tmp\8B14.bat` and launches a child process, cmd.exe. |
| 2020-08-01 10:10:38 | Defense Evasion: Indicator Removal on Host, Clear Windows Event Logs (T1070.001) | The child cmd.exe spawns multiple wevtutil.exe processes, each clearing a Windows event log. |
| 2020-08-01 10:10:41 | Discovery: Network Service Scanning (T1046) | Adversary launches NS64.exe, which appears to be a port scanner similar to nmap. |
| 2020-08-01 10:13:20 | Impact: Inhibit System Recovery (T1490) | Adversary runs `wmic SHADOWCOPY DELETE` and `vssadmin Delete Shadows /All /Quiet` to delete Volume Shadow Copies. |
| 2020-08-01 10:10:23 | | Adversary drops additional Windows binaries to disk (listed under IOCs below). Timestamp as recorded; it is out of sequence with the surrounding rows. |
| 2020-08-01 10:15:14 | Credential Access: OS Credential Dumping (T1003) | Adversary executes mimikatz.exe to obtain credentials. |
| 2020-08-01 10:17:37 | Discovery: Remote System Discovery (T1018) | Adversary runs `arp -a` and redirects the output to a file for later use. |
| 2020-08-01 10:17:39 | Lateral Movement: Remote Services, Remote Desktop Protocol (T1021.001) | Adversary executes rdp.exe and attempts RDP connections to live hosts on the LAN. |
| 2020-08-01 10:34:20 | Impact: Data Encrypted for Impact (T1486) | Adversary launches the binary that encrypts data. |
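The timeline above is, in effect, a detection spec: each row is a command line or logon pattern that should have fired an alert. The following is an added example, not part of the original writeup, that encodes those rows as rules and runs them over constructed sample events (Security event IDs 4625/4624 for the RDP brute force, 4688 process creation for the rest). The event layout, IP address, thresholds and file paths are assumptions made for the example; the command lines are modelled on the timeline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the timeline above (not real telemetry).
# 4625 = failed logon, 4624 = successful logon (LogonType 10 = RemoteInteractive, i.e. RDP),
# 4688 = process creation; "cmdline" is only populated when the audit policy option
# "Include command line in process creation events" is enabled (or use Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ts": "2020-08-01T10:07:40Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:07:48Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:07:55Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:08:02Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:08:09Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:08:15Z", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-08-01T10:08:18Z", "id": 4624, "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"ts": "2020-08-01T10:10:38Z", "id": 4688, "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2020-08-01T10:10:38Z", "id": 4688, "cmdline": "wevtutil.exe cl System"},
    {"ts": "2020-08-01T10:13:20Z", "id": 4688, "cmdline": "wmic SHADOWCOPY DELETE"},
    {"ts": "2020-08-01T10:13:21Z", "id": 4688, "cmdline": "vssadmin Delete Shadows /All /Quiet"},
    {"ts": "2020-08-01T10:15:14Z", "id": 4688, "cmdline": r'C:\Users\Public\mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"ts": "2020-08-01T10:17:37Z", "id": 4688, "cmdline": r"cmd.exe /c arp -a > C:\Users\Public\hosts.txt"},
    {"ts": "2020-08-01T10:20:00Z", "id": 4688, "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},  # benign
]

# Command-line rules keyed by ATT&CK technique. The mimikatz rule matches on name only,
# which a renamed binary evades; treat it as a cheap hunt, not a guarantee.
CMDLINE_RULES = [
    ("T1070.001", "Clear Windows Event Logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1490", "Inhibit System Recovery: shadow copy deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("T1003", "OS Credential Dumping: mimikatz (name match only)",
     re.compile(r"\bmimikatz(\.exe)?\b", re.I)),
    ("T1018", "Remote System Discovery: arp cache redirected to a file",
     re.compile(r"\barp(\.exe)?\s+-a\b.*>", re.I)),
]


def match_cmdline(cmdline):
    """Return the technique IDs whose rule matches this command line."""
    return [tid for tid, _, rx in CMDLINE_RULES if rx.search(cmdline)]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_rdp_brute_force(events, threshold=5, window_s=600):
    """T1133: at least `threshold` failed logons (4625) from one source IP within
    `window_s` seconds, followed by a successful RDP logon (4624, LogonType 10)
    from the same IP. Returns (ts, technique, description) tuples."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4625:
            failures[ev["src_ip"]].append(parse_ts(ev["ts"]))
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            now = parse_ts(ev["ts"])
            recent = [t for t in failures[ev["src_ip"]] if (now - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append((ev["ts"], "T1133",
                             f"RDP brute force from {ev['src_ip']}: {len(recent)} failures, "
                             f"then success as {ev['user']}"))
    return hits


def detect(events):
    """Run every rule over the event list and return hits ordered by timestamp."""
    hits = list(detect_rdp_brute_force(events))
    for ev in events:
        if ev["id"] != 4688:
            continue
        for tid in match_cmdline(ev["cmdline"]):
            desc = next(d for t, d, _ in CMDLINE_RULES if t == tid)
            hits.append((ev["ts"], tid, f"{desc}: {ev['cmdline']}"))
    return sorted(hits, key=lambda h: h[0])


if __name__ == "__main__":
    for ts, tid, desc in detect(SAMPLE_EVENTS):
        print(ts, tid, desc)
```

Two points worth keeping in mind when adapting this to real telemetry. First, clearing the Security log does not hide the clearing: `wevtutil cl Security` leaves Event ID 1102 ("The audit log was cleared") as the first entry in the fresh log, so that event is a second, independent signal for the 10:10:38 row. Second, the brute-force rule only works if failed logons are forwarded off the host before the adversary clears the log; centralised log collection is what makes the 10:08:18 row reconstructible at all.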
**IOCs**

| File | SHA256 |
|---|---|
| DefenderControl.exe | e718433938681677597d0359051a59d12c3fbf977115fcc6ea45341e4c84f098 |
| DEL.exe | 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c |
| DEL32.exe | 126dbba4050ca023d2123ac78e66c03634698409e52d30a4d45d04efb2862027 |
| NS32.exe | 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c |
| NS64.exe | 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c |
| pay.exe | 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c |
| rdp.exe | 2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c |
| RDView.exe | 2de799c403eb79acf4c44de1cd9c622f5ae0054601bf187f9c581197e7c93229 |

Note: DEL.exe, NS32.exe, NS64.exe, pay.exe and rdp.exe are all listed with the same SHA256 (2f579518…), which is unlikely for a dropper, two scanners, a payload and an RDP tool. Either they are one binary under several names or the hashes were mis-transcribed; verify against the original samples before adding these values to a blocklist.
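A hash list is only useful if it is swept against disk, and this one has an obvious consistency problem (five names, one hash). The following added example, which is not part of the original writeup, transcribes the table, reports hashes shared by several names so the analyst can check them before use, and sweeps a directory tree matching on SHA256 rather than file name, so renamed copies are still found. The staged files in `demo()` are constructed for the example; they are not the adversary's binaries.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# IOC list transcribed from the table above: (file name, SHA-256).
IOCS = [
    ("DefenderControl.exe", "e718433938681677597d0359051a59d12c3fbf977115fcc6ea45341e4c84f098"),
    ("DEL.exe", "2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c"),
    ("DEL32.exe", "126dbba4050ca023d2123ac78e66c03634698409e52d30a4d45d04efb2862027"),
    ("NS32.exe", "2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c"),
    ("NS64.exe", "2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c"),
    ("pay.exe", "2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c"),
    ("rdp.exe", "2f579518e5610dd7b97d764741b441c2b8788581c8efe324dc3f6769298f521c"),
    ("RDView.exe", "2de799c403eb79acf4c44de1cd9c622f5ae0054601bf187f9c581197e7c93229"),
]


def index_by_hash(iocs):
    by_hash = defaultdict(list)
    for name, h in iocs:
        by_hash[h.lower()].append(name)
    return by_hash


def duplicate_hashes(iocs):
    """Hashes that appear under more than one name: either the same binary renamed
    or a transcription error. Returns {hash: [names]} for the analyst to verify."""
    return {h: sorted(names) for h, names in index_by_hash(iocs).items() if len(names) > 1}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs):
    """Hash every file under root; return [(path, [ioc names])] for hash matches.
    Matching on content rather than name catches renamed copies; it will not catch
    recompiled or repacked variants, which need a different indicator."""
    by_hash = index_by_hash(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                h = sha256_file(path)
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if h in by_hash:
                hits.append((path, sorted(by_hash[h])))
    return hits


def demo():
    """Constructed demonstration: stage a 'renamed' sample whose hash is added as an
    extra IOC, plus a benign file, and sweep the directory. Returns base names only."""
    with tempfile.TemporaryDirectory() as root:
        staged = os.path.join(root, "svchost_update.exe")
        with open(staged, "wb") as f:
            f.write(b"MZ constructed sample, not a real binary\n")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\n")
        iocs = IOCS + [("constructed_sample.exe", sha256_file(staged))]
        return [(os.path.basename(p), names) for p, names in sweep(root, iocs)]


if __name__ == "__main__":
    for h, names in duplicate_hashes(IOCS).items():
        print("shared hash", h[:12] + "...", "->", ", ".join(names))
    print(demo())
```

Run the duplicate check first: with the table as published it reports one shared hash across five names, which is exactly the condition that should stop these values from going straight into a blocklist or SIEM watchlist.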


