Technical Analysis of Cuba Ransomware
Process / Services Kill List

MySQL, MySQL80, SQLSERVERAGENT, MSSQLSERVER, SQLWriter, SQLTELEMETRY, MSDTC, SQLBrowser, sqlagent.exe, sqlservr.exe, sqlwriter.exe, sqlceip.exe, msdtc.exe, sqlbrowser.exe, vmcompute, vmms, vmwp.exe, vmsp.exe, outlook.exe, MSExchangeUMCR, MSExchangeUM, MSExchangeTransportLogSearch, MSExchangeTransport, MSExchangeThrottling, MSExchangeSubmission, MSExchangeServiceHost, MSExchangeRPC, MSExchangeRepl, MSExchangePOP3BE, MSExchangePop3, MSExchangeNotificationsBroker, MSExchangeMailboxReplication, MSExchangeMailboxAssistants, MSExchangeIS, MSExchangeIMAP4BE, MSExchangeImap4, MSExchangeHMRecovery, MSExchangeHM, MSExchangeFrontEndTransport, MSExchangeFastSearch, MSExchangeEdgeSync, MSExchangeDiagnostics, MSExchangeDelivery, MSExchangeDagMgmt, MSExchangeCompliance, MSExchangeAntispamUpdate
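The kill list above is what the pre-encryption stage looks like in host telemetry: many database, Hyper-V and Exchange services stopping within seconds of each other. As an added example that is not from the report, the Python check below scans constructed records in the shape of Service Control Manager Event ID 7036 ("service entered the stopped state") and flags a burst of kill-list services stopping inside a short window; the single-line record format, the 60-second window and the threshold of three are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Service names taken from the Cuba kill list on this slide (a subset, for brevity).
CUBA_KILL_LIST = {
    "MySQL", "MySQL80", "SQLSERVERAGENT", "MSSQLSERVER", "SQLWriter", "SQLTELEMETRY",
    "MSDTC", "SQLBrowser", "vmcompute", "vmms", "MSExchangeIS", "MSExchangeRPC",
    "MSExchangeTransport", "MSExchangeMailboxAssistants", "MSExchangeFrontEndTransport",
}

# Constructed sample records (assumed one-line format) modelled on Service Control
# Manager Event ID 7036: "<ISO timestamp> 7036 The <name> service entered the stopped state."
SAMPLE_LOG = """\
2023-05-01T10:00:01 7036 The Spooler service entered the stopped state.
2023-05-01T10:02:10 7036 The MSSQLSERVER service entered the stopped state.
2023-05-01T10:02:11 7036 The SQLSERVERAGENT service entered the stopped state.
2023-05-01T10:02:12 7036 The MSExchangeIS service entered the stopped state.
2023-05-01T10:02:13 7036 The MSExchangeTransport service entered the stopped state.
2023-05-01T10:02:14 7036 The vmms service entered the stopped state.
2023-05-01T14:30:00 7036 The MySQL service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the stopped state\.$")

def parse_stops(log_text):
    """Return (timestamp, service_name) for every 7036 'stopped' record."""
    stops = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stops.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return stops

def find_kill_bursts(stops, window=timedelta(seconds=60), threshold=3):
    """Group kill-list service stops within `window` of the group's first stop and
    return (first_timestamp, [services]) for groups of at least `threshold`.
    A lone stop (planned maintenance, a crash) stays below threshold and is not flagged."""
    hits = sorted((ts, svc) for ts, svc in stops if svc in CUBA_KILL_LIST)
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        group = [svc for _, svc in hits[i:j + 1]]
        if len(group) >= threshold:
            bursts.append((hits[i][0], group))
        i = j + 1
    return bursts
```

On the sample data the five stops at 10:02 form one burst, while the Spooler stop (not on the list) and the lone MySQL stop at 14:30 are ignored.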
MITRE ATT&CK Techniques

| Tactic | Technique | Observable | IOCs |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | The Cuba team uses a PowerShell payload to drop Cuba ransomware | f739977004981fbe4a54bc68be18ea79, 68a99624f98b8cd956108fedcc44e07c, bdeb5acc7b569c783f81499f400b2745 |
| Execution | System Services: Service Execution (T1569.002) | | |
| Execution | Shared Modules (T1129) | Cuba ransomware links functions at runtime | Functions: GetModuleHandle, GetProcAddress, GetModuleHandleEx |
| Execution | Command and Scripting Interpreter (T1059) | Cuba ransomware accepts command line arguments | Functions: GetCommandLine |
| Persistence | Create or Modify System Process: Windows Service (T1543.003) | Cuba ransomware can modify services | Functions: OpenService, ChangeServiceConfig |
| Privilege Escalation | Access Token Manipulation (T1134) | Cuba ransomware can adjust access privileges | Functions: SeDebugPrivilege, AdjustTokenPrivileges, LookupPrivilegeValue |