darkside | e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994

General

Target

chrome_setup.msi
Size

304KB
MD5

6b63f4f44ed6a243acbf0ee18c5fb5a2
SHA1

3d6e13fa319d4de1393c23579753833260b3ef2e
SHA256

e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994
SHA512

ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809
SSDEEP

3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\README.334cdd42.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (177) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
924	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2272	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3916	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

2876 MsiExec.exe
2876 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

1444 ICACLS.EXE
1492 ICACLS.EXE

pid	process
2876	MsiExec.exe
2876	MsiExec.exe

pid	process
1444	ICACLS.EXE
1492	ICACLS.EXE

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 21 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\5RGCPSTQ.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\5RGCPSTQ.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\K67ZDJQH.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\K67ZDJQH.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\9ZRMZ3FT.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\9ZRMZ3FT.cookie	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\334cdd42.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIA921.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD0B.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a875.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a875.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{178E9072-0290-429F-B7B6-81A3776A0164}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies data under HKEY_USERS 29 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e086e4919b51418479211735d8ed61e34dc2ad1bccd2cf39f5072a03cf16e047	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2aea4409bc4701050be2a50146367155a4f3352268d11264897c7e770907ce75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f2b1bee3408ea6f5bf17ed7ab9e71637233e35ea13a275ea1897548447196cf1	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\334cdd42.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 1189d050550642cc12147a829e4d4bb48fc7602d31c73a8ab8ccc890c35fc743	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 1c1100007fd732b25c51da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 75b858d6d9fcc588166e07cdebb1c409ec08ce2fde0392d70f68fe0c44d77ec4	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5792938b15b35660084f3dd9e68fb96f4de88951a5d52ff5862ada3f41643dce	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\334cdd42	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\334cdd42\DefaultIcon\ = "C:\\ProgramData\\334cdd42.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.334cdd42	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.334cdd42\ = "334cdd42"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\334cdd42\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
4108	msiexec.exe
4108	msiexec.exe
1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4380	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	512	msiexec.exe
Token: SeSecurityPrivilege	4108	msiexec.exe
Token: SeCreateTokenPrivilege	512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	512	msiexec.exe
Token: SeLockMemoryPrivilege	512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	512	msiexec.exe
Token: SeMachineAccountPrivilege	512	msiexec.exe
Token: SeTcbPrivilege	512	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeLoadDriverPrivilege	512	msiexec.exe
Token: SeSystemProfilePrivilege	512	msiexec.exe
Token: SeSystemtimePrivilege	512	msiexec.exe
Token: SeProfSingleProcessPrivilege	512	msiexec.exe
Token: SeIncBasePriorityPrivilege	512	msiexec.exe
Token: SeCreatePagefilePrivilege	512	msiexec.exe
Token: SeCreatePermanentPrivilege	512	msiexec.exe
Token: SeBackupPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeShutdownPrivilege	512	msiexec.exe
Token: SeDebugPrivilege	512	msiexec.exe
Token: SeAuditPrivilege	512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	512	msiexec.exe
Token: SeChangeNotifyPrivilege	512	msiexec.exe
Token: SeRemoteShutdownPrivilege	512	msiexec.exe
Token: SeUndockPrivilege	512	msiexec.exe
Token: SeSyncAgentPrivilege	512	msiexec.exe
Token: SeEnableDelegationPrivilege	512	msiexec.exe
Token: SeManageVolumePrivilege	512	msiexec.exe
Token: SeImpersonatePrivilege	512	msiexec.exe
Token: SeCreateGlobalPrivilege	512	msiexec.exe
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe
Token: SeBackupPrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeTakeOwnershipPrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeTakeOwnershipPrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeTakeOwnershipPrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeTakeOwnershipPrivilege	4108	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

512 msiexec.exe
512 msiexec.exe

pid	process
512	msiexec.exe
512	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

msiexec.exeMsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	pid	process	target process
PID 4108 wrote to memory of 3992	4108	msiexec.exe	srtasks.exe
PID 4108 wrote to memory of 3992	4108	msiexec.exe	srtasks.exe
PID 4108 wrote to memory of 2876	4108	msiexec.exe	MsiExec.exe
PID 4108 wrote to memory of 2876	4108	msiexec.exe	MsiExec.exe
PID 4108 wrote to memory of 2876	4108	msiexec.exe	MsiExec.exe
PID 2876 wrote to memory of 1444	2876	MsiExec.exe	ICACLS.EXE
PID 2876 wrote to memory of 1444	2876	MsiExec.exe	ICACLS.EXE
PID 2876 wrote to memory of 1444	2876	MsiExec.exe	ICACLS.EXE
PID 2876 wrote to memory of 3188	2876	MsiExec.exe	EXPAND.EXE
PID 2876 wrote to memory of 3188	2876	MsiExec.exe	EXPAND.EXE
PID 2876 wrote to memory of 3188	2876	MsiExec.exe	EXPAND.EXE
PID 2876 wrote to memory of 924	2876	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2876 wrote to memory of 924	2876	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2876 wrote to memory of 924	2876	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2272 wrote to memory of 1624	2272	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2272 wrote to memory of 1624	2272	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2272 wrote to memory of 1624	2272	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2272 wrote to memory of 1624	2272	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2876 wrote to memory of 1492	2876	MsiExec.exe	ICACLS.EXE
PID 2876 wrote to memory of 1492	2876	MsiExec.exe	ICACLS.EXE
PID 2876 wrote to memory of 1492	2876	MsiExec.exe	ICACLS.EXE
PID 1624 wrote to memory of 4380	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 1624 wrote to memory of 4380	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 1624 wrote to memory of 4380	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 1624 wrote to memory of 3916	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 1624 wrote to memory of 3916	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 1624 wrote to memory of 3916	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3992

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B7AE79B0D7CCE2D15882E16946F589D5
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:1444

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3188

C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
3⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker0 job0-1624
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker1 job1-1624
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.334cdd42.TXT
Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files.cab
Filesize
56KB

MD5
f8ba117f135d10e3eb80472c1ec46469

SHA1
6c084a82bf4ebafde30c5b3182f83dcb66933671

SHA256
9bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1

SHA512
3985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Filesize
56KB

MD5
84c1567969b86089cc33dccf41562bcd

SHA1
53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

SHA256
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

SHA512
72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\msiwrapper.ini
Filesize
1KB

MD5
3a81bc471bc5aa8771b4d111bfa795f3

SHA1
19ffa97edd3c385092a14835e7e2712bee184b95

SHA256
a65bf7b5f5767f2d0cf4704d2a9f222bd711c5a027d0ac2c29222f91b8957944

SHA512
59c0c57fe1d210aa9473fe76d00820e97c3f0889e8dd91849be5a897af1e2b6eeddeddfcd35052a4657065bc58acf189b6dcc37457d7a7a1f52f5ff2f0e9d000

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\msiwrapper.ini
Filesize
1KB

MD5
7ba7add749b3027a520fb6d8f678edae

SHA1
e2038a73ea8ead34f52eff88299b5d927f5f6c1c

SHA256
396132bf22366d127f3c901022a3a450ef9c68eca9483313128c27daccf2a198

SHA512
6f03e314d07647448c495b314a3d43770cfdbd7493aaafbc8f4bbe769274e6b1fa5445c861cafbe904070bc8d0d976d26d9016d5c54c65ba9e69f2f74acb88fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8a5b1279-19e2-4631-b0e8-a81144eb43d6\msiwrapper.ini
Filesize
1KB

MD5
407728803acc59a626f20385e8381780

SHA1
6cfe1af5ba015e921faa28d08e1cbce26d8e4f38

SHA256
234f9e60bd320978c1a4e64e6c03f0efde51d10662edec74d3475031c6715340

SHA512
dfc363b75976c3679840d9c1c30ebc45e716afbae0a15bda7ff0fc1c50a6e4121fa77ea264ab0d924a0cfa176144b8a9c1546d033bb57cd2ba1df1c5e0b37d82

Download Submit
C:\Windows\Installer\MSIA921.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads