a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913

General

Target

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
Size

178KB
MD5

9465ee00e3234ff267a50058d159cb07
SHA1

088f0370eec1a9b5d8735ef29f0fcd30a43dc11b
SHA256

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913
SHA512

7cb503aac56311ec97c4dc099b3406c2007f2cc08ded0e3d170724eda570c0ad1e775878558c2fe1f308e19a3530e2bc7a4892e6a1f910191d4bc2faa90bd3d9
SSDEEP

3072:W79hVbcR2QNXdQ61gLufjDHeIVVr0r4K7TFnCE/oYtsjTujCI4nD34UcO:ajcn861gLurDHlT0rzrk/ujaIUcO

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\HELP_RESTORE_FILES.txt

Ransom Note

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://34r6hq26q2h4jkzj.42k2b14.net or https://34r6hq26q2h4jkzj.tor2web.fi in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15VRG9UeWNLfwgTz19rwYBPWdAeACKSL2Z Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15VRG9UeWNLfwgTz19rwYBPWdAeACKSL2Z Follow the instructions on the server.

Wallets

15VRG9UeWNLfwgTz19rwYBPWdAeACKSL2Z

URLs

http://34r6hq26q2h4jkzj.42k2b14.net

https://34r6hq26q2h4jkzj.tor2web.fi

http://34r6hq26q2h4jkzj.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

sntaspc.exesntaspc.exe

pid process

2036 sntaspc.exe
1068 sntaspc.exe
Loads dropped DLL 1 IoCs

Processes:

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe

pid process

1552 a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe

pid	process
2036	sntaspc.exe
1068	sntaspc.exe

pid	process
1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sntaspc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	sntaspc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscfg = "C:\\Users\\Admin\\AppData\\Roaming\\sntaspc.exe"	sntaspc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sntaspc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg = "C:\\Users\\Admin\\AppData\\Roaming\\sntaspc.exe"	sntaspc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exesntaspc.exe

description	pid	process	target process
PID 960 set thread context of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 2036 set thread context of 1068	2036	sntaspc.exe	sntaspc.exe

Drops file in Program Files directory 64 IoCs

Processes:

sntaspc.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\History.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\System\de-DE\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg	sntaspc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	sntaspc.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	sntaspc.exe
File opened for modification	C:\Program Files\DenyDismount.odt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\HELP_RESTORE_FILES.txt	sntaspc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	sntaspc.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\HELP_RESTORE_FILES.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	sntaspc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	sntaspc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	sntaspc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1328 vssadmin.exe

pid	process
1328	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sntaspc.exe

pid	process
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe
1068	sntaspc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exesntaspc.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
Token: SeDebugPrivilege	1068	sntaspc.exe
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exea79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exesntaspc.exesntaspc.exe

description	pid	process	target process
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 960 wrote to memory of 1552	960	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
PID 1552 wrote to memory of 2036	1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	sntaspc.exe
PID 1552 wrote to memory of 2036	1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	sntaspc.exe
PID 1552 wrote to memory of 2036	1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	sntaspc.exe
PID 1552 wrote to memory of 2036	1552	a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 2036 wrote to memory of 1068	2036	sntaspc.exe	sntaspc.exe
PID 1068 wrote to memory of 1328	1068	sntaspc.exe	vssadmin.exe
PID 1068 wrote to memory of 1328	1068	sntaspc.exe	vssadmin.exe
PID 1068 wrote to memory of 1328	1068	sntaspc.exe	vssadmin.exe
PID 1068 wrote to memory of 1328	1068	sntaspc.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
"C:\Users\Admin\AppData\Local\Temp\a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
C:\Users\Admin\AppData\Local\Temp\a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913.exe
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\sntaspc.exe
C:\Users\Admin\AppData\Roaming\sntaspc.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\sntaspc.exe
C:\Users\Admin\AppData\Roaming\sntaspc.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
5⤵
- Interacts with shadow copies
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A79D1D~1.EXE >> NUL
3⤵
PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sntaspc.exe
Filesize
178KB

MD5
9465ee00e3234ff267a50058d159cb07

SHA1
088f0370eec1a9b5d8735ef29f0fcd30a43dc11b

SHA256
a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913

SHA512
7cb503aac56311ec97c4dc099b3406c2007f2cc08ded0e3d170724eda570c0ad1e775878558c2fe1f308e19a3530e2bc7a4892e6a1f910191d4bc2faa90bd3d9

Download Submit
C:\Users\Admin\AppData\Roaming\sntaspc.exe
Filesize
178KB

MD5
9465ee00e3234ff267a50058d159cb07

SHA1
088f0370eec1a9b5d8735ef29f0fcd30a43dc11b

SHA256
a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913

SHA512
7cb503aac56311ec97c4dc099b3406c2007f2cc08ded0e3d170724eda570c0ad1e775878558c2fe1f308e19a3530e2bc7a4892e6a1f910191d4bc2faa90bd3d9

Download Submit
C:\Users\Admin\AppData\Roaming\sntaspc.exe
Filesize
178KB

MD5
9465ee00e3234ff267a50058d159cb07

SHA1
088f0370eec1a9b5d8735ef29f0fcd30a43dc11b

SHA256
a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913

SHA512
7cb503aac56311ec97c4dc099b3406c2007f2cc08ded0e3d170724eda570c0ad1e775878558c2fe1f308e19a3530e2bc7a4892e6a1f910191d4bc2faa90bd3d9

Download Submit
\Users\Admin\AppData\Roaming\sntaspc.exe
Filesize
178KB

MD5
9465ee00e3234ff267a50058d159cb07

SHA1
088f0370eec1a9b5d8735ef29f0fcd30a43dc11b

SHA256
a79d1d1727c2ef415157da46d4afa89e1c8ff815af08c3932bf74acb12438913

SHA512
7cb503aac56311ec97c4dc099b3406c2007f2cc08ded0e3d170724eda570c0ad1e775878558c2fe1f308e19a3530e2bc7a4892e6a1f910191d4bc2faa90bd3d9

Download Submit
memory/1068-80-0x000000000042C221-mapping.dmp

Download
memory/1068-87-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1068-86-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1328-89-0x0000000000000000-mapping.dmp

Download
memory/1552-66-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-67-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-54-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-59-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-61-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-57-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-55-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-65-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1552-63-0x000000000042C221-mapping.dmp

Download
memory/1552-88-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1552-62-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2036-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads