zeppelin | 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

Analysis

max time kernel
151s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
Size

218KB
MD5

b8845a76e3942ff4d20ba4660ae926bb
SHA1

eb90f945087c270a2ecc11753180ba4ecc270696
SHA256

8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
SHA512

9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc
SSDEEP

6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000b000000022e12-133.dat	family_zeppelin
behavioral2/files/0x000b000000022e12-134.dat	family_zeppelin
behavioral2/files/0x000b000000022e12-143.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
316	explorer.exe
5104	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.ORCA.29C-1D3-A74	explorer.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\HOW_TO_RECOVER_DATA.hta	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jawt.h	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.ORCA.29C-1D3-A74	explorer.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\HOW_TO_RECOVER_DATA.hta	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	explorer.exe
File opened for modification	C:\Program Files\ExportExpand.crw.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	explorer.exe
File created	C:\Program Files\Common Files\.sys	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar	explorer.exe
File created	C:\Program Files\Common Files\microsoft shared\.sys	explorer.exe
File opened for modification	C:\Program Files\UnblockEnter.mov	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\LICENSE	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt.ORCA.29C-1D3-A74	explorer.exe
File created	C:\Program Files\Internet Explorer\HOW_TO_RECOVER_DATA.hta	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	explorer.exe
File created	C:\Program Files\7-Zip\.sys	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	explorer.exe
File opened for modification	C:\Program Files\MeasureBackup.mhtml.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\License.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.ORCA.29C-1D3-A74	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security.ORCA.29C-1D3-A74	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
Token: SeDebugPrivilege	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemProfilePrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeProfSingleProcessPrivilege	2264	WMIC.exe
Token: SeIncBasePriorityPrivilege	2264	WMIC.exe
Token: SeCreatePagefilePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeDebugPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeRemoteShutdownPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 33	2264	WMIC.exe
Token: 34	2264	WMIC.exe
Token: 35	2264	WMIC.exe
Token: 36	2264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2956	WMIC.exe
Token: SeSecurityPrivilege	2956	WMIC.exe
Token: SeTakeOwnershipPrivilege	2956	WMIC.exe
Token: SeLoadDriverPrivilege	2956	WMIC.exe
Token: SeSystemProfilePrivilege	2956	WMIC.exe
Token: SeSystemtimePrivilege	2956	WMIC.exe
Token: SeProfSingleProcessPrivilege	2956	WMIC.exe
Token: SeIncBasePriorityPrivilege	2956	WMIC.exe
Token: SeCreatePagefilePrivilege	2956	WMIC.exe
Token: SeBackupPrivilege	2956	WMIC.exe
Token: SeRestorePrivilege	2956	WMIC.exe
Token: SeShutdownPrivilege	2956	WMIC.exe
Token: SeDebugPrivilege	2956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2956	WMIC.exe
Token: SeRemoteShutdownPrivilege	2956	WMIC.exe
Token: SeUndockPrivilege	2956	WMIC.exe
Token: SeManageVolumePrivilege	2956	WMIC.exe
Token: 33	2956	WMIC.exe
Token: 34	2956	WMIC.exe
Token: 35	2956	WMIC.exe
Token: 36	2956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemProfilePrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeProfSingleProcessPrivilege	2264	WMIC.exe
Token: SeIncBasePriorityPrivilege	2264	WMIC.exe
Token: SeCreatePagefilePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeDebugPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeRemoteShutdownPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 33	2264	WMIC.exe
Token: 34	2264	WMIC.exe
Token: 35	2264	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 316	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	86
PID 2208 wrote to memory of 316	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	86
PID 2208 wrote to memory of 316	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	86
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 2208 wrote to memory of 224	2208	8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe	87
PID 316 wrote to memory of 4416	316	explorer.exe	92
PID 316 wrote to memory of 4416	316	explorer.exe	92
PID 316 wrote to memory of 4416	316	explorer.exe	92
PID 316 wrote to memory of 3300	316	explorer.exe	93
PID 316 wrote to memory of 3300	316	explorer.exe	93
PID 316 wrote to memory of 3300	316	explorer.exe	93
PID 316 wrote to memory of 2448	316	explorer.exe	94
PID 316 wrote to memory of 2448	316	explorer.exe	94
PID 316 wrote to memory of 2448	316	explorer.exe	94
PID 316 wrote to memory of 3500	316	explorer.exe	95
PID 316 wrote to memory of 3500	316	explorer.exe	95
PID 316 wrote to memory of 3500	316	explorer.exe	95
PID 316 wrote to memory of 3840	316	explorer.exe	96
PID 316 wrote to memory of 3840	316	explorer.exe	96
PID 316 wrote to memory of 3840	316	explorer.exe	96
PID 316 wrote to memory of 3752	316	explorer.exe	97
PID 316 wrote to memory of 3752	316	explorer.exe	97
PID 316 wrote to memory of 3752	316	explorer.exe	97
PID 316 wrote to memory of 5104	316	explorer.exe	98
PID 316 wrote to memory of 5104	316	explorer.exe	98
PID 316 wrote to memory of 5104	316	explorer.exe	98
PID 3752 wrote to memory of 2956	3752	cmd.exe	107
PID 4416 wrote to memory of 2264	4416	cmd.exe	108
PID 3752 wrote to memory of 2956	3752	cmd.exe	107
PID 3752 wrote to memory of 2956	3752	cmd.exe	107
PID 4416 wrote to memory of 2264	4416	cmd.exe	108
PID 4416 wrote to memory of 2264	4416	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
"C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5104
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
521B

MD5
8a55e9dcda6d9b5b2a7c0ecaccf13068

SHA1
4804d35c80a15f7d63c3a143aa26778391537e2b

SHA256
db6cd89149e838122410fd50253ce2460444dea299d5c49b1a2f97b561b0d749

SHA512
c849477241bc950994dd85387f51be5e050604c7d46f10c4b9fb3bc7e308d658a08a7f3aa0b691eefb5fac2baaf7a5dd799bb159758b600e4f8d332329b44e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
218KB

MD5
b8845a76e3942ff4d20ba4660ae926bb

SHA1
eb90f945087c270a2ecc11753180ba4ecc270696

SHA256
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

SHA512
9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
218KB

MD5
b8845a76e3942ff4d20ba4660ae926bb

SHA1
eb90f945087c270a2ecc11753180ba4ecc270696

SHA256
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

SHA512
9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
218KB

MD5
b8845a76e3942ff4d20ba4660ae926bb

SHA1
eb90f945087c270a2ecc11753180ba4ecc270696

SHA256
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

SHA512
9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

Download Submit