Resubmissions

21-10-2021 17:46

211021-wccdbaaeg7 10

19-10-2021 05:55

211019-gmgy8agbfr 10

Analysis

  • max time kernel
    79s
  • max time network
    156s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    21-10-2021 17:46

General

  • Target

    5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe

  • Size

    938KB

  • MD5

    17b447b971a4977b2bfb2c28659aa1dd

  • SHA1

    4af0fc90413fffcb4f73839adcae91ccdcc7c4f0

  • SHA256

    5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b

  • SHA512

    a92fdc07cbf295bbf90174820a1a24b7909bd55845acd6f01ca36a2540aed822f6a9fca8d5d78052917b55355c65ad2a80cde03f285493277162691f51c39949

Score
10/10

Malware Config

Extracted

Path

C:\Users\Public\index.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Atom Slio: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Atom Slio" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> .text{ text-align:center; } a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #f3f3fc; border: 2pt solid #bda; display: inline-block; padding: 1%; text-align: center; box-sizing:border-box; border-radius:20px; } .h { display: none; } .ml1{ position:absolute;width:50%;height:10rem;left:-211px;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2% 2% } </style> </head> <body> <div class="container"> <div class="header"> <h1>Atom Slio</h1> <small id="title">Instructions</small> </div> <div class="text"> <span style="color:#f71b3a;font-size:40px">WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!</span> </div> <hr> <div class="info"> <p>We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.</p> <p>But don’t worry, your files are safe, provided that you are willing to pay the ransom.</p> <p>Any forced shutdown or attempts to restore your files with the thrid-party software will be <span style="color:#f71b3a">damage your files permanently!</span></p> <p>The only way to decrypt your files safely is to buy the special decryption software from us. </p> <p>The price of decryption software is <span style="color:#f71b3a">200000 dollars</span>. <br>If you pay within 48 hours, you only need to pay <span style="color:#f71b3a">50% off dollars</span>. No price reduction is accepted.</p> <p>We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. </p> <p>You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files</p> </div> <hr></hr> <div align="center"> <span style="color:#f71b3a;font-size:200%">Time starts at 0:00 on September 28</span> <hr></hr> <span style="color:#f71b3a;font-size:300%"> <a>Survival time:</a> <span id="td"></span> <span id="th"></span> <span id="tm"></span> <span id="ts"></span> </span> </div> <script type="text/javascript"> function getRTime(){ var EndTime= new Date('2021/09/28 00:00:00'); var NowTime = new Date(); var t =EndTime.getTime() - NowTime.getTime(); var d=Math.floor(t/1000/60/60/24); var h=Math.floor(t/1000/60/60%24); var m=Math.floor(t/1000/60%60); var s=Math.floor(t/1000%60); document.getElementById("td").innerHTML = d + " Day "; document.getElementById("th").innerHTML = h + " Hour "; document.getElementById("tm").innerHTML = m + " Min "; document.getElementById("ts").innerHTML = s + " Sec "; } setInterval(getRTime,1000); </script> <hr></hr> <p>You can contact us with the following email: <p><a href="mailto:uteco@atomsilo.com"><span class="info">Email:uteco@atomsilo.com </span></a></p> <p>If this email can't be contacted, you can find the latest email address on the following website:</p> <p><span class="info"><a href="http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion" target="_blank">http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion</a></span></p> <hr> <p>If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser:</p> <ol> <li>run your Internet browser</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER</li> <li>wait for the site loading</li> <li>on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed</li> <li>run TorBrowser</li> <li>connect with the button "Connect" (if you use the English version)</li> <li>a normal Internet browser window will be opened after the initialization</li> <li>type or copy the address in this browser address bar and press ENTER</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or use of TorBrowser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use.</p> <hr> <p><strong>Additional information:</strong></p> <p>You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files.</p> <p>The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files.</p> <p>Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.</p> </div> <span class="h">AESKEY</span> </body> </html>a:<asf>banVI9v7U9w8/0Up7mwLsQznz+fvMSpii9QegtNo2Jt+gTTHlmQMeZyl00c3I3EdxrTk4v5xyPM3C7IKaLjp+w4MP9N0rGj74zb6Oqm8jboiVswnisrZ7gaW5VLjC99hKW9FN2nMXrTHH9JBArPjdSxNXFghqUUh7xJoDSC5d66x9r/b7tChmQBfMEU15VmdNsRW/mmmM5ikgKh5wsZrDV63N3cMgRxGsvAH7MD882VjM9mcyCvWgNuTCemdDlvY5eI+/gNBvr/QMeO+BKKWZoEydRjm4O/7/0NI+qglMpPwIpvVxoOPrV3Q1qwNZbeBGnGxYUOmiQQn8jdD0J6ErMWu42RKMBXn47w6Tk9x2a0+uJxWtwV0aatpwWv+TgCFktLUcRsK3eviK5H81w+xQUjjCdzmpvn2MUQnqCoUNDw9ocJH8+910M9G/eGaKOJfKDaQyUQpos38qeH5akmneDzLbZo8sXUCvBXDFsQpxhaPTe7OyKM57OHG67DUTntTaGZFzQVt/V6rmimWTwJWFdc1eiQ/KXUKy7cQc7CAeKsVTIV3lsUfTkzViJ5N0bxduUMPwJIyg1vjlcSe1OdP4aYDj1iFnnAw/DY+YSExQUu6gzSXNd1z63uJHPJYWCh2TT2OKrk8qYLJOsllSi1aZQnGLB/iT7yJAkBQzZdHgVYpZPL3VwYm7zJ6IHsLKN4AkB01Z6rlpZITxXx+KPTLawobarXxn4cU9gX0UcZSil+pXbKlv2g59GfSI++yCoPDcmDWdDDpEpmWx06gMmw4wl/96d1yUM/rg/uA5z2pWjb9cqZbeSr3eaQVkMNZvyOypm/H/BoGf8hWJTYEBP7gafGrqkhmgW3Os9Fz5QX+9r+dG2/qCGVz0u722hJhTd2/i2mv1jGJ7QgA7aDEjaGygrFmLvaWPANQj8zD4fKAcQ8fC2Nb0fj1OodS6jpLIleJ4TRW458tFbqJdg8SoDTALVAOoWbpHmuFoLqg+RCVEymP+PrPZEhhJ6F3J6XHmelqvWtq9vVk0lUfJMmHh7jYJGLaj6yQhT+xkGwTD6kfF3Yy8YX13581WFlDpe5IqMnR8KjSZOM5z2vNlZD9iLsQNPvVrKSP7QiVFoyBP/grbUoCO0gWjRjxs4Rg8GuIsb9su+xgFo1BufiGr8MaGWLwcvq2jA6QqnxxcAEOzuPnZTopylZ5mKG8j8wUapkJDzD9a855RCZ6Upirp+U4lIk7iLSvm1EbIUa+2LmEfl5uiST1jxHot74OU84+T6Obltnh2yqL4fY+OwjMHnMq3OZ+9OQ2IIMy1KgwMsKshNYqYu+HSLUK+OmA/9/mAYtHbEXJq1jgWCFQ1fT0gIkTZXAPxCp5OtYy5T6HiHd2nrtAMOtQl9lmDl4geBX7k7VCutWddE6/CojcUoq+mFFhR2zuWrx0wsx7H66MnhFClXwae+ei5hSvj1noDe8Yi7M7wFEPlH490ixX/qk01B6S9Bh1my5OlSg6FbxDPMUvAoMEyN8tUthppmaI/m/LDau4E15DU3i9TPvXipIQVSX1+2PasJ/Qh37XPEZ4nYUQJUnjLPzAJyY0bj4N3SbQ1GRobcncS4OzsaXa8451Bq/AREM+T146N0FuV6TXj3Y1Ferfk8X9fHQh6aotPloxMlWgJk2pWyd6YKYXDRG9Cmz/fAMML/NchdYD+5i1ZMvPbYphMLMWl9d9kCinCLBeYfMFnOOqQc/IzIBf/5u8ZxWBti0yKSY0kr5LHbQdxb3SMlC6paUK8MPdsmJGF8FXvccNzhSQOODQKRCjUMoFhgDyXachXp0SjkCXvFGaD8FQR+kpOlZVwpKqHKauyEXbw1bsqgdE/mcl/nwtVIA3y4nYkQD+A1GdRC67Q3f65Gl++LP2yTE9hhvijdqHx9TjpQbYTzz5Q2zR6Vz1zevoGel0o5TfBP3+SJh3cS4+e0H0HMwfjFeUF/fvUTidGFNSsnGcgIIZR9Z0cLPC/2NCc1ViBpsXJk+KyKyGVpOcIz5BW6r0fIesErVLOUqhw+H7+4FTFISFShH8ukPUQXUauzzji5SrWxlol3AVCaBeDFPv+09ljnlaRwO9+YJtrsE3xC6UUHNiQJhttLmjTKv2oIM3kG54XWXgYNoeSqZN5PQNuzuaiOfMbkCBsRWzLERDCp9XEeO73fYNBdLeX5Umpd9PqJdy33AaKr9kljzU3F5zC/lEg9FU/e8mgwAP3ClDuo47YUydozEg6gT1GTqqojARKWT+yf7Vhkrx9pkGrhZHD0OJh7vsHQQmdop8ERMW7SSrtTq9530OFaF5B6TW021qDJ/lgFYTmOObSmEbDQ+7br8LD5nbr2nc1q23ErAH20TuinRWAG4P2UH63t+euLQbKvtQLcdFgRweVf4EHXGpk5rX+yWhDwT2RSFpjASn+SUQe+s4K+faBDjp0ztBfgbQZooicpbgu7+Kzj0vE+cBgPhpgCiclzrbx+0QADdajLXSStI+stQ1Bj2ENiLbX6DU3URczmrjsZ+Li5KSszD9dy97xwLtPDiHGd7gg0+Ns1P3Q729UOP9rtdDIO3r/6crdK9rozjFaJGaCTS8v/lwDfVT0RqCSDeBEftCTJ2kyDNnNb+UoC+nO6KdA6oIDP/+ZFmXrPWpMcWVukJlS8bMcV5IWQAnyidetK5FBCgTeevBVY9DySvaOrP7IyC0VIhVKgQyKQTrJRP3TU3v6akNeM2cJN6CvNIRc7vWNW2WioHuMRY2kVkty95TpGKcvodeNytHLxwjIUWT14xWWbowwcSPFHDV9aIlUXLK+GdtUTZ5ftVKO4D7yiz1exBab37zEPZWS8we5BC+cTp1EZHUKgv5CuhgTDAQ+AyFjj8lIgxOcImOOuOfyKE63W8MKN9munevt0xeiP0yk/5YlBxaP7CdVX2Q7/MjMjuzyBL1teeSLHBEpb/56ewPEsGCj12tBueauEtQS/pnUOfFF6v4PgkL5AcWKDp+NzH05/AXKLbG4qEdpsa7oXlOhNOScZRJJE7zr5zd2/TzlJbkZBg1mV7O/UoScFAkjewPw8/H+YYdJs/GYhhGdJsARaadTj+Fad5q9WQp2BLYWxLD9Ho6MbrajShl9C96wjlHZFIsMOiQQZA3uagoU+g/tFaqS/oXs+R+D1YIvkfu2EcGcOBZJnwzjORSrF47CY05gW+zRfgm8RRttkUDNP05lbHM8kw0Lh9pAKHwkDyDxEhgIE4mIjwm2xloK8ZEaTHIDI199ci5MbxXtZ2HteymBPOBx8o2e8FatEqDQqmDNkXjjPWtRGqOkf0pQaOqkjUXTBncO+ELq8AVyNpk66d93SX5qbIpmYOv0vqaFZ1Ed++lLToc73SAKXfE6wXhdYzEeaFZde8G6UGIe+iYfbk2lvxyTjBrmG9D6m3eanhHW0rflNUMlF3h69pDPmg6D+TiuTt22tqXBd5NiaHUijIKyy6cXIKVuz690oft4X+qQXxExM1fPvEkBGJhc5qVrmuUrrYQgQuHdSFdWtz9HpgqMcZKg1NOrISLMLbVjy7B/pjFiW9gmv0MWXlzQYDMs9cCGlNvncCidXEzlY3xLj61tszsk3hKcqBblIFAGsKg+pYFPSE9E2tOKagjMf9SmBEHd81b0ru1AIxlQ04iK3lIo600VULJZkKQdvJkhSVQL2bkoeYGlecg83YxEtzqQNrcwRQPn9xPrBkW8d8Tq9lQlpu1gpmx6Dq/gvUN+/5L7BaWB9oxmczij4W5pgNnM6i3FOPt+o49ZYCSQc7kQGhEp65yfN3e7xjBBtPSUlHAUvbO9f6kcAuZJNIsX+0oD1532dVVGlMOZ92FNWmZndrMDr+Ab9LrZmRyNbdTVwYfQUC/Jl5gyXISOyagPZN0y7s6t+/fhnSulZR9ojyr+ip6zfKP18/njRqySYPrem2mnoCoiPXadHq+J9gqkK7ygvnTn9nf6bkkYZAjaE0fxNQ7CTJqKNvAYONwmG4bTTmblrrMbcazSgl3N7SzXM/enuoHsGvR4YyD4dYaxPbUcZD3iquRlnZRAtgOCae0bAbim7AD5TYy/HRh3q/J5K3wIZkLUnCvFD3uLhab</asf><csf>3</csf><pub>MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAlxVq1cMd5947wxwJv2q7I7P7aRD/8dJQ4otaZhSf0FjaqE0hluiGn/Z1GGqoygpP772BuTcCBboJR8TUfMwp5SZd/uQZuCkV1WMYVqmBwjp07Y91y7wXTPH/q2S6TxT/UIjHwEBNm0ZOwc0+mXSHU8sVwCp8y5jIVEVDL3NbWhwPJuLLM3XXSdfwyp/ZkoW0QNP5ZB1cfuq8Z0bK1fG3RoAQgF8C+ACX//E7wjyuLrOy8H4zjQk8dlRfEIHOqglfxcfM/4KwhweaVtJ9Fe63fARiW+NvRRFfJxYOuKxdWqWtHljlZxnHQfj/9j/vZtIvfemqZ61+D+jHL0VblNRaABY/Jo7DfKLIdkUjAEiZF2uu2u1T8164o6rgvqNj0pPPIvUYtjc0KpeIJUq98Ba1TwHxvfthJJpKn2Aqo7Wrj79PUnzGaUZs7QOyXdNHWReCiuFZQnsAYCStdWXEhF9rEPd1PNRIpgcymgY5A9rwquptoolIbiCbuLnXd5H3ecFparmd5miezNGAB4vmr1V4+nEyuRkhU7cof4HHb3UvL4sfT0pwfIVfRypvKOjxHU4jpUCI/5UjFCg2LO0OEQJFKgrDtVzq2maZgOgnFhF54WTmxd2p7o1r42QOGB2h18fdKuB5AmCdcwlNHo5xQAziC18tXq/9vZB380uQeOkCf78CARE=</pub><bsf>YJTUIPJF</bsf></span></body></html>
Emails

