Kill list

Services stopped before encryption: MySQL, MySQL80, SQLSERVERAGENT, MSSQLSERVER, SQLWriter, SQLTELEMETRY, MSDTC, SQLBrowser, vmcompute, vmms, MSExchangeUMCR, MSExchangeUM, MSExchangeTransportLogSearch, MSExchangeTransport, MSExchangeThrottling, MSExchangeSubmission, MSExchangeServiceHost, MSExchangeRPC, MSExchangeRepl, MSExchangePOP3BE, MSExchangePop3, MSExchangeNotificationsBroker, MSExchangeMailboxReplication, MSExchangeMailboxAssistants, MSExchangeIS, MSExchangeIMAP4BE, MSExchangeImap4, MSExchangeHMRecovery, MSExchangeHM, MSExchangeFrontEndTransport, MSExchangeFastSearch, MSExchangeEdgeSync, MSExchangeDiagnostics, MSExchangeDelivery, MSExchangeDagMgmt, MSExchangeCompliance, MSExchangeAntispamUpdate

Processes terminated before encryption: sqlagent.exe, sqlservr.exe, sqlwriter.exe, sqlceip.exe, msdtc.exe, sqlbrowser.exe, vmwp.exe, vmsp.exe, outlook.exe

The list targets database, Hyper-V and Exchange components so that open file handles and transaction logs do not block encryption of their data files.

MITRE ATT&CK Techniques

Tactic              | Technique                                                         | Observable IOCs
--------------------|-------------------------------------------------------------------|-------------------------------------------------------------------------
Execution           | Command and Scripting Interpreter: PowerShell (T1059.001)         | The Cuba group uses a PowerShell payload to drop the Cuba ransomware. MD5: f739977004981fbe4a54bc68be18ea79, 68a99624f98b8cd956108fedcc44e07c, bdeb5acc7b569c783f81499f400b2745
Execution           | System Services: Service Execution (T1569.002)                    |
Execution           | Shared Modules (T1129)                                            | Cuba ransomware resolves API functions at runtime. Functions: GetModuleHandle, GetProcAddress, GetModuleHandleEx
Execution           | Command and Scripting Interpreter (T1059)                         | Cuba ransomware accepts command-line arguments. Functions: GetCommandLine
Persistence         | Create or Modify System Process: Windows Service (T1543.003)      | Cuba ransomware can modify service configuration. Functions: OpenService, ChangeServiceConfig
Privilege Escalation| Access Token Manipulation (T1134)                                 | Cuba ransomware adjusts its own token privileges. Functions: LookupPrivilegeValue, AdjustTokenPrivileges; privilege requested: SeDebugPrivilege