
SECURITY INCIDENT ANALYSIS REPORT

CASE NUMBER: 04380946


[TEAMLEASE SERVICES PVT LTD]
Trend Micro Confidential

This document was created for the specific purpose of providing a Security Incident analysis report on the data collected
from case submission. Disclosure of any of the information contained in this document to external organizations without
approval and an accompanying NDA is prohibited.

Copyright © 2020 Trend Micro Incorporated. All rights reserved.

No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Trend Micro Incorporated.

Version | Version Date | Description
0.1 | 4/23/2021 5:00 PM GMT +8 | Document Creation
0.2 | 4/25/2021 7:00 PM GMT +8 | Analysis of machine FinanceApps

CONFIDENTIAL – Release Pursuant to NDA – CONFIDENTIAL Security Incident Analysis Report |2


Table of Contents
SERVICE REQUEST DETAILS ........ 4
BACKGROUND OF THE INCIDENT ........ 4
SCOPE OF ANALYSIS ........ 4
THREAT OVERVIEW ........ 5
KEY FINDINGS ........ 5
DETAILED FINDINGS
  A. FINANCEAPPS_172.50.0.52 (INFECTED APPLICATION SERVER) ........ 6
ACTION ITEMS ........ 8
RESOLUTION/PREVENTION RECOMMENDATIONS ........ 9
  I. CONTAINMENT (Stopping the spread and preventing further damage) ........ 9
  II. ERADICATION (Removal of malware artifacts from infected systems, mitigation of weaknesses and vulnerabilities) ........ 10
  III. RECOVERY (Restoring the functionality and data of infected systems in a safe manner, removing temporary containment measures) ........ 10
APPENDIX ........ 10
ATTK LOG ANALYSIS ........ 11
  A. FINANCEAPPS_172.50.0.52 ........ 11



SERVICE REQUEST DETAILS
Service Request: 04380946
Products: Apex One
Customer Type: ENT

BACKGROUND OF THE INCIDENT

On Thursday, 8th of April 2021 around 4:32 PM GMT +8, Trend Micro received a case from Teamlease
Services Pvt Ltd about a ransomware that affected 2 servers installed with Apex One. Based on the
ransom note detection log collected from the Apex One console, the incident is related to a Crytox
ransomware infection.

SCOPE OF ANALYSIS
This report was created in reference to the data found in the collected evidence listed below:

1. Forensic Logs

Forensic Toolkit Logs Collected

Host Name (IP) | ATTK | TMIK/TMFK | Remarks
FinanceApps_172.50.0.52 | Yes | Yes | Infected Application server

The Trend Micro Forensic Toolkit (TMFK) was used to collect Windows forensic artifacts such as the
master file table (MFT), registry hives, event logs, etc.



THREAT OVERVIEW
Based on the information we have so far, the machines were infected by Crytox ransomware.

This ransomware normally arrives via Remote Desktop Protocol brute force. It has been observed to
encrypt files on fixed, removable and network drives. It has also been observed using the Utox
messaging application as an alternative channel of communication between the victim(s) and the
threat actor(s). It also deletes itself after execution.

It drops the following file(s) as ransom note:

KEY FINDINGS

• Compromised account: FINANCEAPPS\Administrator
• Attacker tried to uninstall/disable the Apex One Agent
• Multiple AV tools detected on the day of infection
• Behavior Monitoring Lightweight Protection is enabled



DETAILED FINDINGS

A. FinanceApps_172.50.0.52 (Infected Application server)


• Apex One Agent installed

TMFK Detailed Findings:

• Time of infection: 04/07/2021 04:45:25 PM IST
  o The appended extension is XQZZRPWO1.waiting
• Compromised account: FINANCEAPPS\Administrator
• Suspicious executable files observed prior to infection
  o C:\collector64\Collector.exe
  o C:\Users\Administrator\Desktop\collector64\Collector.exe
  o D:\collector64\Collector.exe
  o \\10.6.3.20\Advent\FileUploadAutomation\TEAMLEASE\BANK_LETTERS\ALCS\collector64
• Many power tools / AV-disabling tools were detected on the day of infection.
• Behavior Monitoring Lightweight Protection is enabled

Date/Time (IST) | Source | Description | Remarks
04/07/2021 01:32:48 PM | EVT | Remote Desktop Services: Session logon succeeded. User: FINANCEAPPS\Administrator, Session ID: 7, Source Network Address: 185.20.185.52 | Suspicious login using FINANCEAPPS\Administrator from 185.20.185.52
04/07/2021 01:33:20 PM | MFT | \Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\OFCNTINST.lnk | Attacker tried to uninstall Apex One Agent
04/07/2021 01:35:09 PM | MFT | \Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Uninstall a program (2).lnk | Attacker tried to uninstall Apex One Agent
04/07/2021 01:35:26 PM | EVT | The following information was included with the event (insertion strings): Security Agent uninstallation attempted. User: Administrator | Attacker tried to uninstall Apex One Agent
04/07/2021 01:39:48 PM | EVT | The Trend Micro Cloud Endpoint Telemetry Service service entered the stopped state. | Trend Micro services startup type was modified
04/07/2021 01:39:51 PM | EVT | The start type of the Trend Micro Cloud Endpoint Telemetry Service service was changed from auto start to disabled. | Trend Micro services startup type was modified
04/07/2021 01:40:02 PM | EVT | The Trend Micro Endpoint Basecamp service entered the stopped state. | Trend Micro services startup type was modified
04/07/2021 01:40:04 PM | EVT | The start type of the Trend Micro Endpoint Basecamp service was changed from auto start to disabled. | Trend Micro services startup type was modified
04/07/2021 01:49:01 PM | EVT | The program or feature "\??\C:\Users\Administrator\Desktop\find.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available. | Suspicious file having issue with compatibility
04/07/2021 01:50:28 PM | REG | C:\Windows\RegBootClean64.exe | Indication that the Apex One agent detected a file
04/07/2021 01:52:29 PM | REG | C:\Users\Administrator\Downloads\pscan24.exe | Tool used in reconnaissance was executed
04/07/2021 01:52:49 PM | REG | C:\Users\Administrator\AppData\Local\Temp\7\Advanced Port Scanner 2\advanced_port_scanner.exe | Tool used in reconnaissance was executed
04/07/2021 02:01:47 PM | REG | C:\Users\Administrator\Desktop\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:02:18 PM | REG | C:\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:02:57 PM | REG | {F38BF404-1D43-42F2-9305-67DE0B28FC23}\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:04:00 PM | REG | D:\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:07:00 PM | REG | \\10.6.3.20\Advent\FileUploadAutomation\TEAMLEASE\BANK_LETTERS\ALCS\collector64 | Suspicious file was accessed on a shared folder of the FINANCEAPPS machine
04/07/2021 02:07:57 PM | EVT | The start type of the Trend Micro Unauthorized Change Prevention Service service was changed from demand start to disabled. | Trend Micro Behavior Monitoring startup type was changed.
04/07/2021 04:45:02 PM | MFT | \Windows\utox.exe | Component files normally dropped by the ransomware
04/07/2021 04:45:03 PM | MFT | \Windows\pghdn.txt | Component files normally dropped by the ransomware
04/07/2021 04:45:25 PM | MFT | \Users\adventbiz\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak XQZZRPWO1.waiting | First encrypted file
04/07/2021 04:46:32 PM | MFT | \MyWork\Advent\ETL\data\TML\TML-COR\TML-COR-BEN\TML-COR-BEN-0015\ZData\ReadMe.hta | First ransom note dropped
04/07/2021 05:01:16 PM | EVT | The process C:\Windows\system32\winlogon.exe (FINANCEAPPS) has initiated the power off of computer FINANCEAPPS on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason Code: 0x500ff. Shutdown Type: power off | Machine was shut down.
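The sequence in the timeline above (security-agent services stopped and switched to "disabled", an RDP logon from an address outside the customer's own ranges, then a SYSTEM-initiated power off) can be hunted for in the Windows event logs of other hosts. The following PowerShell script is an added example and is not part of the Trend Micro report; the internal address prefixes and the 30-day window are assumptions to adjust per environment.

```powershell
# Added example (not from the Trend Micro report): hunt for the tampering
# sequence seen on FINANCEAPPS in a host's System and RDP event logs.
# Event IDs are the standard Windows ones: 7036/7040 (Service Control Manager
# stop / start-type change), 21 (RDP session logon succeeded), 1074 (shutdown
# initiated by a process).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-30),
    # Address prefixes treated as internal; anything else is flagged (assumption)
    [string[]]$InternalPrefixes = @('10.', '172.50.', '192.168.', 'LOCAL')
)

$findings = @()

# 1. Security-agent services stopped or switched to "disabled"
$scm = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036, 7040; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $scm) {
    $m = $e.Message
    if ($m -match 'Trend Micro' -and ($m -match 'stopped state' -or $m -match 'to disabled')) {
        $findings += [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $m.Split("`n")[0] }
    }
}

# 2. RDP logons whose source address is not in an internal range
$rdp = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id = 21; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $rdp) {
    if ($e.Message -match 'Source Network Address:\s*(\S+)') {
        $src = $Matches[1]
        $internal = $false
        foreach ($p in $InternalPrefixes) { if ($src.StartsWith($p)) { $internal = $true } }
        if (-not $internal) {
            $findings += [pscustomobject]@{ Time = $e.TimeCreated; Id = 21; Detail = "RDP logon from $src" }
        }
    }
}

# 3. Shutdowns initiated by a process (the report's final timeline entry)
$off = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'System'; Id = 1074; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $off) {
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Id = 1074; Detail = $e.Message.Split("`n")[0] }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it with an account that can read the remote host's System and TerminalServices logs; the output is the same chronological shape as the table above, so it can be compared directly against it.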



HackTool/Spyware detections on same day of infection:

Malware detection/s on the same day of infection:

Behavior Monitoring Lightweight Protection is enabled prior to infection:

ACTION ITEMS

Item # | Title | Description | Remarks
1 | Collection of suspicious file | Collect the following suspicious files: C:\Users\Administrator\Desktop\collector64\Collector.exe; C:\Windows\collector64\Collector.exe; D:\collector64\Collector.exe | Done - Not found
2 | Change password for compromised account | Reset password for compromised account: FINANCEAPPS\Administrator | Done
3 | IP verification | Confirmation of IP 185.20.185.52 if this is a known IP from the customer's end. If not, kindly block it with the public-facing firewall | Done

RESOLUTION/PREVENTION RECOMMENDATIONS

I. CONTAINMENT (Stopping the spread and preventing further damage)

• Make sure all Trend Micro product settings are configured to best protect against malware
infection: https://success.trendmicro.com/solution/1118282

• Immediately change the password of the compromised account:
  o FinanceApps\Administrator

• Include as well all domain administrator, local administrator, and service accounts, and
enforce entirely new and strong passwords.
  o Changing a password by just adding or removing a few characters is a bad habit. Example:
    [Bad habit]
    Old Pass: 14YellowHorse$
    New Pass: 15YellowHorse$
    [Good habit]
    Old Pass: 14YellowHorse$
    New Pass: !jb14nhYestrday

• Follow Microsoft's recommendation for securing the built-in administrator accounts

• Multi-Factor Authentication is also advisable

• Attacks nowadays are advanced and sophisticated; a solution with coverage for these TTPs and
IOAs, such as Trend Micro's XDR, gives administrators high visibility and the ability to respond
quickly in ways that common/traditional security solutions do not support.

• Review the current access policy and network firewall policy on the machines, as it is evident from
the logs that an external IP is connecting to them directly.

• It is recommended to secure RDP sessions. Here are some RDP-related recommendations to
enhance RDP access:
  o Administrators managing remote desktops are recommended to close RDP access if
possible, or otherwise change the RDP port to a non-standard port.
  o Implement a VPN-connection requirement before being able to access the RDP server.
  o Updating and strengthening RDP credentials, as well as implementing two-factor
authentication, account lockout policies and user permission/restriction rules, can
make them more resistant to brute force attacks.
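As an added example (not from the report), the following PowerShell script audits a Windows host against the RDP recommendations above: whether RDP is closed, whether Network Level Authentication is on, whether the port is non-standard, whether inbound RDP firewall rules are open to any remote address, and whether an account lockout threshold is set. The registry paths and firewall rule group are the standard Windows ones; the lockout threshold of 10 and the English-locale parsing of `net accounts` are assumptions.

```powershell
# Added example (not from the Trend Micro report): check the RDP hardening
# points recommended above on the local host. Run as an administrator.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$tsProps  = Get-ItemProperty -Path $ts
$tcpProps = Get-ItemProperty -Path $tcp

$checks = @(
    [pscustomobject]@{ Check = 'RDP closed entirely (fDenyTSConnections = 1)'
                       Pass  = ($tsProps.fDenyTSConnections -eq 1)
                       Value = $tsProps.fDenyTSConnections }
    [pscustomobject]@{ Check = 'Network Level Authentication required'
                       Pass  = ($tcpProps.UserAuthentication -eq 1)
                       Value = $tcpProps.UserAuthentication }
    [pscustomobject]@{ Check = 'Non-standard RDP port'
                       Pass  = ($tcpProps.PortNumber -ne 3389)
                       Value = $tcpProps.PortNumber }
)

# Firewall: an enabled inbound RDP rule whose remote address is "Any" means the
# server accepts RDP from the internet if it is reachable, as in this incident.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$checks += [pscustomobject]@{ Check = 'Inbound RDP limited to VPN/admin address ranges'
                              Pass  = (-not $openRules)
                              Value = ($openRules.DisplayName -join ', ') }

# Account lockout policy: "Lockout threshold: Never" parses to 0 (assumption: English locale)
$acct = net accounts
$threshold = [int](($acct | Select-String 'Lockout threshold').Line -replace '\D', '')
$checks += [pscustomobject]@{ Check = 'Account lockout threshold set (1-10 attempts)'
                              Pass  = ($threshold -gt 0 -and $threshold -le 10)
                              Value = $threshold }

$checks | Format-Table -AutoSize
```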

II. ERADICATION (Removal of malware artifacts from infected systems, mitigation of
weaknesses and vulnerabilities)

• Make sure all of the machines have the security agent installed.

• Make sure all machines have an updated pattern and perform a scan to clean the machines, as
the ransomware is already covered by the signature-based pattern.

• Make sure all machines' operating systems and installed applications are up to date.

III. RECOVERY (Restoring the functionality and data of infected systems in a safe manner,
removing temporary containment measures)

• It is recommended to restore all encrypted files from backup. One good safe computing
practice is to ensure you have accurate backups of your files. The 3-2-1 principle should be
in play: three copies, two different media, one separate location. Windows has a feature
called Volume Shadow Copy that allows you to restore files to their previous state, and it is
enabled by default.

Appendix

File | Hash (SHA1) | Detection | Comment
ReadMe.hta | 33C9B5767995B4E9C4B567120D91DC91F7C70927 | Ransom.HTML.CRYTOX.SM.note | Ransomnote
rwjfk.bat | ed3b8509ff3f9e849f2c2450d14f09a33ea1785e | Ransom.BAT.CRYTOX.A | Component

ATTK LOG ANALYSIS
A. FinanceApps_172.50.0.52

ATTK Build Version: 1.62.0.1252


Customer's GUID: e346e259-9be6-43be-a001-3f4dda206bfb
Computer Name: FINANCEAPPS
User Name: Administrator
Local IP Address: 172.50.0.52
Date/Time: 04-22-2021 14:01:37

Suspicious files:
c:\users\.net v2.0\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v2.0 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\administrator\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\users\classic .net apppool\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\domadmin\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\windows\appcompat\zz.bat
c:\windows\temp\userscript.ps1
C:\Users\Administrator\Desktop\dInvest\Autoruns\a.exe
C:\Users\Administrator\Desktop\dInvest\Autoruns\Autoruns.exe
c:\tmuninst.ini XQZZRPWO1.waiting

Please upload the suspicious files (only upload files that have not been submitted) on the same service
request using Virus File Upload or File for Verification in the support portal.
We also found the following malicious fileless entries:
Location: HKLM\SOFTWARE\Classes\.waiting\Shell\Open\Command
LaunchString: C:\Windows\System32\mshta.exe "C:\ReadMe.hta"
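The fileless entry above hijacks the handler for the ".waiting" extension so that opening any encrypted file launches the ransom note through mshta.exe, and the .cmd files in the per-user Startup folders listed earlier survive reboots. The following PowerShell script, an added example that is not part of the report, audits both locations on the local host; the list of script hosts it flags is an assumption.

```powershell
# Added example (not from the Trend Micro report): audit the two persistence
# spots ATTK listed above on the local host. Read-only unless -Remove is given,
# and every removal then asks for confirmation.
param([switch]$Remove)

# Script hosts a ransom-note launcher typically abuses (assumption; extend as needed)
$scriptHosts = 'mshta\.exe', 'wscript\.exe', 'cscript\.exe', 'powershell\.exe', 'cmd\.exe'

Write-Host '== Extension handlers under HKLM\SOFTWARE\Classes that launch a script host =='
Get-ChildItem 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like '.*' } |
  ForEach-Object {
    $cmdKey = Join-Path $_.PSPath 'Shell\Open\Command'
    if (Test-Path $cmdKey) {
        # The default value of ...\Shell\Open\Command is the launch string
        $launch = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($launch -and ($scriptHosts | Where-Object { $launch -match $_ })) {
            '{0,-12} {1}' -f $_.PSChildName, $launch   # e.g. .waiting  mshta.exe "C:\ReadMe.hta"
            if ($Remove) { Remove-Item -Path $_.PSPath -Recurse -Force -Confirm }
        }
    }
  }

Write-Host '== Scripts in per-user Startup folders =='
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$scriptExt  = '.cmd', '.bat', '.ps1', '.vbs', '.js'
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = Join-Path $_.FullName $startupRel
    if (Test-Path $dir) {
        Get-ChildItem $dir -File | Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
          ForEach-Object {
            '{0}  (modified {1})' -f $_.FullName, $_.LastWriteTime
            if ($Remove) { Remove-Item -Path $_.FullName -Force -Confirm }
          }
    }
}
```

Collect a copy of anything the script reports before removing it, since the report asks for the suspicious files to be uploaded on the service request.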

Ransomware uses a complicated encryption method that makes restoration through tools difficult, if not
impossible. Unfortunately, ransomware is also known to delete its own copies in order to evade detection and
analysis of its encryption routine. We suggest that you restore the encrypted files from backup.
For more information about RANSOMWARE, kindly follow the link below:
https://success.trendmicro.com/solution/1112223

Also, more information and best practices for preventing ransomware can be found on the following link.
https://success.trendmicro.com/solution/1099423

Other recommendations:

• Always enable your AEGIS (Behavior Monitoring)
• Avoid opening e-mail attachments unless expected.
• Avoid downloading cracked applications.
• Be aware of social engineering attacks to be safe.
• Back up data regularly
