darkside | e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994

General

Target

chrome_setup.msi
Size

304KB
MD5

6b63f4f44ed6a243acbf0ee18c5fb5a2
SHA1

3d6e13fa319d4de1393c23579753833260b3ef2e
SHA256

e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994
SHA512

ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809
SSDEEP

3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\README.f6e0f448.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
5040	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2844	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4020	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3608 MsiExec.exe
3608 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

4996 ICACLS.EXE
4668 ICACLS.EXE

pid	process
3608	MsiExec.exe
3608	MsiExec.exe

pid	process
4996	ICACLS.EXE
4668	ICACLS.EXE

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in System32 directory 21 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IYLLK16P.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\3FE14DOR.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\YCL8J565.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IYLLK16P.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\YCL8J565.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\3FE14DOR.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f6e0f448.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\SourceHash{178E9072-0290-429F-B7B6-81A3776A0164}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI9EE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EE2.tmp	msiexec.exe
File created	C:\Windows\Installer\e579b75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579b75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies data under HKEY_USERS 32 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 90f6bd521d9d1bdd5210b3c2b9257a243da99a95195fbf84dec862e5a543e0cc	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b75f693b1afa20b560117ee33c5f546b5e41cf234c27b47f1c7d05f937bed486	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 172159a4e14e44ea5b839086e3726453339f871b81c5d22c06247d4420490de7	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0bd16d4671175bed94d2f76c87e5a9dbc40e80b420ee161b518dc20e8aaceddb	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 579791b6958f5782351bdaf3858ca3e1aff9a171cea1a80261651f7fb35059d1	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 53c061483727658521500808dd98a5451cf545b30d7182be494f53130b7ca478	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 607bd38c5b8aafee802a66688e784f919a28a2cbbad79a0d5702908e9eb3e592	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f6e0f448.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = cc1000008b088b22164dda01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f77c31400723fdce35febedda09110e3d7f45f43bc4c8625d79b46fe7b6e05b0	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f6e0f448	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f6e0f448\ = "f6e0f448"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f6e0f448\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f6e0f448	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\f6e0f448\DefaultIcon\ = "C:\\ProgramData\\f6e0f448.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
4216	msiexec.exe
4216	msiexec.exe
4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4300	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	168	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	168	msiexec.exe
Token: SeLockMemoryPrivilege	168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	168	msiexec.exe
Token: SeMachineAccountPrivilege	168	msiexec.exe
Token: SeTcbPrivilege	168	msiexec.exe
Token: SeSecurityPrivilege	168	msiexec.exe
Token: SeTakeOwnershipPrivilege	168	msiexec.exe
Token: SeLoadDriverPrivilege	168	msiexec.exe
Token: SeSystemProfilePrivilege	168	msiexec.exe
Token: SeSystemtimePrivilege	168	msiexec.exe
Token: SeProfSingleProcessPrivilege	168	msiexec.exe
Token: SeIncBasePriorityPrivilege	168	msiexec.exe
Token: SeCreatePagefilePrivilege	168	msiexec.exe
Token: SeCreatePermanentPrivilege	168	msiexec.exe
Token: SeBackupPrivilege	168	msiexec.exe
Token: SeRestorePrivilege	168	msiexec.exe
Token: SeShutdownPrivilege	168	msiexec.exe
Token: SeDebugPrivilege	168	msiexec.exe
Token: SeAuditPrivilege	168	msiexec.exe
Token: SeSystemEnvironmentPrivilege	168	msiexec.exe
Token: SeChangeNotifyPrivilege	168	msiexec.exe
Token: SeRemoteShutdownPrivilege	168	msiexec.exe
Token: SeUndockPrivilege	168	msiexec.exe
Token: SeSyncAgentPrivilege	168	msiexec.exe
Token: SeEnableDelegationPrivilege	168	msiexec.exe
Token: SeManageVolumePrivilege	168	msiexec.exe
Token: SeImpersonatePrivilege	168	msiexec.exe
Token: SeCreateGlobalPrivilege	168	msiexec.exe
Token: SeBackupPrivilege	3484	vssvc.exe
Token: SeRestorePrivilege	3484	vssvc.exe
Token: SeAuditPrivilege	3484	vssvc.exe
Token: SeBackupPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeBackupPrivilege	4844	srtasks.exe
Token: SeRestorePrivilege	4844	srtasks.exe
Token: SeSecurityPrivilege	4844	srtasks.exe
Token: SeTakeOwnershipPrivilege	4844	srtasks.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

168 msiexec.exe
168 msiexec.exe

pid	process
168	msiexec.exe
168	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

msiexec.exeMsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	pid	process	target process
PID 4216 wrote to memory of 4844	4216	msiexec.exe	srtasks.exe
PID 4216 wrote to memory of 4844	4216	msiexec.exe	srtasks.exe
PID 4216 wrote to memory of 3608	4216	msiexec.exe	MsiExec.exe
PID 4216 wrote to memory of 3608	4216	msiexec.exe	MsiExec.exe
PID 4216 wrote to memory of 3608	4216	msiexec.exe	MsiExec.exe
PID 3608 wrote to memory of 4668	3608	MsiExec.exe	ICACLS.EXE
PID 3608 wrote to memory of 4668	3608	MsiExec.exe	ICACLS.EXE
PID 3608 wrote to memory of 4668	3608	MsiExec.exe	ICACLS.EXE
PID 3608 wrote to memory of 4660	3608	MsiExec.exe	EXPAND.EXE
PID 3608 wrote to memory of 4660	3608	MsiExec.exe	EXPAND.EXE
PID 3608 wrote to memory of 4660	3608	MsiExec.exe	EXPAND.EXE
PID 3608 wrote to memory of 5040	3608	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3608 wrote to memory of 5040	3608	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3608 wrote to memory of 5040	3608	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2844 wrote to memory of 4132	2844	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2844 wrote to memory of 4132	2844	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2844 wrote to memory of 4132	2844	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2844 wrote to memory of 4132	2844	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3608 wrote to memory of 4996	3608	MsiExec.exe	ICACLS.EXE
PID 3608 wrote to memory of 4996	3608	MsiExec.exe	ICACLS.EXE
PID 3608 wrote to memory of 4996	3608	MsiExec.exe	ICACLS.EXE
PID 4132 wrote to memory of 4300	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4132 wrote to memory of 4300	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4132 wrote to memory of 4300	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4132 wrote to memory of 4020	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4132 wrote to memory of 4020	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4132 wrote to memory of 4020	4132	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD15D29A4F59BE1FCFC7DA3964B3D41E
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:4668

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:4660

C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
3⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:4996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker0 job0-4132
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker1 job1-4132
2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:4020

C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.f6e0f448.TXT
Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files.cab
Filesize
56KB

MD5
f8ba117f135d10e3eb80472c1ec46469

SHA1
6c084a82bf4ebafde30c5b3182f83dcb66933671

SHA256
9bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1

SHA512
3985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Filesize
56KB

MD5
84c1567969b86089cc33dccf41562bcd

SHA1
53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

SHA256
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

SHA512
72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\msiwrapper.ini
Filesize
1KB

MD5
20283e8790489c5548e5113384f694c7

SHA1
db3587b7b625e5f2a2fbe682cd17974615383825

SHA256
570b1e74824bb9ebf565150c013d299fcd903548e88136c7d4f94c7f4be73ebf

SHA512
fa5f23ac1f6cb8cec24d94bdb2f39d64ad29574ed84f47d9d915ca33c82f0c00a7ef5a020bd65901c2193c9d85bc680347cde882255a5ee8c6a9b36e80b2d441

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e99b0ac8-8c3d-4e39-91c4-962a69a97684\msiwrapper.ini
Filesize
1KB

MD5
04ad07d438894734b39e141a1c3d5d6f

SHA1
e16661997dd5dcb5c3c33a71de9da6530238969e

SHA256
fe4afa53e05353d4bd0bb095f36748d5c546ba2dd6616a3dbbfd62903fc23271

SHA512
ba4da499340fa98823b6150cf70d75d2dda80bf67af20133ff2ca3aa8534a099820b10aa2acd3e09fec0bfb76992db54dccff535db2e3960dd93cca35f492ce4

Download Submit
C:\Windows\Installer\MSI9BF2.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
4.4MB

MD5
e95a4345845c446be7113cbc2c2fdb88

SHA1
03e76b2686b94ea4a8f5e99609dc0954147018d0

SHA256
2e57b116041b4fc7d9096a5658eac5f8c439d4fb335f02c4b3cb81cd2dd65436

SHA512
cdbe8f929f3c1914a4d60541470aa009435a1b3b579cc90141b43e10b1a23fa3f704a96dadcd9040db06bc36209134962d7a90a753331a9ad3747d5c03fd2cd1

Download Submit
\??\Volume{57c63f37-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f4b7699a-a6f1-4129-823e-f970bfac97f0}_OnDiskSnapshotProp
Filesize
5KB

MD5
8f861e5fb9009181bcfff303d52e451b

SHA1
7af35c6486137b1f21c1e83d3ae7ecd5112fa5e2

SHA256
38b2ac2ad76ef7a066297c89aaf1db561cedae85220621ebe8ea0dc44db9218b

SHA512
8fc1a9592d05b324ec622ec67c1904bceec4961eb8e428d14feb2d755821f313775b9cfe5d11f7798f1cb9ed7a616e3fafac68be7cf1952fca0a566cac4b2fe2

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads