so after abit of research heres my conclusion .
above 4 pcs (the dc server aswell) were infected , some of them are windows 7 and some are windows 10.
the server itself is a windows server 2012 R2
all pcs had their sys version above eternal blue version, meaning they did not transfer this way.
i thought about keepblue (since on the windows 7 didn't had the patch), however that does not answer why win 10s and the server itself got infected.
u could say it infected the active directory files and some one clicked it, however no one was in work at 02:20 AM to click on a file.
when searching on the infected PCs, i saw the first files that showed up with ares666 was at 02:01 AM (8 jul,19) (reception pc)
on the pc i did the investigation on, the first file show up at 02:20
BUT right before the first file aka ".DF7ADA61E0284DDD4F1E" showed up awhost32 was open.
the most important information is right after this file ".DF7ADA61E0284DDD4F1E" showed up , processhacker.exe was run apparently the ransomware downloaded it and ran it, since i dont have it.
now i've looked something really intresting , no one of the files were crypted right away, FIRST it went into all directory and begun to infect all directory with .DF7ADA61E0284DDD4F1E and the HOW TO text file
after a 1 min+- it begun to crypt the files, now u are asking urself how?
another process was run named ares666.exe which my guess is the file that crypted the files.
note that this .DF7ADA61E0284DDD4F1E is an excutable file but crypted, i can that because it runs on startup,
my thought was if it runs on startup and the file is crypted, than it must have something in the registery , however i could not find anything (perhaps im lacking of experience )
but i did manage to find something interesting when searching for ares666.
in PendingFileRenameOperations
(just to mention it is just an imported hive, system inf= system reg file) HKEY_LOCAL_MACHINE\system inf\ControlSet001\Control\Session Manager
this what was find there.
C:\Users\administrator\Downloads\build\PH 2.39\Ares666.exe
thats it about the ares666
but when searching PROCESSHACKER in the registery , u found multiple registery
LEGACY_KPROCESSHACKER3
HKEY_LOCAL_MACHINE\system inf\ControlSet001\Enum\Root\LEGACY_KPROCESSHACKER3
next was HKEY_LOCAL_MACHINE\system inf\ControlSet001\services\KProcessHacker3
this this reg directory
ImagePath
C:\Users\administrator\Downloads\build\PH 2.39\x86\kprocesshacker.sys this was find
inside the build folder, those files were not there (unfortunately ) , i tried to use easus recovery to maybe recover the file but i could not,
instead i found out that. a file named ids.txt was there.
inside of that file, u can find all encrypted files (the path of them)
and the ur "id" probably the pub key.
i'd like to mention that user administrator was not in used by anyone.
inside %appdata% i could find "Process Hacker 2" folder funny thing is his files were crypted aswell (extension ares666)
inside %temp% in appdata (of administrator user), a file named ArmUI.ini was there. can be find here > https://pastebin.com/6aW64w2v
thats about it i think.
hope i helped the community with all of this.
i gathered some of the files crypted one , and the one that i showed here (register directories and pf files ) and the HOW TO(from a different pc),
if u'd like the files to investigate or w.e drop ur email here.
i have yet found how it got transfer and infected to other pc on the network, and how its possible it reached so many pcs on the network, which they were pretty updated (against eternalblue , and keepblue)
if u could help me to find how and where to look for that would be great .
thanks.