href="mailto:uteco@atomsilo.com"><span

class="info">Email:uteco@atomsilo.com

Extracted

Path

C:\Users\Admin\Desktop\README-FILE-YJTUIPJF-1630767067.hta

Family

atomsilo

Ransom Note
Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 200000 dollars . If you pay within 48 hours, you only need to pay 50% off dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on September 28 Survival time: You can contact us with the following email: Email:uteco@atomsilo.com If this email can't be contacted, you can find the latest email address on the following website: http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. AESKEY a:
Emails

Email:uteco@atomsilo.com

URLs

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Extracted

Path

C:\Users\Public\ATOMSILO-README.hta

Family

atomsilo

Ransom Note
Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 200000 dollars . If you pay within 48 hours, you only need to pay 50% off dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on September 28 Survival time: You can contact us with the following email: Email:uteco@atomsilo.com If this email can't be contacted, you can find the latest email address on the following website: http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. AESKEY
Emails

Email:uteco@atomsilo.com

URLs

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Signatures

  • AtomSilo

    Ransomware family first seen in September 2021.

  • Drops startup file 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe
    "C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SYSTEM32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
        PID:2056
      • C:\Windows\SYSTEM32\mshta.exe
        mshta "C:\Users\Public\ATOMSILO-README.hta"
        2⤵
          PID:2232
        • C:\Windows\SYSTEM32\mshta.exe
          mshta "C:\Users\Public\ATOMSILO-README.hta"
          2⤵
            PID:4324
          • C:\Windows\SYSTEM32\mshta.exe
            mshta "C:\Users\Public\ATOMSILO-README.hta"
            2⤵
              PID:2064
            • C:\Windows\SYSTEM32\mshta.exe
              mshta "C:\Users\Public\ATOMSILO-README.hta"
              2⤵
                PID:2952
              • C:\Windows\SYSTEM32\mshta.exe
                mshta "C:\Users\Public\ATOMSILO-README.hta"
                2⤵
                  PID:2848
                • C:\Windows\SYSTEM32\mshta.exe
                  mshta "C:\Users\Public\ATOMSILO-README.hta"
                  2⤵
                    PID:2400
                  • C:\Windows\SYSTEM32\cmd.exe
                    cmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3184
                    • C:\Windows\system32\PING.EXE
                      ping 127.0.0.1 -n 6
                      3⤵
                      • Runs ping.exe
                      PID:4888
                  • C:\Windows\SYSTEM32\mshta.exe
                    mshta "C:\Users\Public\ATOMSILO-README.hta"
                    2⤵
                      PID:3136
                    • C:\Windows\SYSTEM32\mshta.exe
                      mshta "C:\Users\Public\ATOMSILO-README.hta"
                      2⤵
                        PID:4796
                      • C:\Windows\SYSTEM32\mshta.exe
                        mshta "C:\Users\Public\ATOMSILO-README.hta"
                        2⤵
                          PID:2864
                      • C:\Windows\SysWOW64\mshta.exe
                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\README-FILE-YJTUIPJF-1630767067.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                        1⤵
                          PID:1468
                        • C:\Windows\system32\LogonUI.exe
                          "LogonUI.exe" /flags:0x4 /state0:0xa3a5f855 /state1:0x41c64e6d
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of SetWindowsHookEx
                          PID:680

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Discovery

                        Remote System Discovery

                        1
                        T1018

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\Desktop\README-FILE-YJTUIPJF-1630767067.hta
                          MD5

                          026d20369d9d0955f8fc36132bdab68c

                          SHA1

                          aa0823dddfaf4fa1fefac6b848c29fcd23f6e231

                          SHA256

                          4c2f8046e9a64de770649c7ffb76ab9f59ad821f80352beaad03e0c2b4b6eaa8

                          SHA512

                          802e9636c71514276fa9f62cbb569b44ca70170c5b06779d9eeaf5ebb94141d69e46d590852c731cbf7122d904ce16154e9fbf41d1ce652187b3468f9c73b1c0

                        • C:\Users\Public\ATOMSILO-README.hta
                          MD5

                          aa93d342bd0f81cc147de7a280e022b2

                          SHA1

                          d6d2ae4def8fa1414faba0cdbc031b5919bb43f9

                          SHA256

                          a87a80d452899f4c98aee55cefcce897faca567e8e9763ed20f41f7dc7b48071

                          SHA512

                          aeed5f93daebbec7241719a6903e0463e9d204f699d317adb498c6262dbecf61d68b1f77f6ec369ee45fe703a849086fbd407247fb021350fcec6a8b0950f375

                        • memory/2056-146-0x0000000000000000-mapping.dmp
                        • memory/2064-150-0x0000000000000000-mapping.dmp
                        • memory/2232-147-0x0000000000000000-mapping.dmp
                        • memory/2400-154-0x0000000000000000-mapping.dmp
                        • memory/2848-153-0x0000000000000000-mapping.dmp
                        • memory/2864-149-0x0000000000000000-mapping.dmp
                        • memory/2952-152-0x0000000000000000-mapping.dmp
                        • memory/3136-155-0x0000000000000000-mapping.dmp
                        • memory/3184-156-0x0000000000000000-mapping.dmp
                        • memory/4324-148-0x0000000000000000-mapping.dmp
                        • memory/4796-151-0x0000000000000000-mapping.dmp
                        • memory/4796-159-0x0000028448088000-0x0000028448090000-memory.dmp
                          Filesize

                          32KB

                        • memory/4888-157-0x0000000000000000-mapping.dmp