c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae

General

Target

c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
Size

2.7MB
MD5

235c65d98cae9133afd6357bef878061
SHA1

cf5c6c1ce68dcd06152b29c763711ebcb25f45b0
SHA256

c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae
SHA512

e836e2a38ed2e01b4d391be9b5dabcdc52bee2d70dc64c495aaa541a5f53f92f93c125123aa734d56cd141dba71695e256b236659a058d47eb357c586a3ef354

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Unlock_All_Files.txt

Ransom Note

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Life <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : CEXBQIGGAKJPKMFB Contact : [email protected] or https://t.me/filedecrypt002 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You Can Learn How to Buy Bitcoin From This links Below https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins https://www.bestbitcoinexchange.io >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Emails

[email protected]

URLs

https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view

https://t.me/filedecrypt002

https://www.bestbitcoinexchange.io

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29B.GIF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200289.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSO.ACL.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSUCRES.DLL.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OFFXML.DLL.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INDOMAIN.ICO.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMCCore.dll.mui.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCRD98.POC.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[CEXBQIGGAKJPKMFB].encrypt	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1744 taskkill.exe
1096 taskkill.exe
676 taskkill.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1744 taskkill.exe
Token: SeDebugPrivilege 1096 taskkill.exe
Token: SeDebugPrivilege 676 taskkill.exe

pid	process
1744	taskkill.exe
1096	taskkill.exe
676	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.execmd.execmd.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1944 wrote to memory of 820	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 820	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 820	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 820 wrote to memory of 1744	820	cmd.exe	taskkill.exe
PID 820 wrote to memory of 1744	820	cmd.exe	taskkill.exe
PID 820 wrote to memory of 1744	820	cmd.exe	taskkill.exe
PID 1944 wrote to memory of 1996	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1996	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1996	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1996 wrote to memory of 1096	1996	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 1096	1996	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 1096	1996	cmd.exe	taskkill.exe
PID 1944 wrote to memory of 1760	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1760	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1760	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1760 wrote to memory of 676	1760	cmd.exe	taskkill.exe
PID 1760 wrote to memory of 676	1760	cmd.exe	taskkill.exe
PID 1760 wrote to memory of 676	1760	cmd.exe	taskkill.exe
PID 1944 wrote to memory of 1036	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1036	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1036	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 596	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 596	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 596	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1500	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1500	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1500	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1200	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1200	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1200	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1200 wrote to memory of 1476	1200	cmd.exe	attrib.exe
PID 1200 wrote to memory of 1476	1200	cmd.exe	attrib.exe
PID 1200 wrote to memory of 1476	1200	cmd.exe	attrib.exe
PID 1944 wrote to memory of 1672	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1672	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1672	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1672 wrote to memory of 524	1672	cmd.exe	net.exe
PID 1672 wrote to memory of 524	1672	cmd.exe	net.exe
PID 1672 wrote to memory of 524	1672	cmd.exe	net.exe
PID 524 wrote to memory of 1816	524	net.exe	net1.exe
PID 524 wrote to memory of 1816	524	net.exe	net1.exe
PID 524 wrote to memory of 1816	524	net.exe	net1.exe
PID 1944 wrote to memory of 1064	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1064	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe
PID 1944 wrote to memory of 1064	1944	c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1476 attrib.exe

pid	process
1476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
"C:\Users\Admin\AppData\Local\Temp\c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlservr.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlservr.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlceip.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlceip.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlwriter.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlwriter.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Admin\AppData /s /q"
  2⤵
  PID:1036
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Default\AppData /s /q"
  2⤵
  PID:596
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Public\AppData /s /q"
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +h +s Encrypt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\attrib.exe
    attrib +h +s Encrypt.exe
    3⤵
    - Views/modifies file attributes
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:1816
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\$Recycle.Bin /s /q"
  2⤵
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-66-0x0000000000000000-mapping.dmp

Download
memory/596-61-0x0000000000000000-mapping.dmp

Download
memory/676-59-0x0000000000000000-mapping.dmp

Download
memory/820-54-0x0000000000000000-mapping.dmp

Download
memory/1036-60-0x0000000000000000-mapping.dmp

Download
memory/1064-68-0x0000000000000000-mapping.dmp

Download
memory/1096-57-0x0000000000000000-mapping.dmp

Download
memory/1200-63-0x0000000000000000-mapping.dmp

Download
memory/1476-64-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1672-65-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing