This document was created for the specific purpose of providing a Security Incident analysis report on the data collected
from the case submission. Disclosure of any of the information contained in this document to external organizations without
approval and an accompanying NDA is prohibited.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Trend Micro Incorporated.
On Thursday, 8 April 2021, at around 4:32 PM GMT+8, Trend Micro received a case from Teamlease
Services Pvt Ltd about a ransomware infection affecting two servers with Apex One installed. Based on the
ransom note detection log collected from the Apex One console, the infection is attributed to the Crytox
ransomware.
SCOPE OF ANALYSIS
This investigation report was created in reference to the data found in the collected evidence listed below:
1. Forensic Logs
The Trend Micro Forensic Toolkit (TMFK) was used to collect Windows forensic artifacts such as the
master file table (MFT), registry hives, and event logs.
This ransomware normally arrives via Remote Desktop Protocol (RDP) brute force. It has been observed to encrypt
files on fixed, removable and network drives. It has also been observed using the Utox messaging application as an
alternative communication channel between the victim(s) and the threat actor(s). It deletes itself after
execution.
KEY FINDINGS
ACTION ITEMS
Item #  Title                          Description                                                   Remarks
1       Collection of suspicious file  Collect the following suspicious files:                       Done - Not found
                                       C:\Users\Administrator\Desktop\collector64\Collector.exe
                                       C:\Windows\collector64\Collector.exe
                                       D:\collector64\Collector.exe
RESOLUTION/PREVENTION RECOMMENDATIONS
Make sure all Trend Micro product settings are configured to best protect against malware
infection: https://success.trendmicro.com/solution/1118282
Reset the passwords of all accounts, including all domain administrator, local administrator, and service
accounts, and enforce entirely new and strong passwords.
o Changing a password by only adding or removing a few characters is a bad habit. Example:
[Bad Habit]
Old Pass: 14YellowHorse$
New Pass: 15YellowHorse$
[Good habit]
Old Pass: 14YellowHorse$
New Pass: !jb14nhYestrday
Attacks nowadays are advanced and sophisticated. A solution with coverage for these TTPs and IOAs,
such as Trend Micro's XDR, gives administrators high visibility and the ability to respond quickly
in ways that common/traditional security solutions do not support.
Review the current access policy and network firewall policy on the machines, as the logs show
external IP addresses connecting to them directly. Given the RDP brute-force entry vector, RDP
(TCP 3389) should not be reachable from the internet; restrict it to trusted source addresses or a VPN.
Make sure all machines have an updated pattern and perform a scan to clean the machines, as
the ransomware is already covered by the signature-based pattern.
Make sure the operating systems and installed applications on all machines are up to date.
III. RECOVERY (Restoring the functionality and data of infected systems in a safe manner,
removing temporary containment measures)
It is recommended to restore all encrypted files from backup. One good safe computing
practice is to ensure you have accurate backups of your files. The 3-2-1 principle should be
in play: three copies, two different media, one separate location. Windows has a feature
called Volume Shadow Copy that allows you to restore files to their previous state and is
enabled by default; verify that shadow copies still exist on the affected hosts before relying
on them, since many ransomware families delete them before encrypting.
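The Volume Shadow Copy route mentioned above only works if snapshots survived the attack. The following PowerShell script is an added example written for this report (not Trend Micro tooling): it lists the shadow copies for a volume, warns if none remain, and otherwise copies a pre-encryption version of one file out of the newest snapshot. The volume, file path and output directory are assumptions; run it elevated.

```powershell
# Added example (not from the report): check for surviving shadow copies and recover one file.
# Assumptions: the file is given relative to the volume root; output goes to C:\Recovered.
param(
    [string]$Volume   = 'C:\',
    [string]$FilePath = 'Users\Administrator\Documents\report.xlsx',
    [string]$OutDir   = 'C:\Recovered'
)

# 1. Enumerate shadow copies for the volume. An empty result is itself a finding:
#    ransomware commonly deletes snapshots before encrypting.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies remain for $Volume; restore from offline backup instead."
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 2. Expose the newest snapshot through a directory symlink (the trailing backslash on the
#    device path is required) and copy the file out. Nothing in the snapshot is modified.
$newest = $shadows[0]
$link   = Join-Path $env:TEMP ('vss_' + ($newest.ID -replace '[{}]', ''))
cmd /c mklink /d "$link" "$($newest.DeviceObject)\" | Out-Null
try {
    $src = Join-Path $link $FilePath
    if (-not (Test-Path -LiteralPath $src)) {
        throw "$FilePath is not present in the snapshot taken $($newest.InstallDate)"
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $OutDir
    Write-Host "Restored $FilePath from snapshot taken $($newest.InstallDate) to $OutDir"
}
finally {
    # Remove the link only; the snapshot itself is untouched.
    cmd /c rmdir "$link" | Out-Null
}
```

Compare the snapshot's InstallDate with the earliest encrypted-file timestamp from the forensic logs: a snapshot taken after encryption began contains encrypted data and is no use for recovery.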
Appendix
CONFIDENTIAL – Release Pursuant to NDA – CONFIDENTIAL Security Incident Analysis Report |10
ATTK LOG ANALYSIS
A. FinanceApps_172.50.0.52
Suspicious files:
c:\users\.net v2.0\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v2.0 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\administrator\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\users\classic .net apppool\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\domadmin\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\windows\appcompat\zz.bat
c:\windows\temp\userscript.ps1
C:\Users\Administrator\Desktop\dInvest\Autoruns\a.exe
C:\Users\Administrator\Desktop\dInvest\Autoruns\Autoruns.exe
c:\tmuninst.ini XQZZRPWO1.waiting
Please upload the suspicious files (only upload files that have not been submitted) on the same service
request using Virus File Upload or File for Verification in the support portal.
We also found the following malicious fileless entries (this file-association handler causes
mshta.exe to open C:\ReadMe.hta whenever a .waiting file is opened; .waiting is the extension
observed on the encrypted files):
Location: HKLM\SOFTWARE\Classes\.waiting\Shell\Open\Command
LaunchString: C:\Windows\System32\mshta.exe "C:\ReadMe.hta"
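The two persistence locations in this log analysis are per-profile Startup folders (including service profiles such as the .NET application pool identities) and an extension handler under HKLM\SOFTWARE\Classes that launches mshta.exe. The following PowerShell script is an added example written for this report, not Trend Micro's ATTK or any output from the case: it sweeps both locations on a host and reports what it finds, so the same check can be run on the other affected machines. The file-type and script-host lists are assumptions; run it elevated.

```powershell
# Added example (not from the report): triage Startup folders and Classes open-command handlers.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folder items for every profile under C:\Users (service profiles included).
#    Anything here runs at each interactive logon of that profile.
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -Path 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = Join-Path $_.FullName $startupRel
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.(cmd|bat|ps1|vbs|js|hta|exe|lnk)$' } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $findings.Add([pscustomobject]@{
                    Type     = 'StartupFolder'
                    Location = $_.FullName
                    Detail   = "modified $($_.LastWriteTime), $($_.Length) bytes, sha256 $hash"
                })
            }
    }
}

# 2. Extension keys under HKLM\SOFTWARE\Classes whose Shell\Open\Command invokes a script host.
#    A legitimate extension key normally points at a ProgID rather than carrying its own command.
$scriptHosts = 'mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|cmd\.exe|rundll32\.exe'
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $cmdKey = $_.PSPath + '\Shell\Open\Command'
        if (Test-Path -LiteralPath $cmdKey) {
            $launch = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($launch -and $launch -match $scriptHosts) {
                $findings.Add([pscustomobject]@{
                    Type     = 'ClassesOpenCommand'
                    Location = "HKLM\SOFTWARE\Classes\$($_.PSChildName)\Shell\Open\Command"
                    Detail   = $launch
                })
            }
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

On the host analysed above this should report the runwallpapersetup*.cmd files for each profile and the .waiting handler; the SHA-256 values it prints are what to submit with the files through the support portal, and any additional extension handler it flags should be treated as a further persistence entry until verified.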
Ransomware uses encryption methods that make restoration through tools difficult, if not
impossible. Unfortunately, ransomware is also known to delete its own copies in order to evade detection and to
prevent analysis of its encryption routine. We suggest that you restore the encrypted files from backup.
For more information about RANSOMWARE, kindly follow the link below:
https://success.trendmicro.com/solution/1112223
Also, more information and best practices for preventing ransomware can be found on the following link.
https://success.trendmicro.com/solution/1099423
Other recommendations:
Always enable AEGIS (Behavior Monitoring).
Avoid opening e-mail attachments unless they are expected.
Avoid downloading cracked applications.
Be aware of social engineering attacks.
Back up data regularly