SECURITY INCIDENT ANALYSIS REPORT
CASE NUMBER: 04380946
[TEAMLEASE SERVICES PVT LTD]
Trend Micro Confidential
This document was created for the specific purpose of providing a Security Incident analysis report on the data collected
from case submission. Disclosure of any of the information contained in this document to external organizations without
approval and an accompanying NDA is prohibited.
Copyright © 2020 Trend Micro Incorporated. All rights reserved.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Trend Micro Incorporated.
Version | Date | Description
0.1 | 4/23/2021 5:00 PM GMT +8 | Document Creation
0.2 | 4/25/2021 7:00 PM GMT +8 | Analysis of machine FinanceApps
CONFIDENTIAL – Release Pursuant to NDA – CONFIDENTIAL Security Incident Analysis Report |2
Table of Contents
SERVICE REQUEST DETAILS  4
BACKGROUND OF THE INCIDENT  4
SCOPE OF ANALYSIS  4
THREAT OVERVIEW  5
KEY FINDINGS  5
DETAILED FINDINGS A. FINANCEAPPS_172.50.0.52 (INFECTED APPLICATION SERVER)  6
ACTION ITEMS  8
RESOLUTION/PREVENTION RECOMMENDATIONS  9
I. CONTAINMENT (Stopping the spread and preventing further damage)  9
II. ERADICATION (Removal of malware artifacts from infected systems, mitigation of weaknesses and vulnerabilities)  10
III. RECOVERY (Restoring the functionality and data of infected systems in a safe manner, removing temporary containment measures)  10
APPENDIX  10
ATTK LOG ANALYSIS  11
A. FINANCEAPPS_172.50.0.52  11
SERVICE REQUEST DETAILS
Service Request: 04380946
Products: Apex One
Customer Type: ENT
BACKGROUND OF THE INCIDENT
On Thursday, 8 April 2021 at around 4:32 PM GMT +8, Trend Micro received a case from Teamlease
Services Pvt Ltd about a ransomware infection that affected 2 servers installed with Apex One. Based on the
ransom note detection log collected from the Apex One console, the incident is related to a Crytox
ransomware infection.
SCOPE OF ANALYSIS
This investigation report was created from the collected evidence listed below:
1. Forensic Logs

Host Name (IP) | Forensic Toolkit Logs Collected (ATTK) | Forensic Toolkit Logs Collected (TMIK/TMFK) | Remarks
FinanceApps_172.50.0.52 | Yes | Yes | Infected Application server

The Trend Micro Forensic Toolkit (TMFK) was used to collect Windows forensic artifacts such as the
master file table (MFT), registry hives, event logs, etc.
THREAT OVERVIEW
Based on the information gathered so far, the machines were infected by Crytox Ransomware.
This ransomware normally arrives via Remote Desktop Protocol brute force. It has also been observed to encrypt
files on fixed, removable and network drives, and to use the Utox messaging application as an
alternative channel of communication between the victim(s) and the threat actor(s). It also deletes itself after
execution.
It drops the following file(s) as ransom note:
KEY FINDINGS
- Compromised account: FINANCEAPPS\Administrator
- Attacker tried to uninstall/disable the Apex One Agent
- Multiple AV tools detected on the day of infection
- Behavior Monitoring Lightweight Protection is enabled
DETAILED FINDINGS
A. FinanceApps_172.50.0.52 (Infected Application server)
- Apex One Agent installed
TMFK Detailed Findings:
- Time of infection: 04/07/2021 04:45:25 PM IST
  o The appended extension is XQZZRPWO1.waiting
- Compromised account: FINANCEAPPS\Administrator
- Suspicious executable files observed prior to infection:
  o C:\collector64\Collector.exe
  o C:\Users\Administrator\Desktop\collector64\Collector.exe
  o D:\collector64\Collector.exe
  o \\10.6.3.20\Advent\FileUploadAutomation\TEAMLEASE\BANK_LETTERS\ALCS\collector64
- Many power tools / AV-disabling tools were detected on the day of infection.
- Behavior Monitoring Lightweight Protection is enabled
Date/Time (IST) | Source | Description | Remarks
04/07/2021 01:32:48 PM | EVT | Remote Desktop Services: Session logon succeeded. User: FINANCEAPPS\Administrator, Session ID: 7, Source Network Address: 185.20.185.52 | Suspicious login using FINANCEAPPS\Administrator from 185.20.185.52
04/07/2021 01:33:20 PM | MFT | \Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\OFCNTINST.lnk | Attacker tried to uninstall Apex One Agent
04/07/2021 01:35:09 PM | MFT | \Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Uninstall a program (2).lnk | Attacker tried to uninstall Apex One Agent
04/07/2021 01:35:26 PM | EVT | The following information was included with the event (insertion strings): Security Agent uninstallation attempted. User: Administrator | Attacker tried to uninstall Apex One Agent
04/07/2021 01:39:48 PM | EVT | The Trend Micro Cloud Endpoint Telemetry Service service entered the stopped state. | Trend Micro services startup type was modified
04/07/2021 01:39:51 PM | EVT | The start type of the Trend Micro Cloud Endpoint Telemetry Service service was changed from auto start to disabled. | Trend Micro services startup type was modified
04/07/2021 01:40:02 PM | EVT | The Trend Micro Endpoint Basecamp service entered the stopped state. | Trend Micro services startup type was modified
04/07/2021 01:40:04 PM | EVT | The start type of the Trend Micro Endpoint Basecamp service was changed from auto start to disabled. | Trend Micro services startup type was modified
04/07/2021 01:49:01 PM | EVT | The program or feature "\??\C:\Users\Administrator\Desktop\find.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available. | Suspicious file having an issue with compatibility
04/07/2021 01:50:28 PM | REG | C:\Windows\RegBootClean64.exe | Indication that the Apex One agent detected a file
04/07/2021 01:52:29 PM | REG | C:\Users\Administrator\Downloads\pscan24.exe was executed | Tool used in reconnaissance
04/07/2021 01:52:49 PM | REG | C:\Users\Administrator\AppData\Local\Temp\7\Advanced Port Scanner 2\advanced_port_scanner.exe was executed | Tool used in reconnaissance
04/07/2021 02:01:47 PM | REG | C:\Users\Administrator\Desktop\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:02:18 PM | REG | C:\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:02:57 PM | REG | {F38BF404-1D43-42F2-9305-67DE0B28FC23}\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:04:00 PM | REG | D:\collector64\Collector.exe | Suspicious file executed
04/07/2021 02:07:00 PM | REG | \\10.6.3.20\Advent\FileUploadAutomation\TEAMLEASE\BANK_LETTERS\ALCS\collector64 | Suspicious file was accessed on a shared folder of the FINANCEAPPS machine
04/07/2021 02:07:57 PM | EVT | The start type of the Trend Micro Unauthorized Change Prevention Service service was changed from demand start to disabled. | Trend Micro Behavior Monitoring startup type was changed
04/07/2021 04:45:02 PM | MFT | \Windows\utox.exe | Component files normally dropped by the ransomware
04/07/2021 04:45:03 PM | MFT | \Windows\pghdn.txt | Component files normally dropped by the ransomware
04/07/2021 04:45:25 PM | MFT | \Users\adventbiz\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak XQZZRPWO1.waiting | First encrypted file
04/07/2021 04:46:32 PM | MFT | \MyWork\Advent\ETL\data\TML\TML-COR\TML-COR-BEN\TML-COR-BEN-0015\ZData\ReadMe.hta | First ransom note dropped
04/07/2021 05:01:16 PM | EVT | The process C:\Windows\system32\winlogon.exe (FINANCEAPPS) has initiated the power off of computer FINANCEAPPS on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason Code: 0x500ff. Shutdown Type: power off | Machine was shut down
HackTool/Spyware detections on the same day of infection:
Malware detection(s) on the same day of infection:
Behavior Monitoring Lightweight Protection was enabled prior to infection:
ACTION ITEMS
Item # | Title | Description | Remarks
1 | Collection of suspicious file | Collect the following suspicious files: C:\Users\Administrator\Desktop\collector64\Collector.exe; C:\Windows\collector64\Collector.exe; D:\collector64\Collector.exe | Done - Not found
2 | Change password for compromised account | Reset password for compromised account: FINANCEAPPS\Administrator | Done
3 | IP verification | Confirm whether IP 185.20.185.52 is a known IP from the customer's end. If not, kindly block it on the public-facing firewall. | Done
RESOLUTION/PREVENTION RECOMMENDATIONS
I. CONTAINMENT (Stopping the spread and preventing further damage)
- Make sure all Trend Micro product settings are configured to best protect against malware
infection: https://success.trendmicro.com/solution/1118282
- Immediately change the password of the compromised account:
  o FinanceApps\Administrator
- Include as well all domain administrator, local administrator, and service accounts, and
enforce entirely new and strong passwords.
  o Changing a password by just adding or removing a few characters is a bad habit. Example:
    [Bad Habit]
    Old Pass: 14YellowHorse$
    New Pass: 15YellowHorse$
    [Good habit]
    Old Pass: 14YellowHorse$
    New Pass: !jb14nhYestrday
- Follow Microsoft's recommendation for securing the built-in administrator accounts.
- Multi-Factor Authentication is also advisable.
- Attacks nowadays are advanced and sophisticated; a solution with coverage for these TTPs and
IOAs, such as Trend Micro's XDR, gives administrators high visibility and the ability to respond
quickly in ways that common/traditional security solutions do not support.
- Review the current access policy and network firewall policy on the machines, as the logs show
that an external IP connected to them directly.
- It is recommended to secure RDP sessions. Here are some RDP-related recommendations to
enhance RDP access:
  o Administrators managing remote desktops are recommended to close RDP access if
possible, or otherwise change the RDP port to a non-standard port.
  o Require a VPN connection before the RDP server can be accessed.
  o Updating and strengthening RDP credentials, as well as implementing two-factor
authentication, account lockout policies and user permission/restriction rules, can
make them more resistant to brute force attacks.
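An added example, not from the Trend Micro report, that enforces the password rotation rule above: it rejects a new password that is only a small edit of the old one, using the page's 14YellowHorse$ / 15YellowHorse$ / !jb14nhYestrday values as inputs. The length and similarity thresholds are assumptions.

```python
# Reject a "new" password that is only a small edit of the old one
# (14YellowHorse$ -> 15YellowHorse$). Thresholds below are assumptions, not Trend Micro's.
MIN_LENGTH = 12
MAX_EDITS = 3          # at most this many single-character changes counts as the same password
MAX_SIMILARITY = 0.6   # normalised similarity above which the new password is rejected


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with a few characters added, removed or changed."""
    o, n = old.lower(), new.lower()          # a case change alone is not a new password
    if o in n or n in o:                     # old password embedded, e.g. with a year suffixed
        return True
    dist = levenshtein(o, n)
    similarity = 1 - dist / max(len(o), len(n))
    return dist <= MAX_EDITS or similarity >= MAX_SIMILARITY


def check_rotation(old: str, new: str):
    """Return (accepted, reason) for a proposed password change."""
    if len(new) < MIN_LENGTH:
        return False, f"new password shorter than {MIN_LENGTH} characters"
    if is_trivial_variant(old, new):
        return False, "new password is a minor variation of the old one"
    return True, "ok"
```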
II. ERADICATION (Removal of malware artifacts from infected systems, mitigation of
weaknesses and vulnerabilities)
- Make sure all machines have the security agent installed.
- Make sure all machines have an updated pattern and perform a scan to clean them, as
the ransomware is already covered by the signature-based pattern.
- Make sure the operating systems and installed applications of all machines are up to date.
III. RECOVERY (Restoring the functionality and data of infected systems in a safe manner,
removing temporary containment measures)
It is recommended to restore from back-up all encrypted files. One good safe computing
practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be
in play: three copies, two different media, one separate location. Windows has a feature
called Volume Shadow Copy that allows you to restore files to their previous state, and is
enabled by default.
Appendix
File | Hash (SHA1) | Detection | Comment
ReadMe.hta | 33C9B5767995B4E9C4B567120D91DC91F7C70927 | Ransom.HTML.CRYTOX.SM.note | Ransom note
rwjfk.bat | ed3b8509ff3f9e849f2c2450d14f09a33ea1785e | Ransom.BAT.CRYTOX.A | Component
ATTK LOG ANALYSIS
A. FinanceApps_172.50.0.52
ATTK Build Version: 1.62.0.1252
Customer's GUID: e346e259-9be6-43be-a001-3f4dda206bfb
Computer Name: FINANCEAPPS
User Name: Administrator
Local IP Address: 172.50.0.52
Date/Time: 04-22-2021 14:01:37
Suspicious files:
c:\users\.net v2.0\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v2.0 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\.net v4.5 classic\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\administrator\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\users\classic .net apppool\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetupinit.cmd
c:\users\domadmin\appdata\roaming\microsoft\windows\start menu\programs\startup\runwallpapersetup.cmd
c:\windows\appcompat\zz.bat
c:\windows\temp\userscript.ps1
C:\Users\Administrator\Desktop\dInvest\Autoruns\a.exe
C:\Users\Administrator\Desktop\dInvest\Autoruns\Autoruns.exe
c:\tmuninst.ini XQZZRPWO1.waiting
Please upload the suspicious files (only upload files that have not been submitted) on the same service
request using Virus File Upload or File for Verification in the support portal.
We also found the following malicious fileless entries:
Location: HKLM\SOFTWARE\Classes\.waiting\Shell\Open\Command
LaunchString: C:\Windows\System32\mshta.exe "C:\ReadMe.hta"
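An added Python triage script, not part of the Trend Micro report or of ATTK, that runs the checks the detailed-findings timeline and the fileless entry above call for over constructed sample records: successful RDP logons from outside the internal ranges, Trend Micro services switched to disabled, agent uninstall attempts, and file-extension handlers that hand a file to a script host such as mshta. The 172.50.0.0/16 internal range and every sample record are assumptions.

```python
import ipaddress
import re
# Constructed sample records modelled on the report's timeline; they are not real log exports.
EVENTS = [
    {"time": "04/07/2021 01:32:48 PM", "text": "Remote Desktop Services: Session logon succeeded: User: FINANCEAPPS\\Administrator Session ID: 7 Source Network Address: 185.20.185.52"},
    {"time": "04/07/2021 01:35:26 PM", "text": "Security Agent uninstallation attempted. User: Administrator"},
    {"time": "04/07/2021 01:39:51 PM", "text": "The start type of the Trend Micro Cloud Endpoint Telemetry Service service was changed from auto start to disabled"},
    {"time": "04/07/2021 02:07:57 PM", "text": "The start type of the Trend Micro Unauthorized Change Prevention Service service was changed from demand start to disabled."},
    {"time": "04/07/2021 03:00:00 PM", "text": "Remote Desktop Services: Session logon succeeded: User: FINANCEAPPS\\svc_backup Session ID: 9 Source Network Address: 172.50.0.10"},
]
# Constructed registry snapshot: the fileless entry from the ATTK appendix plus a benign handler.
REGISTRY = {
    r"HKLM\SOFTWARE\Classes\.waiting\Shell\Open\Command": r'C:\Windows\System32\mshta.exe "C:\ReadMe.hta"',
    r"HKLM\SOFTWARE\Classes\.txt\Shell\Open\Command": r'C:\Windows\System32\notepad.exe "%1"',
}
# Assumed: the customer's 172.50.0.0/16 is internal although it is not RFC 1918, so is_private alone would misclassify it.
INTERNAL_NETS = [ipaddress.ip_network("172.50.0.0/16")]

RDP_LOGON = re.compile(r"Session logon succeeded: User: (\S+).*Source Network Address: ([\d.]+)")
SVC_DISABLED = re.compile(r"start type of the (Trend Micro .+?) service was changed from .+? to disabled")
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")
EXT_HANDLER = re.compile(r"Classes\\(\.[^\\]+)\\Shell\\Open\\Command$", re.IGNORECASE)

def external_rdp_logons(events, internal_nets=INTERNAL_NETS):
    """(user, ip) for successful RDP logons from outside private and listed internal ranges."""
    hits = []
    for ev in events:
        m = RDP_LOGON.search(ev["text"])
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(2))
        if not ip.is_private and not any(ip in net for net in internal_nets):
            hits.append((m.group(1), m.group(2)))
    return hits

def disabled_security_services(events):
    """Names of Trend Micro services whose start type was switched to disabled."""
    return [m.group(1) for ev in events if (m := SVC_DISABLED.search(ev["text"]))]

def script_host_extension_handlers(registry):
    """Shell\\Open\\Command handlers that pass a file extension to a script host (mshta for .waiting)."""
    return [(m.group(1), cmd) for key, cmd in registry.items()
            if (m := EXT_HANDLER.search(key)) and any(h in cmd.lower() for h in SCRIPT_HOSTS)]

def triage(events, registry):
    """Collect human-readable alerts for the indicators the report's timeline highlights."""
    alerts = [f"external RDP logon {u} from {ip}" for u, ip in external_rdp_logons(events)]
    alerts += [f"security service disabled: {s}" for s in disabled_security_services(events)]
    alerts += [f"agent uninstall attempted at {ev['time']}" for ev in events if "Security Agent uninstallation attempted" in ev["text"]]
    alerts += [f"extension {e} opens via script host: {c}" for e, c in script_host_extension_handlers(registry)]
    return alerts
```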
Ransomware uses complicated encryption methods that make restoration through tools difficult, if not
impossible. Unfortunately, ransomware is also known to delete its own copies in order to evade detection and
the reversal of its encryption routine. We suggest that you restore the encrypted files from backup.
For more information about RANSOMWARE, kindly follow the link below:
https://success.trendmicro.com/solution/1112223
Also, more information and best practices for preventing ransomware can be found on the following link.
https://success.trendmicro.com/solution/1099423
Other recommendations:
- Always enable AEGIS (Behavior Monitoring).
- Avoid opening e-mail attachments unless expected.
- Avoid downloading cracked applications.
- Be aware of social engineering attacks.
- Back up data regularly.