096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f

Analysis

max time kernel
188s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Size

499KB
MD5

1004596e635c155c0b073d3d76349985
SHA1

fba141902dfc4a7331b9f9748e6f36b7dcb623f7
SHA256

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f
SHA512

5c7afcc7bed629659ed0c02313e88255f0c2d58400c73d5aa1f860a64ffac77936e299e4be54ca59174f820d103fcc6c39e066ef1a1bc81bbbd40cd49f8d4568

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\odt\#DECRYPT_MY_FILES#.txt

Ransom Note

S A T U R N All of your files have been encrypted! To Decrypt your files follow these steps: #---------------------------------------------# 1. Download and install the "Tor Browser" from https://www.torproject.org 2. Run it. 3. In the Tor Browser, open website: http://su34pwhpcafeiztt.onion 4. Follow the instructions on the page #---------------------------------------------#

URLs

http://su34pwhpcafeiztt.onion

Extracted

Path

C:\odt\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CheckpointGroup.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointGroup.tiff.tmpG	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\CheckpointPush.tif => C:\Users\Admin\Pictures\CheckpointPush.tif.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\ResizeDisconnect.png.tmpQ	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\ResizeDisconnect.png => C:\Users\Admin\Pictures\ResizeDisconnect.png.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SwitchConnect.tiff => C:\Users\Admin\Pictures\SwitchConnect.tiff.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\CheckpointGroup.tiff.tmpG	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\CheckpointGroup.tiff.tmpG => C:\Users\Admin\Pictures\CheckpointGroup.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\CheckpointGroup.tiff => C:\Users\Admin\Pictures\CheckpointGroup.tiff.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\ExitCompare.tif.tmps	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\GroupResolve.png => C:\Users\Admin\Pictures\GroupResolve.png.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeDisconnect.png.tmpQ	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\ExitCompare.tif.tmps	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\GroupResolve.png.tmpT	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\SwitchConnect.tiff.tmpS	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchConnect.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SwitchConnect.tiff.tmpS => C:\Users\Admin\Pictures\SwitchConnect.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\CheckpointPush.tif.tmp2	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointPush.tif.tmp2	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\ExitCompare.tif => C:\Users\Admin\Pictures\ExitCompare.tif.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\GroupResolve.png.tmpT	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchConnect.tiff.tmpS	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.txt	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.html	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c3e16b7a9e9a.lnk	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\#DECRYPT_MY_FILES#.BMP"	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3140	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3516	WMIC.exe
Token: SeSecurityPrivilege	3516	WMIC.exe
Token: SeTakeOwnershipPrivilege	3516	WMIC.exe
Token: SeLoadDriverPrivilege	3516	WMIC.exe
Token: SeSystemProfilePrivilege	3516	WMIC.exe
Token: SeSystemtimePrivilege	3516	WMIC.exe
Token: SeProfSingleProcessPrivilege	3516	WMIC.exe
Token: SeIncBasePriorityPrivilege	3516	WMIC.exe
Token: SeCreatePagefilePrivilege	3516	WMIC.exe
Token: SeBackupPrivilege	3516	WMIC.exe
Token: SeRestorePrivilege	3516	WMIC.exe
Token: SeShutdownPrivilege	3516	WMIC.exe
Token: SeDebugPrivilege	3516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3516	WMIC.exe
Token: SeRemoteShutdownPrivilege	3516	WMIC.exe
Token: SeUndockPrivilege	3516	WMIC.exe
Token: SeManageVolumePrivilege	3516	WMIC.exe
Token: 33	3516	WMIC.exe
Token: 34	3516	WMIC.exe
Token: 35	3516	WMIC.exe
Token: 36	3516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3516	WMIC.exe
Token: SeSecurityPrivilege	3516	WMIC.exe
Token: SeTakeOwnershipPrivilege	3516	WMIC.exe
Token: SeLoadDriverPrivilege	3516	WMIC.exe
Token: SeSystemProfilePrivilege	3516	WMIC.exe
Token: SeSystemtimePrivilege	3516	WMIC.exe
Token: SeProfSingleProcessPrivilege	3516	WMIC.exe
Token: SeIncBasePriorityPrivilege	3516	WMIC.exe
Token: SeCreatePagefilePrivilege	3516	WMIC.exe
Token: SeBackupPrivilege	3516	WMIC.exe
Token: SeRestorePrivilege	3516	WMIC.exe
Token: SeShutdownPrivilege	3516	WMIC.exe
Token: SeDebugPrivilege	3516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3516	WMIC.exe
Token: SeRemoteShutdownPrivilege	3516	WMIC.exe
Token: SeUndockPrivilege	3516	WMIC.exe
Token: SeManageVolumePrivilege	3516	WMIC.exe
Token: 33	3516	WMIC.exe
Token: 34	3516	WMIC.exe
Token: 35	3516	WMIC.exe
Token: 36	3516	WMIC.exe
Token: SeBackupPrivilege	4636	vssvc.exe
Token: SeRestorePrivilege	4636	vssvc.exe
Token: SeAuditPrivilege	4636	vssvc.exe
Token: 33	1200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1200	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1996	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	81
PID 1476 wrote to memory of 1996	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	81
PID 1476 wrote to memory of 1996	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	81
PID 1996 wrote to memory of 3516	1996	cmd.exe	83
PID 1996 wrote to memory of 3516	1996	cmd.exe	83
PID 1996 wrote to memory of 3516	1996	cmd.exe	83
PID 1476 wrote to memory of 1460	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	92
PID 1476 wrote to memory of 1460	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	92
PID 1476 wrote to memory of 1460	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	92
PID 1476 wrote to memory of 564	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 1476 wrote to memory of 564	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 1476 wrote to memory of 564	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 1476 wrote to memory of 3088	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	94
PID 1476 wrote to memory of 3088	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	94
PID 3088 wrote to memory of 3940	3088	msedge.exe	95
PID 3088 wrote to memory of 3940	3088	msedge.exe	95
PID 1476 wrote to memory of 4332	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	96
PID 1476 wrote to memory of 4332	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	96
PID 1476 wrote to memory of 4332	1476	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	96
PID 4332 wrote to memory of 3140	4332	cmd.exe	99
PID 4332 wrote to memory of 3140	4332	cmd.exe	99
PID 4332 wrote to memory of 3140	4332	cmd.exe	99
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 3440	3088	msedge.exe	104
PID 3088 wrote to memory of 2112	3088	msedge.exe	105
PID 3088 wrote to memory of 2112	3088	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
"C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
  2⤵
  PID:1460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffe723046f8,0x7ffe72304708,0x7ffe72304718
    3⤵
    PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt

Filesize
407B

MD5
f3d19c544c10a8337a7d9f7aef079a43

SHA1
252612bbdbdbe790853fe560ce5ce8e1df5fcdc5

SHA256
b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b

SHA512
c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs

Filesize
185B

MD5
23e0e8c821b40253c04d561a6d06e253

SHA1
5df1808c8485ad1d90f1431adfa2694dbb1ed693

SHA256
54905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a

SHA512
87a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8

Download Submit
memory/1476-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download