Analysis

  • max time kernel
    160s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    20-03-2022 22:38

General

  • Target

    tmp.exe

  • Size

    5.6MB

  • MD5

    8553fce61d3e5901ac350a295ea9ab43

  • SHA1

    a0a153fe479ced746588ad6d8507feae48a8faf7

  • SHA256

    2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877

  • SHA512

    e945653a21e6b8c9c47061634c5f99e93ad9fa0d532a2091af01e345f82ebf3bde6932b56bb453fac6e7489a4e94d0480fe1687270ca6a8aa51e945615c37ad8

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\pss.txt

Family

prometheus

Ransom Note
!!!admin !!!admin!!! !!!Admin!!! !!!ADMIN!!! !!!administrator !!!h!!! !!!it!!! !!!pass !!!password !!!PASSWORD!!! !!@@##qqwwee !!xxx!! !@#$%^&*!. !@#$%^&*!@ !@#$%^&*.! !@#$%^&*.@ !@#$%^&*@! !@#$%^&*@. !@#$%^&*11 !@#$%^&*12 !@#$%^&*1234 !@#$%^&*12345 !@#$%^&*2005 !@#$%^&*2006 !@#$%^&*22 !@#$%^&*44 !@#$%^&*55 !@#$%^&*88 !@#$%^&*99 !@#$%2010 !@#$%54321 !@#$1234!@#$1234 !@#.abc !@#123-pass !@#321qwe !@#ABC!@# !@#Asdzxc !@#germany !@#Paris !@#qwe$%^rty !@#Qweasd !@#RTY&*( !@#rty^%$ !@#RTY^%$ !@#rty789 !@#Serveradmin !@#Servidor !@123456 !@dmin !@dmin123 !1@dmin !123@dmin !1234dmin !123abc !123Abc !123ABC !123adm1n !123Adm1n !123aDmin !123Admin !123asdf !123Asdf !123dell !123p@ssw0rd !123P@ssw0rd !123p@ssword !123P@ssword !123p4ssw0rd !123P4ssw0rd !123p4ssword !123P4ssword !123pa$$w0rd !123Pa$$w0rd !123pa$$word !123Pa$$word !123pa55word !123Pa55word !123pass@word !123Pass@word !123passw0rd !123passw0rD !123Passw0rd !123Passw0rD !123password !123passworD !123Password !123PassworD !123qaz !123Qaz !123Qaz@wsx !123qaz2wsx !123qazwsx !123Qazwsx !123Qwe !123qwer !123Qwer !123us$er !123user !123User !123Wsx !123Zxc !123Zxcv !14dmin !1abc !1Abc !1ABC !1adm1n !1Adm1n !1admin !1aDmin !1Admin !1asdf !1Asdf !1p@ssw0rd !1P@ssw0rd !1p@ssword !1P@ssword !1p4ssw0rd !1P4ssw0rd !1p4ssword !1P4ssword !1pa$$w0rd !1Pa$$w0rd !1pa$$word !1Pa$$word !1pa55word !1Pa55word !1pass@word !1Pass@word !1passw0rd !1passw0rD !1Passw0rd !1Passw0rD !1password !1passworD !1Password !1PassworD !1Qaz@wsx !1qazwsx !1Qazwsx !1qwe !1Qwe !1qwer !1Qwer !1us$er !1user !1User !1Wsx !1Zxc !1Zxcv !2345678 !23America !4dmin !4dmin123 !A2s#D4f !A3d@S4f !aA1 !Aa1 !aA12 !Aa12 !aA123 !aA1234 !Aa1234 !aA12345 !Aa12345 !aA123456 !aA1234567 !Aa1234567 !Aa12345678 !aA123456789 !Aa123456789 !aA12354678 !abc !Abc !ABC !Access123 !Access12345 !Access123456 !adm!n123 !adm1n !Adm1n !adm1n123 !aDmin !admin@pass !administrator !asdf !Asdf !az@sx !Change123 !Change12345 !Change123456 !Changeme123 !Changeme12345 !Changeme123456 
!Hello123 !Hello12345 !Hello123456 !Master123 !Master12345 !Master123456 !n@123@123 !nd!@123 !nd!@1234 !nd!@12345 !nd!a@123 !nd!a@1234 !nd!a@12345 !nd!a123 !nd1@123 !nd1@1234 !nd1@12345 !nd1a@123 !nd1a@1234 !nd1a@12345 !nd1a123 !ndi@123 !ndi@1234 !ndi@12345 !ndia@123 !ndia@1234 !ndia@12345 !ndia123 !NTERNET !ovh !p@$$ !P@$$ !p@ss !P@ss !p@ssword !P30 !p4ssw0rd !P4ssw0rd !p4ssword !P4ssword !pa$$word !pa55word !Pa55word !Pass !pass@word !Pass@word !pass123 !Pass1234 !passw0rD !Passw0rD !passworD !PassworD !Q@W#E4r !Q@W#E4r5t6y !q1 !q12 !q123 !q1234 !q12345 !q1234567 !q12345678 !q123456789 !Q2w#E4r%T6y !Q2w3e4r5t^Y !Q4r@W3e !qa@WS !QA@ws !qa@ws#ed !QA2ws !QA2WS !qasdr% !QASDR% !QASW@ !qaz!edc !qaz!rfv !QAZ@WSX_PLM)OKN !qaz_plm !QAZ_PLM !QAZ1qaz@WSX2wsx !qaz2w$x !qaz2w5x !QAZ2was !QAZ2wsx- !QAZ2wsx#ED4rfv !QAZ3edc%TGB !qazplm !QAZs !QAZx !QAZxs2w !QAZXSW@#EDCvfr4 !QAZXSW@3edcvfr4 !Qwe !qwer !Qwer !Server123 !Server12345 !Server123456 !Start123 !Start12345 !Start123456 !Temp123 !Temp12345 !Temp123456 !Test123 !Test12345 !Test123456 !W@Q1w2q !Windows123 !Windows12345 !Windows123456 !Wsx !Z@X3c4v !Z@XQAWS !Z2x#C !Z2x#C4v !Zxc "admin" "Ovh" "password" #$%admin #$ERDFCV #@dmin #1@dmin #123@dmin #1234dmin #123abc #123Abc #123ABC #123adm1n #123Adm1n #123aDmin #123asdf #123Asdf #123p@ssw0rd #123P@ssw0rd #123p@ssword #123P@ssword #123p4ssw0rd #123P4ssw0rd #123p4ssword #123P4ssword #123pa$$w0rd #123Pa$$w0rd #123pa$$word #123Pa$$word #123pa55word #123Pa55word #123pass@word #123Pass@word #123passw0rd #123passw0rD #123Passw0rd #123Passw0rD #123password #123passworD #123Password #123PassworD #123qaz #123Qaz #123Qaz@wsx #123qaz2wsx #123qazwsx #123Qazwsx #123qwe #123Qwe #123qwer #123Qwer #123us$er #123user #123User #123Wsx #123Zxc #123Zxcv #14dmin #1abc #1Abc #1ABC #1adm1n #1Adm1n #1aDmin #1Admin #1asdf #1Asdf #1p@ssw0rd #1P@ssw0rd #1p@ssword #1P@ssword #1p4ssw0rd #1P4ssw0rd #1p4ssword #1P4ssword #1pa$$w0rd #1Pa$$w0rd #1pa$$word #1Pa$$word #1pa55word #1Pa55word #1pass@word 
#1Pass@word #1passw0rd #1passw0rD #1Passw0rd #1Passw0rD #1password #1passworD #1Password #1PassworD #1qaz #1Qaz #1Qaz@wsx #1qaz2wsx #1qazwsx #1Qazwsx #1qwe #1Qwe #1qwer #1Qwer #1us$er #1user #1User #1Wsx #1Zxc #1Zxcv #3admin #3Admin #4dmin #abc #Abc #ABC #Access123 #Access12345 #Access123456 #adm1n #Adm1n #admin #aDmin #Admin #Admin123 #admin12345 #Admin12345 #admin123456 #Admin123456 #admin2 #Admin2 #ame #asdf #Asdf #Change123 #Change12345 #Change123456 #Changeme123 #Changeme12345 #Changeme123456 #d1a@S #edc #edfgy& #EDFGY& #five #Hello123 #Hello12345 #Hello123456 #Master123 #Master12345 #Master123456 #one #p@ssw0rd #P@ssw0rd #p@ssword #P@ssword #p4ssw0rd #P4ssw0rd #p4ssword #P4ssword #pa$$w0rd #Pa$$w0rd #pa$$word #Pa$$word #pa55word #Pa55word #pass@word #Pass@word #passw0rd #passw0rD #Passw0rD #passworD #Password #PassworD #qaz #Qaz #Qaz@wsx #qaz2wsx #qazwsx #Qazwsx #qwe #Qwe #qwer #Qwer #Server123 #Server12345 #Server123456 #Start123 #Start12345 #Start123456 #Temp123 #Temp12345 #Temp123456 #Test123 #Test12345 #Test123456 #three #two #u$er#123 #u5er#123 #us$er #us3r#123 #user #User #W@E3w2e #W2e#W2e #WE@3we2 #Windows123 #Windows12345 #Windows123456 #Wsx #Zxc #Zxcv $#@!qwer $#@!qwerfdsa $#REFDVC $%^admin $%^RTY $%gfRTbv $%RTFGVB $@dmin $@msung $1@dmin $123@dmin $1234dmin $123abc $123Abc $123ABC $123adm1n $123Adm1n $123aDmin $123Admin $123asdf $123Asdf $123p@ssw0rd $123P@ssw0rd $123p@ssword $123P@ssword $123p4ssw0rd $123P4ssw0rd $123p4ssword $123P4ssword $123pa$$w0rd $123Pa$$w0rd $123pa$$word $123Pa$$word $123pa55word $123Pa55word $123pass@word $123Pass@word $123passw0rd $123passw0rD $123Passw0rd $123Passw0rD $123password $123passworD $123Password $123PassworD $123qaz $123Qaz $123Qaz@wsx $123qaz2wsx $123qazwsx $123Qazwsx $123qwe $123Qwe $123qwer $123Qwer $123us$er $123user $123User $123Wsx $123Zxc $123Zxcv $14dmin $1abc $1Abc $1ABC $1adm1n $1Adm1n $1aDmin $1Admin $1asdf $1Asdf $1p@ssw0rd $1P@ssw0rd $1p@ssword $1P@ssword $1p4ssw0rd $1P4ssw0rd $1p4ssword $1P4ssword 
$1pa$$w0rd $1Pa$$w0rd $1pa$$word $1Pa$$word $1pa55word $1Pa55word $1pass@word $1Pass@word $1passw0rd $1passw0rD $1Passw0rd $1Passw0rD $1password $1passworD $1Password $1PassworD $1qaz $1Qaz $1Qaz@wsx $1qaz2wsx $1qazwsx $1Qazwsx $1qwe $1Qwe $1qwer $1Qwer $1us$er $1user $1User $1Wsx $1Zxc $1Zxcv $3r73r@qw3 $3r73r@qwe $4dmin $abc $Abc $ABC $Access123 $Access12345 $Access123456 $adm1n $aDmin $Admin1 $admin12 $admin123 $Admin123 $admin12345 $Admin12345 $admin123456 $Admin123456 $amsung $asdf $Asdf $Change123 $Change12345 $Change123456 $Changeme123 $Changeme12345 $Changeme123456 $E#R2qw1 $en@t0r $en@t0r@1 $en@t0r@2016 $er73r@qw3 $er73r@qwe $erver! $erver!@# $erver!@#123 $erver!1 $erver!123456 $erver!1234567 $erver!12345678 $erver!123456789 $erver!1980 $erver!1981 $erver!1982 $erver!1983 $erver!1984 $erver!1985 $erver!1986 $erver!1987 $erver!1988 $erver!1989 $erver!1990 $erver!1991 $erver!1992 $erver!1993 $erver!1994 $erver!1995 $erver!1996 $erver!1997 $erver!1998 $erver!1999 $erver!2000 $erver!2001 $erver!2002 $erver!2004 $erver!2005 $erver!2006 $erver!2007 $erver!2009 $erver!2010 $erver!2011 $erver!2012 $erver!2013 $erver!2016 $erver!2017 $erver!2018 $erver!2019 $erver!2020 $erver# $erver#@! 
$erver#@!123 $erver#1 $erver#123456 $erver#1234567 $erver#12345678 $erver#123456789 $erver#1980 $erver#1981 $erver#1982 $erver#1983 $erver#1985 $erver#1986 $erver#1987 $erver#1988 $erver#1989 $erver#1990 $erver#1991 $erver#1992 $erver#1993 $erver#1994 $erver#1995 $erver#1996 $erver#1997 $erver#1998 $erver#1999 $erver#2000 $erver#2001 $erver#2002 $erver#2004 $erver#2005 $erver#2006 $erver#2007 $erver#2009 $erver#2010 $erver#2011 $erver#2012 $erver#2013 $erver#2016 $erver#2017 $erver#2018 $erver#2019 $erver#2020 $erver$ $erver$1 $erver$123456 $erver$1234567 $erver$12345678 $erver$123456789 $erver$1980 $erver$1981 $erver$1982 $erver$1983 $erver$1984 $erver$1985 $erver$1986 $erver$1987 $erver$1988 $erver$1989 $erver$1990 $erver$1991 $erver$1992 $erver$1993 $erver$1994 $erver$1995 $erver$1996 $erver$1997 $erver$1998 $erver$1999 $erver$2000 $erver$2001 $erver$2002 $erver$2004 $erver$2005 $erver$2006 $erver$2007 $erver$2009 $erver$2010 $erver$2011 $erver$2012 $erver$2013 $erver$2016 $erver$2017 $erver$2018 $erver$2019 $erver$2020 $erver.123 $erver.1234 $erver.12345 $erver.123456 $erver.1234567 $erver.12345678 $erver.123456789 $erver.1980 $erver.1981 $erver.1982 $erver.1983 $erver.1984 $erver.1985 $erver.1986 $erver.1987 $erver.1988 $erver.1989 $erver.1990 $erver.1991 $erver.1992 $erver.1993 $erver.1994 $erver.1995 $erver.1996 $erver.1997 $erver.1998 $erver.1999 $erver.2000 $erver.2001 $erver.2002 $erver.2003 $erver.2004 $erver.2005 $erver.2006 $erver.2007 $erver.2008 $erver.2009 $erver.2010 $erver.2011 $erver.2012 $erver.2013 $erver.2014 $erver.2015 $erver.2016 $erver.2017 $erver.2018 $erver.2019 $erver.2020 $erver@ $erver@1 $erver@111 $erver@111# $erver@123# $erver@123456 $erver@1234567 $erver@12345678 $erver@123456789 $erver@1980 $erver@1981 $erver@1982 $erver@1983 $erver@1984 $erver@1985 $erver@1986 $erver@1987 $erver@1988 $erver@1989 $erver@1990 $erver@1991 $erver@1992 $erver@1993 $erver@1994 $erver@1995 $erver@1996 $erver@1997 $erver@1998 $erver@1999 $erver@2000 
$erver@2001 $erver@2002 $erver@2004 $erver@2005 $erver@2006 $erver@2007 $erver@2009 $erver@2010 $erver@2011 $erver@2012 $erver@2013 $erver@2016 $erver@2017 $erver@2018 $erver@2019 $erver@2020 $erver@222 $erver@222# $erver@333 $erver@333# $erver_123 $erver_1234 $erver_12345 $erver1! $erver1# $erver1$ $erver1@ $erver-123 $erver123! $erver123!# $erver123# $erver123$ $erver123. $erver123@ $erver-1234 $erver1234! $erver1234# $erver1234@ $erver-12345 $erver12345! $erver12345# $erver12345@ $erver123456 $erver123456! $erver123456# $erver123456@ $erver1234567 $erver1234567! $erver1234567# $erver1234567@ $erver12345678 $erver12345678! $erver12345678# $erver12345678@ $erver123456789 $erver123456789! $erver123456789# $erver123456789@ $erver1980! $erver1980# $erver1980@ $erver1981! $erver1981# $erver1981@ $erver1982! $erver1982# $erver1982@ $erver1983! $erver1983# $erver1983@ $erver1984! $erver1984# $erver1984@ $erver1985! $erver1985# $erver1985@ $erver1986! $erver1986# $erver1986@ $erver1987! $erver1987# $erver1987@ $erver1988! $erver1988# $erver1988@ $erver1989! $erver1989# $erver1989@ $erver1990! $erver1990# $erver1990@ $erver1991! $erver1991# $erver1991@ $erver1992! $erver1992# $erver1992@ $erver1993! $erver1993# $erver1993@ $erver1994! $erver1994# $erver1994@ $erver1995! $erver1995# $erver1995@ $erver1996! $erver1996# $erver1996@ $erver1997! $erver1997# $erver1997@ $erver1998! $erver1998# $erver1998@ $erver1999! $erver1999# $erver1999@ $erver2000! $erver2000# $erver2000@ $erver2001! $erver2001# $erver2001@ $erver2002! $erver2002# $erver2002@ $erver2003! $erver2003# $erver2003@ $erver2004! $erver2004# $erver2004@ $erver2005! $erver2005# $erver2005@ $erver2006! $erver2006# $erver2006@ $erver2007! $erver2007# $erver2007@ $erver2008! $erver2008# $erver2008@ $erver2009! $erver2009# $erver2009@ $erver2010! $erver2010# $erver2010@ $erver2011! $erver2011# $erver2011@ $erver2012! $erver2012# $erver2012@ $erver2013! $erver2013# $erver2013@ $erver2014! 
$erver2014# $erver2014@ $erver2015! $erver2015# $erver2015@ $erver2016! $erver2016# $erver2016@ $erver2017! $erver2017# $erver2017@ $erver2018! $erver2018# $erver2018@ $erver2019! $erver2019# $erver2019@ $erver2020! $erver2020# $erver2020@ $erverovh $esz%rdx $ESZ%RDX $ESZ%RDX^TFC $ESZ%RDX^TFC&YGV $ESZ%RDX6tfc7ygv $esz5rdx $ESZ5rdx^TFC7ygv $eszxdr%^tfc $ESZXDR%^TFCVGY& $ESZxdr5^TFC $ESZxdr5^TFCvgy7 $ESZxdr5cft6 $Hello123 $Hello12345 $Hello123456 $Master123 $Master12345 $Master123456 $nigol$ $nn$ $ovh $p@ssw0rd $P@ssw0rd $p@ssword $P@ssword $p4ssw0rd $P4ssw0rd $p4ssword $P4ssword $pa$$w0rd $Pa$$w0rd $pa$$word $Pa$$word $pa55word $Pa55word $pass@word $Pass@word $passw0rd $passw0rD $Passw0rd $Passw0rD $passworD $Password $PassworD $Password1 $Qaz $Qaz@wsx $qaz2wsx $qazwsx $Qazwsx $Qwe $qwer $Qwer $RDCVFE# $rfv $RGB%TFV $Server123 $Server12345 $Server123456 $Start123 $Start12345 $Start123456 $Temp123 $Temp12345 $Temp123456 $Test123 $Test12345 $Test123456 $uperm@n $uperman $upp0rt!!!111 $upp0rt!!!123 $upp0rt!@#123 $upp0rt!0 $upp0rt!01 $upp0rt!1 $upp0rt!123 $upp0rt!12345 $upp0rt!123456 $upp0rt!2000 $upp0rt!2003 $upp0rt!2008 $upp0rt!2012 $upp0rt!2016 $upp0rt!2017 $upp0rt!321 $upp0rt# $upp0rt###123 $upp0rt###333 $upp0rt#123 $upp0rt#12345 $upp0rt#123456 $upp0rt#2000 $upp0rt#2003 $upp0rt#2008 $upp0rt#2012 $upp0rt#2016 $upp0rt#2017 $upp0rt#321 $upp0rt$$$444 $upp0rt$123 $upp0rt$12345 $upp0rt$123456 $upp0rt$2000 $upp0rt$2003 $upp0rt$2008 $upp0rt$2012 $upp0rt$2016 $upp0rt$2017 $upp0rt$321 $upp0rt* $upp0rt***123 $upp0rt***888 $upp0rt*123 $upp0rt*12345 $upp0rt*123456 $upp0rt*2000 $upp0rt*2003 $upp0rt*2008 $upp0rt*2012 $upp0rt*2016 $upp0rt*2017 $upp0rt*321 $upp0rt. 
$upp0rt.123 $upp0rt.12345 $upp0rt.123456 $upp0rt.2000 $upp0rt.2003 $upp0rt.2008 $upp0rt.2012 $upp0rt.2016 $upp0rt.2017 $upp0rt.321 $upp0rt@ $upp0rt@@@123 $upp0rt@@@222 $upp0rt@123 $upp0rt@12345 $upp0rt@123456 $upp0rt@2000 $upp0rt@2003 $upp0rt@2008 $upp0rt@2012 $upp0rt@2016 $upp0rt@2017 $upp0rt@321 $upp0rt_0011 $upp0rt_123 $upp0rt_12345 $upp0rt_123456 $upp0rt_2000 $upp0rt_2003 $upp0rt_2008 $upp0rt_2012 $upp0rt_2016 $upp0rt_2017 $upp0rt_321 $upp0rt0! $upp0rt01! $upp0rt1! $upp0rt123! $upp0rt123!@# $upp0rt123# $upp0rt123$ $upp0rt123$%^ $upp0rt123* $upp0rt123. $upp0rt123.. $upp0rt123@ $upp0rt123_ $upp0rt123123 $upp0rt12345! $upp0rt12345# $upp0rt12345$ $upp0rt12345* $upp0rt12345. $upp0rt12345@ $upp0rt12345_ $upp0rt123456! $upp0rt123456# $upp0rt123456$ $upp0rt123456* $upp0rt123456. $upp0rt123456@ $upp0rt123456_ $upp0rt159753 $upp0rt2000 $upp0rt2000! $upp0rt2000# $upp0rt2000* $upp0rt2000@ $upp0rt2003 $upp0rt2003! $upp0rt2003# $upp0rt2003* $upp0rt2003@ $upp0rt2008 $upp0rt2008! $upp0rt2008# $upp0rt2008* $upp0rt2008@ $upp0rt2012 $upp0rt2012! $upp0rt2012# $upp0rt2012* $upp0rt2012@ $upp0rt2016 $upp0rt2016! $upp0rt2016# $upp0rt2016* $upp0rt2016@ $upp0rt2017! $upp0rt2017# $upp0rt2017$ $upp0rt2017* $upp0rt2017. $upp0rt2017@ $upp0rt2017_ $upp0rt321 $upp0rt654321 $upp0rt98 $upport! $upport!!!111 $upport!!!123 $upport!@#123 $upport!0 $upport!01 $upport!1 $upport!123 $upport!12345 $upport!123456 $upport!2000 $upport!2003 $upport!2008 $upport!2012 $upport!2016 $upport!2017 $upport!321 $upport# $upport###123 $upport###333 $upport#1 $upport#123 $upport#12345 $upport#123456 $upport#2000 $upport#2003 $upport#2008 $upport#2012 $upport#2016 $upport#2017 $upport#321 $upport$ $upport$$$444 $upport$123 $upport$12345 $upport$123456 $upport$2000 $upport$2003 $upport$2008 $upport$2012 $upport$2016 $upport$2017 $upport$321 $upport* $upport***123 $upport***888 $upport*123 $upport*12345 $upport*123456 $upport*2000 $upport*2003 $upport*2008 $upport*2012 $upport*2016 $upport*2017 $upport*321 $upport. 
$upport.123 $upport.12345 $upport.123456 $upport.2000 $upport.2003 $upport.2008 $upport.2012 $upport.2016 $upport.2017 $upport.321 $upport@ $upport@@@123 $upport@@@222 $upport@1 $upport@123 $upport@12345 $uppor
URLs

http

http!23

http1

http12

http123

http1234

httpd

httpd!@#$

httpd112233

httpd123

httpd1234

httpdroot

httpds

https

Signatures

  • Prometheus Ransomware

    Ransomware family that mostly targets the manufacturing industry and claims to be affiliated with REvil.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
      "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1172

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

    Filesize

    236KB

    MD5

    c0eebe72f6fe823e4280a1b31d74121e

    SHA1

    458cf7033bb63bcaee5b1be164d5c3249fbcde68

    SHA256

    e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb

    SHA512

    41ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e

  • C:\Users\Admin\AppData\Local\Temp\gentee00\cab2g.dll

    Filesize

    20KB

    MD5

    c09f5e1f26c8be68974e4a0d44f452f8

    SHA1

    4c81290a955319c06d132eeb502fa60c795a6332

    SHA256

    b38561fd94ca95d63cba361fb5ae2f8982796795b95284b9bde7d656a50c3ba1

    SHA512

    5b5dad5b7fc54ca1e438a72d3e7c71c7d0c562086b2041b15c9fa0f64e692a6af2dcd7f3fd5c01bd0ec269d5608e3f30db2a34faec1982cbeab2f0599c67e704

  • C:\Users\Admin\AppData\Local\Temp\gentee00\pauto.dll

    Filesize

    31KB

    MD5

    5395e2e30e9347d2292dc3b610163274

    SHA1

    f87597f156a460608b577da0bc4ab708d142104b

    SHA256

    492e67102db73433364b6a0163ce3a0f7e9d5d905033cc2fedca45a210c817cf

    SHA512

    73e50adf7d5967f617c0fcffa0fedbff2837f9582cf762fa62f59340e0b917354405dc5b0f15140b8bd1c719b6c23f66f338f523ac78be8ccfad5033c412783e

  • C:\Users\Admin\AppData\Local\Temp\pss.cab

    Filesize

    5.4MB

    MD5

    2a16f89dfaf79e0721812cd76ab1c2ca

    SHA1

    07c4d0a8a2bf6e1e0389019ecf86203363a80e32

    SHA256

    10bac24cd42801b44f7ad18ed955512176eceeda25dc2f4c8869d1b615214dc8

    SHA512

    79ffa6e2c7d4b0b227ecc676ce37332358eb5f89063f2266861110ceff000536e1bb1b705d4a73a545a3a34f58ec0dfa7a0c0b85bf01087e58e45bd16c8f04b1

  • memory/1172-139-0x0000000002660000-0x0000000002661000-memory.dmp

    Filesize

    4KB

  • memory/1172-142-0x00000000043D0000-0x00000000043D1000-memory.dmp

    Filesize

    4KB

  • memory/1172-141-0x00000000027D0000-0x00000000027D1000-memory.dmp

    Filesize

    4KB