MMPC troubleshooting: A process is attempting to perform a self-deletion action using cmd.exe (action typically associated with ransomware)
Here are a few true positive scenarios of the file self-deletion IOA.
Across the machines that triggered the IOA ‘A process is attempting to perform a self-deletion action using cmd.exe (action typically associated with ransomware)’, the events on each machine follow one distinct pattern.
Here are the observations; in every case the similarity of the pattern is uncanny:
Step 1
It usually starts with a random .exe of very low prevalence (almost a new file in each case), created by an unknown process.
Originating file:
'C:\Users\Administrator\AppData\Local\52CD6491-7665-0829-1BFD-2DC13F95D159}\teni.exe'
OR
'C:\Users\xxxxxx\AppData\Local\3E4A0816-1AE2-64AE-777A-41465312BDDE}\leda.exe'
OR
'C:\Users\xxxxxx\AppData\Local\CADDFC81-EE75-9039-83ED-B5D1A7854949}\fode.exe'
Step 2
Suspicious command lines are then seen run through CMD by the .exe (the encoded parameters passed could not be decoded):
teni.exe /Install /noun /s /RKL*:0S1F1O2Z2W1T1C1P1Y0M1L1R1C1F1B1F1O2Z1Y0W1L1G1Q1F2W1B1Y0C2Y1C1C1P1G2Z0V1P1C1B1L1F1G1Y0U1G1L1G1B2Z1T1I1I1Y2S0EyCyDzztD0EzyzztG0ByC0DzztG0D0FtCzztGtDyByDzztG0A0Fzyzz0DyB0DzzyB0CtCzz2Q* /RVL*:1Q1L1C1L /RLM:1* /aflt=wbf_ir_16_44 /cr=1012365987 /cd=2XzuyEtN2Y1L1Qzuzy0AyD0F0DtAtAyCzyyEyEyBtD0CyCyBtN0D0Tzu0StCyByCyCtN1L2XzutAtFtByEtFtByBtFyDtCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StD0DtBzytD0D0EyBtGyE0D0EtDtG0D0C0F0FtGtByEyBtAtG0AtD0E0AtAyEzytAyDtDzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByE0AyCyDtAzy0FtG0Azy0BzytGyE0F0AzytGzyyDtByEtGyB0AtAtDtB0D0FtByEyC0B0B2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyCtDyC
OR
leda.exe /Install /noun /s /aflt=wncy_dmontlsfs_16_44 /cr=557979711 /cd=2XzuyEtN2Y1L1Qzu0Fzz0BtCyDyC0C0FyC0ByE0CyCtD0EtDtN0D0Tzu0StCyByCyCtN1L2XzutAtFtByEtFzyyBtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StByDtD0C0CyC0B0BtGyCyC0DtDtGtByD0EzztGtC0C0F0AtGtCyB0A0BtBtByByBtByCyD0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0BtDtDtAyCzztC0FtGtDtBtAyBtGyEtDyCyDtG0AyB0BtAtG0DtC0CtByCzy0D0B0D0EyByE2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyCtDyD /RKL*:0S1F1O2Z2W1T1C1P1Y0M1L1R1C1F1B1F1O2Z1Y0W1L1G1Q1F2W1B1Y0C2Y1C1C1P1G2Z0V1P1C1B1L1F1G1Y0U1G1L1G1B2Z1T1I1I1Y2Szz0A0D0FyCtBtC0FtG0D0AyD0FtG0BtAzy0FtGyC0B0D0FtG0CtAtC0F0B0ByD0FtCtDzy0F2Q* /RVL*:2Z1T1C1F /RLM:1*
OR
fode.exe /Install /noun /s /aflt=bdr_s_16_47_wcb_camstd_16_45_cg10615 /cr=115183342 /cd=2XzuyEtN2Y1L1QzuzzyEyB0B0E0BtAzyyEyCtC0D0BzyyEyCtN0D0Tzu0StCyBzytBtN1L2XzutAtFtByDtFtCtFyDtDtN1L1Czu1S1Q1CtBzztFtDtFtCtN1L1G1B1V1N2Y1L1Qzu2StCyBzytA0A0EzztAtGtC0B0CyBtGyEtCtBtAtGyBtA0FyEtG0AtAyDtAtByC0AtB0CtB0AyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzz0B0AtDzz0E0BtG0E0BtC0CtGyE0DyDzytG0B0BtDyBtGyDzz0F0EtD0AtD0B0AyD0DyE2QtN0A0LzuyE /UDAT0=0Czx1Y0U1B1P1C1B1Y2XtG1F1I1Q1P1G1L1Y0A1E1E0D1T2Z1T1Y0L1F1R1T1I1Y2S0C0A0D0D0F2PtC1Y1G1T1I1T /RKL:0S1F1O2Z2W1T1C1P1Y0M1L1R1C1F1B1F1O2Z1Y0W1L1G1Q1F2W1B1Y0C2Y1C1C1P1G2Z0V1P1C1B1L1F1G1Y0U1G1L1G1B2Z1T1I1I1Y2S0C0BtA0BtBtA0F0BtGzy0B0B0BtG0FtByB0BtGtB0AtA0BtGzztB0F0B0F0A0B0ByDtCyB0B2Q /RVL:1G1T1R1L /RLM:1
^^Encoded parameters. The same switches (/Install /noun /s, /aflt, /cr, /cd, /RKL, /RVL, /RLM) recur across all three command lines, with different encoded values.
Step 3
Usually most of them made registry changes to the Windows internet connection settings:
HKEY_CURRENT_USER\S-1-5-21-127505850-1946768599-533122814-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
or
HKEY_CURRENT_USER\S-1-5-21-2127521184-1604012920-1887927527-23470725\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
(The changed key values were unavailable.)
Step 4
Next, these random .exe files join a pair of .dat binaries from the C:\Users\xxxxxx\AppData\Local\Temp directory to create a few secondary .exe files, deleting the .dat files immediately afterwards:
Example1
d /c cmd /d /c copy /B /Y /V "C:\Users\xxxxxx\AppData\Local\Temp\D95315141353061.dat"+"C:\Users\xxxxxx\AppData\Local\Temp\D95315141353062.dat" "C:\Users\xxxxxx\AppData\Local\Dolot\UpdateTaskUpdate.exe" & cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D95315141353061.dat" & cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D95315141353062.dat"
Example2
d /c cmd /d /c copy /B /Y /V "C:\Users\xxxxxx \AppData\Local\Temp\D15617369509451.dat"+"C:\Users\xxxxxx\AppData\Local\Temp\D15617369509452.dat" "C:\Users\xxxxxx\AppData\Roaming\65763B~1\sync.exe" & cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D15617369509451.dat" & cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D15617369509452.dat"
Example3
d /c cmd /d /c copy /B /Y /V "C:\Users\xxxxxx\AppData\Local\Temp\D37518473685501.dat"+"C:\Users\xxxxxx \AppData\Local\Temp\D37518473685502.dat" "C:\PROGRA~2\COMMON~1\10B676~1\productupdt.exe" & cmd /d /c del "C:\Users\xxxxxx \AppData\Local\Temp\D37518473685501.dat" & cmd /d /c del "C:\Users\xxxxxx \AppData\Local\Temp\D37518473685502.dat"
^^Note the .dat files are unique, with no prevalence, and follow a standard naming convention of a consecutive sequence number.
**We tried to fetch the secondary .exe files (UpdateTaskUpdate.exe, sync.exe, productupdt.exe) from the users.
Step 5
Finally, the primary random .exe self-deletes, a typical sign of a ransomware infection:
d /c TIMEOUT 3 & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\52CD6~1\teni.exe"
d /c TIMEOUT 3 & cmd /d /c del "C:\Users\xxxxxx \AppData\Local\3E4A0~1\leda.exe"
d /c TIMEOUT 3 & cmd /d /c del "C:\Users\xxxxxx\AppData\Local\ABB19~1\cici.exe"
d /c TIMEOUT 3 & cmd /d /c del "C:\Users\xxxxxx \AppData\Local\CADDFC81-EE75-9039-83ED-B5D1A7854949}\fode.exe"
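The five steps above can be hunted for directly in process-creation telemetry. The following is an added example, not part of the original note or of any MMPC tooling: a small Python detector that scans cmd.exe command lines for the Step 4 pattern (a `copy /B` join of two .dat files into a binary, followed by `del` of both inputs) and the Step 5 pattern (a delayed `del` whose target has the same file name as the parent process image), plus a check for the Step 3 registry key. The event records are constructed here for illustration; the field names `parent_image` and `cmdline` are assumptions about the telemetry schema, and the command lines deliberately keep the truncated `d /c` prefix as it appears in the captures above, so the rules anchor on `copy`, `del` and `TIMEOUT` rather than on the leading `cmd`.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed telemetry records (illustrative, not real captures). The field
# names "parent_image" and "cmdline" are an assumed schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Step 4 shape: join two .dat files into an .exe, then delete both .dat files
        "parent_image": r"C:\Users\xxxxxx\AppData\Local\3E4A0816-1AE2-64AE-777A-41465312BDDE}\leda.exe",
        "cmdline": r'd /c cmd /d /c copy /B /Y /V "C:\Users\xxxxxx\AppData\Local\Temp\D15617369509451.dat"'
                   r'+"C:\Users\xxxxxx\AppData\Local\Temp\D15617369509452.dat" '
                   r'"C:\Users\xxxxxx\AppData\Roaming\65763B~1\sync.exe" '
                   r'& cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D15617369509451.dat" '
                   r'& cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\D15617369509452.dat"',
    },
    {  # Step 5 shape: delayed deletion of the parent's own image
        "parent_image": r"C:\Users\Administrator\AppData\Local\52CD6491-7665-0829-1BFD-2DC13F95D159}\teni.exe",
        "cmdline": r'd /c TIMEOUT 3 & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\52CD6~1\teni.exe"',
    },
    {  # Binary copy that joins non-.dat parts and deletes nothing: not flagged
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "cmdline": r'cmd /d /c copy /B /Y /V "C:\build\part1.bin"+"C:\build\part2.bin" "C:\build\out.bin"',
    },
    {  # Ordinary cleanup of a log file by an installer: not self-deletion
        "parent_image": r"C:\Program Files\Installer\setup.exe",
        "cmdline": r'cmd /d /c del "C:\Users\xxxxxx\AppData\Local\Temp\installer.log"',
    },
]

# copy [/switches] "src1"+"src2" "dst"  (switches are single letters such as /B /Y /V)
COPY_JOIN = re.compile(r'copy\s+(?:/[A-Za-z]\s+)*"([^"]+)"\+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)
DEL_CMD = re.compile(r'\bdel\s+"([^"]+)"', re.IGNORECASE)
TIMEOUT_CMD = re.compile(r'\btimeout\s+\d+', re.IGNORECASE)
# Step 3: the key the note reports being modified (matched on the key path tail)
INET_CONNECTIONS_KEY = re.compile(
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections$', re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if nothing matches."""
    cmd = event["cmdline"]
    deleted = DEL_CMD.findall(cmd)
    deleted_lower = {ntpath.normpath(p).lower() for p in deleted}

    # Step 4: two .dat fragments joined into an executable/DLL, inputs removed afterwards
    m = COPY_JOIN.search(cmd)
    if m:
        src1, src2, dst = m.groups()
        if (src1.lower().endswith(".dat") and src2.lower().endswith(".dat")
                and dst.lower().endswith((".exe", ".dll"))):
            inputs_deleted = {ntpath.normpath(src1).lower(), ntpath.normpath(src2).lower()} <= deleted_lower
            return {"rule": "dat_join_to_binary", "output": dst, "inputs_deleted": inputs_deleted}

    # Step 5: a del whose target file name equals the parent's image name.
    # Only the basename is compared, because the captured paths use 8.3 short
    # names (ADMINI~1, 52CD6~1) that do not string-match the long parent path.
    parent_name = ntpath.basename(event["parent_image"]).lower()
    for target in deleted:
        if ntpath.basename(target).lower() == parent_name:
            return {"rule": "self_delete", "target": target, "delayed": bool(TIMEOUT_CMD.search(cmd))}
    return None


def is_inet_connections_key(key_path: str) -> bool:
    """True when a registry-write event targets the Internet Settings\\Connections key (Step 3)."""
    return INET_CONNECTIONS_KEY.search(key_path.rstrip("\\")) is not None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep the index of each hit."""
    findings = []
    for idx, ev in enumerate(events):
        hit = classify(ev)
        if hit:
            findings.append({"index": idx, **hit})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Run on the constructed batch, `hunt()` reports the .dat-join event (with both inputs deleted) and the delayed self-deletion, and stays quiet on the two benign records. The `inputs_deleted` flag is worth keeping as a separate field: a join without the follow-up `del` is still unusual enough to review, but the combination is what matches the timeline described in this note.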
Outcome
MMPC doesn’t have a signature for any of the hashes of the primary .exe, and none of the sample files could be found, including the .dat files it accessed.
However, we did retrieve a few secondary .exe files from a couple of machines and submitted them to MMPC, where they were classified as a browser modifier (BrowserModifier:Win32/Prifou).
So, to sum up the impact we could assess from the timeline: the primary .exe changes a registry setting for the Windows internet connection, and the secondary .exe modifies the browser settings on the machine.
Analyzing the machine timeline further reveals that the initial .exe files were all created by joining two similar .dat files, initiated by some setup.exe file. This technique of using CMD to join intermediate .dll binaries together to create a new .exe has been the primary point of interest in the entire investigation.
Also, an important point noted for all the machines with file self-deletion IOAs is that each had a ‘Sqlite3.dll’ created on it, again by joining .dat files, by the same setup.exe file (usually from the Temp or Roaming folders), which VT often identified as an application bundler.