8af2354b99c64fd9d40ddb0a1ac8f5b77ed4859ee7a0f60a93acb80bf8068187

General

Target

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Size

500KB
MD5

3a7c3e8a378cd7a4fd83910937c23b19
SHA1

395ce78f0eade3fc026122d18049edc7231827b7
SHA256

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21
SHA512

3115fac1a8590f7c9cfc50793d43cbfb9688d8bc12cb56725a7040c0471c68e4b2b3bf177c1e2233e28c3259f7086ad861b3e2ea1fb050dac83a360b24efc00a
SSDEEP

12288:5h1Lk70Tnvjc+VqXbLyMTBkAuvtmfHq6/c/1hN6+0:lk70Trc+8LLNBc8q+c/96+0

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1108 netsh.exe
1084 netsh.exe

pid	process
1108	netsh.exe
1084	netsh.exe

Drops startup file 3 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Drops file in Windows directory 2 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Windows\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1700 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1568 vssadmin.exe

pid	process
1700	schtasks.exe

pid	process
1568	vssadmin.exe

Modifies registry class 7 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.BlackBit\ = "BlackBit"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open\command	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open\command\ = "C:\\ProgramData\\ei14t2px.exe \"%l\" "	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.BlackBit	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

pid	process
1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Token: SeIncreaseQuotaPrivilege	580	WMIC.exe
Token: SeSecurityPrivilege	580	WMIC.exe
Token: SeTakeOwnershipPrivilege	580	WMIC.exe
Token: SeLoadDriverPrivilege	580	WMIC.exe
Token: SeSystemProfilePrivilege	580	WMIC.exe
Token: SeSystemtimePrivilege	580	WMIC.exe
Token: SeProfSingleProcessPrivilege	580	WMIC.exe
Token: SeIncBasePriorityPrivilege	580	WMIC.exe
Token: SeCreatePagefilePrivilege	580	WMIC.exe
Token: SeBackupPrivilege	580	WMIC.exe
Token: SeRestorePrivilege	580	WMIC.exe
Token: SeShutdownPrivilege	580	WMIC.exe
Token: SeDebugPrivilege	580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	580	WMIC.exe
Token: SeRemoteShutdownPrivilege	580	WMIC.exe
Token: SeUndockPrivilege	580	WMIC.exe
Token: SeManageVolumePrivilege	580	WMIC.exe
Token: 33	580	WMIC.exe
Token: 34	580	WMIC.exe
Token: 35	580	WMIC.exe
Token: SeBackupPrivilege	1376	vssvc.exe
Token: SeRestorePrivilege	1376	vssvc.exe
Token: SeAuditPrivilege	1376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	580	WMIC.exe
Token: SeSecurityPrivilege	580	WMIC.exe
Token: SeTakeOwnershipPrivilege	580	WMIC.exe
Token: SeLoadDriverPrivilege	580	WMIC.exe
Token: SeSystemProfilePrivilege	580	WMIC.exe
Token: SeSystemtimePrivilege	580	WMIC.exe
Token: SeProfSingleProcessPrivilege	580	WMIC.exe
Token: SeIncBasePriorityPrivilege	580	WMIC.exe
Token: SeCreatePagefilePrivilege	580	WMIC.exe
Token: SeBackupPrivilege	580	WMIC.exe
Token: SeRestorePrivilege	580	WMIC.exe
Token: SeShutdownPrivilege	580	WMIC.exe
Token: SeDebugPrivilege	580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	580	WMIC.exe
Token: SeRemoteShutdownPrivilege	580	WMIC.exe
Token: SeUndockPrivilege	580	WMIC.exe
Token: SeManageVolumePrivilege	580	WMIC.exe
Token: 33	580	WMIC.exe
Token: 34	580	WMIC.exe
Token: 35	580	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.execmd.execsc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1780	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1780	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1780	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1780	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1780 wrote to memory of 1700	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 1700	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 1700	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 1700	1780	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 904	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 1676 wrote to memory of 904	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 1676 wrote to memory of 904	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 1676 wrote to memory of 904	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 904 wrote to memory of 1572	904	csc.exe	cvtres.exe
PID 904 wrote to memory of 1572	904	csc.exe	cvtres.exe
PID 904 wrote to memory of 1572	904	csc.exe	cvtres.exe
PID 904 wrote to memory of 1572	904	csc.exe	cvtres.exe
PID 1676 wrote to memory of 1528	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1528	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1528	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1528	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1144	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1144	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1144	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1144	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1440	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1440	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1440	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1440	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1528 wrote to memory of 1568	1528	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 1568	1528	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 1568	1528	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 1568	1528	cmd.exe	vssadmin.exe
PID 1676 wrote to memory of 1348	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1348	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1348	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1348	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1496	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1496	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1496	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1496	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 856	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 856	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 856	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 856	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1704	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1704	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1704	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1676 wrote to memory of 1704	1676	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	WMIC.exe
PID 856 wrote to memory of 1108	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 1108	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 1108	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 1108	856	cmd.exe	netsh.exe
PID 1704 wrote to memory of 1084	1704	cmd.exe	netsh.exe
PID 1704 wrote to memory of 1084	1704	cmd.exe	netsh.exe
PID 1704 wrote to memory of 1084	1704	cmd.exe	netsh.exe
PID 1704 wrote to memory of 1084	1704	cmd.exe	netsh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
"C:\Users\Admin\AppData\Local\Temp\2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bryysnhx\bryysnhx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB433.tmp" "c:\ProgramData\CSCD9023672607A4BBEB968D76AE1522C2.TMP"
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ei14t2px.exe
Filesize
108KB

MD5
d21276a7602d84005196bc5924f8669c

SHA1
65f27219dcd594e9cdc91eefbb3f626d3ea39ce0

SHA256
bf11ed431c2d019c756b45f3678184b5df379436701aed590576be2a02c2f2ad

SHA512
20df8957c26efc21b61cd1fdc537ecef6de5aeab88b81951025bb733c15575e1e36b3426fa519ee01c60aef88a5ccab7576e2b8012081622e84f3d2a247bc5a6

Download Submit
C:\ProgramData\winlogon.exe
Filesize
500KB

MD5
3a7c3e8a378cd7a4fd83910937c23b19

SHA1
395ce78f0eade3fc026122d18049edc7231827b7

SHA256
2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21

SHA512
3115fac1a8590f7c9cfc50793d43cbfb9688d8bc12cb56725a7040c0471c68e4b2b3bf177c1e2233e28c3259f7086ad861b3e2ea1fb050dac83a360b24efc00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB433.tmp
Filesize
105KB

MD5
5abc7bbd99e0b2039ea70de7ce366821

SHA1
b0c30cccfb6fc5ac619dbd154ebd5bc084a7590f

SHA256
322b8bbcc5256904d038bdcfc1fb9c871782a552a96b389e05ecd3501031a9bb

SHA512
0b2c8fa046746ee00e2b5dee2eacd6cee47458292b663827e9dae0843441f2051fc5e0c8161301956bd80af9ad78b105b590cca7c32c3f95a6d982f3602bf59b

Download Submit
\??\c:\ProgramData\CSCD9023672607A4BBEB968D76AE1522C2.TMP
Filesize
103KB

MD5
71089b998c6580b934e2d4c870fae05f

SHA1
052cee577e76e14572ec5d4253e5012ce65ef73f

SHA256
b44318f3bee591d91e35d88062be21db18df3def2b6fa63984261f55f6434501

SHA512
2377ae76fb3e3bdb008415bc079986eb8486905bab2c87c547f388984ccc9a780923a69cd0ab50804dd2fbcd37ea97aaa7a95943f4077f3eddbe52e0f4f2eeb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bryysnhx\bryysnhx.0.cs
Filesize
1KB

MD5
053d3a031be8342225d087e48cb5d968

SHA1
2d0db8f05ba2e4501668c23f300ca474a42acd26

SHA256
2155a3a033c7326ca4a55a02220a13af5f0c968a8c3590bda2d753ea36935d50

SHA512
b274c91b344b5004acdbd6564a159efbd933830c80295d4d5582942c3cd764a60badc05f6142100d4e6c73f20a9186146b97141d9ddb0fa62c0764bb8ca07f25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bryysnhx\bryysnhx.cmdline
Filesize
236B

MD5
cb4499a892ed41d97e0dbed5473d8e1d

SHA1
9a6884e511199feb30a7a7dc2098207a5e7ed027

SHA256
8d40f9e10bffa9cf4774482760c16d34b07e61de867045a393b7a3ee7668d222

SHA512
69ae61b848cea1b0f99587b2b6826fe7a763a3a98a8f7e1d7d76be22ade2e9c3f7e86a4287f1666e8ca6aac73abe8dfc12a98a42e173598e0af66559c5e060d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2j41ahk.ico
Filesize
102KB

MD5
305c2042777e67710483e58acc04ac2c

SHA1
d68e4090e313e6b814ca795980c2bc054df78a77

SHA256
f9ddf619ca0266055744c2beca77673aa41702104b459a0f55de3945196b6c50

SHA512
0e55fe1cacda339cbe207d51f7d3be2e008fc3013520ce863967443332d6647c80d48959a84c5885f53c9b6cf66046e4b9065c840b35d1975bbec63b7fc24203

Download Submit
memory/1676-96-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-104-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-66-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-68-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-70-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-72-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-74-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-76-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-78-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-80-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-82-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-84-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-86-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-88-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-90-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-92-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-94-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-54-0x00000000049B0000-0x0000000004A5E000-memory.dmp

Filesize
696KB

Download
memory/1676-98-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-100-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-102-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-65-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1676-106-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-108-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-110-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-112-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-114-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-116-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-118-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-120-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-122-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-2837-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1676-3342-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1676-63-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1676-3352-0x00000000054C0000-0x00000000054F8000-memory.dmp

Filesize
224KB

Download
memory/1676-62-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-61-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1676-59-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-57-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-56-0x0000000004860000-0x0000000004906000-memory.dmp

Filesize
664KB

Download
memory/1676-55-0x0000000004860000-0x000000000490C000-memory.dmp

Filesize
688KB

Download
memory/1676-3369-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads