e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c

General

Target

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
Size

7KB
MD5

ebbc82f619471384f392efd5c4d05883
SHA1

17d91b45c8615d0f09d1100d2be396cbcba21fde
SHA256

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c
SHA512

3e33bd22c440e9ab4a065d216467c1220780aa2a39a38ea4aec81d050d3e6048e87244341fbeac2cdefebae9fe987b713e0d4fcf34adf1390b5ccda6dd448241

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\!_READ_ME_!.txt

Ransom Note

Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: saveinfo89@yahoo.com === BEGIN === AD7D6889 010200000168000000A4000094959FA68FC849B1 D588B4A8BB946B48C8C1F20785D20A609ADA6DA9 C5485641F50A2BB3CCCA0FD4712DB1702CE83D72 E2D6AD414B26ABC41356D000F956E580A000AA12 27D627D7C40D79C20AF94D62587ECA2CE3288754 81B9EA302642A744ED9F4A08DF4062A3A6E3DD8F 4977DBA10ABE5552070316A6DE8DBDDC3D7ED346 === END ===

Emails

saveinfo89@yahoo.com

Signatures

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1532 WScript.exe

pid	process
1532	WScript.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	ioc	process
File opened (read-only)	\??\O:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Q:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\R:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\U:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\H:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\K:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\J:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\P:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\S:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\F:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\G:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\L:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\M:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\N:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\V:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Y:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\E:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\I:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\X:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Z:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\T:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\W:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.JS._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\TIME.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\SETUP.XML._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	pid	process	target process
PID 1708 wrote to memory of 1532	1708	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe
PID 1708 wrote to memory of 1532	1708	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe
PID 1708 wrote to memory of 1532	1708	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe
PID 1708 wrote to memory of 1532	1708	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.vbs"
2⤵
- Deletes itself
PID:1532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.vbs
MD5
aadec5d9ed737fb7491d58088cf11345

SHA1
caaed15d7bbd693020a7dcf4a6a9866c17c6d8d9

SHA256
c8d7e47fcb3a4345202f7ef3fd0db90eb1a1b9cab44e91a9befab3ec3dfa6476

SHA512
abfdde6d7176384b5f5a92a1373f8ae41789f8a3d1d88313d1c85bd742e4d824a203430db2efa2a09bd6c43595219cf2dfdd00281de68c001fa62bc70cafb1ac

Download Submit
memory/1532-61-0x0000000000000000-mapping.dmp

Download
memory/1708-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads