darkside | e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994

General

Target

chrome_setup.msi
Size

304KB
MD5

6b63f4f44ed6a243acbf0ee18c5fb5a2
SHA1

3d6e13fa319d4de1393c23579753833260b3ef2e
SHA256

e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994
SHA512

ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809
SSDEEP

3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\README.5ae4bc4e.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (182) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
4848	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4444 MsiExec.exe
4444 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

1596 ICACLS.EXE
4156 ICACLS.EXE

pid	process
4444	MsiExec.exe
4444	MsiExec.exe

pid	process
1596	ICACLS.EXE
4156	ICACLS.EXE

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 12 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5ae4bc4e.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\e578165.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578165.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8211.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI8732.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{178E9072-0290-429F-B7B6-81A3776A0164}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8743.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000083dd7964f79773090000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000083dd79640000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090083dd7964000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d83dd7964000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000083dd796400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies data under HKEY_USERS 37 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 18c00380d5e1d89e5f2382b19c3e11f031cb7ae9150dc6988171145da93f70e7	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 22597a8d773a793ab9df4bb308f4f4406d85bcac4f69ff9cecb58673f62fb6d0	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 97baa2091a35cce0a63375b0e842ea834cd7b44d4ff64747c5d5158239063195	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 82a56fca032bab1d8dbfabc15fcd1b3b198c4c5190537cf0a1d0e23166785c40	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 040800001f5909b15c51da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c26f3a33a0e17a183e8be2d3e753541ac5b7a7f1281b42e8820fcd2197dc26fa	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b67d83b09303ddbca4a651ff39555ede98ec1ed9eba3f32d35e1a2a343616360	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 349295a948b69cee2748d1199724ee3beb3bc0c2634e3953979c2cfe036b354d	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5ae4bc4e.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a2a539e6235f56a1274a25503eb03b82986ebdf5a105c1e0e8e5246a1a6d6d7e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5ae4bc4e\DefaultIcon\ = "C:\\ProgramData\\5ae4bc4e.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.5ae4bc4e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.5ae4bc4e\ = "5ae4bc4e"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5ae4bc4e\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5ae4bc4e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
1844	msiexec.exe
1844	msiexec.exe
3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4436	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	4436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4436	msiexec.exe
Token: SeLockMemoryPrivilege	4436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4436	msiexec.exe
Token: SeMachineAccountPrivilege	4436	msiexec.exe
Token: SeTcbPrivilege	4436	msiexec.exe
Token: SeSecurityPrivilege	4436	msiexec.exe
Token: SeTakeOwnershipPrivilege	4436	msiexec.exe
Token: SeLoadDriverPrivilege	4436	msiexec.exe
Token: SeSystemProfilePrivilege	4436	msiexec.exe
Token: SeSystemtimePrivilege	4436	msiexec.exe
Token: SeProfSingleProcessPrivilege	4436	msiexec.exe
Token: SeIncBasePriorityPrivilege	4436	msiexec.exe
Token: SeCreatePagefilePrivilege	4436	msiexec.exe
Token: SeCreatePermanentPrivilege	4436	msiexec.exe
Token: SeBackupPrivilege	4436	msiexec.exe
Token: SeRestorePrivilege	4436	msiexec.exe
Token: SeShutdownPrivilege	4436	msiexec.exe
Token: SeDebugPrivilege	4436	msiexec.exe
Token: SeAuditPrivilege	4436	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4436	msiexec.exe
Token: SeChangeNotifyPrivilege	4436	msiexec.exe
Token: SeRemoteShutdownPrivilege	4436	msiexec.exe
Token: SeUndockPrivilege	4436	msiexec.exe
Token: SeSyncAgentPrivilege	4436	msiexec.exe
Token: SeEnableDelegationPrivilege	4436	msiexec.exe
Token: SeManageVolumePrivilege	4436	msiexec.exe
Token: SeImpersonatePrivilege	4436	msiexec.exe
Token: SeCreateGlobalPrivilege	4436	msiexec.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4436 msiexec.exe
4436 msiexec.exe

pid	process
4436	msiexec.exe
4436	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

msiexec.exeMsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	pid	process	target process
PID 1844 wrote to memory of 2884	1844	msiexec.exe	srtasks.exe
PID 1844 wrote to memory of 2884	1844	msiexec.exe	srtasks.exe
PID 1844 wrote to memory of 4444	1844	msiexec.exe	MsiExec.exe
PID 1844 wrote to memory of 4444	1844	msiexec.exe	MsiExec.exe
PID 1844 wrote to memory of 4444	1844	msiexec.exe	MsiExec.exe
PID 4444 wrote to memory of 1596	4444	MsiExec.exe	ICACLS.EXE
PID 4444 wrote to memory of 1596	4444	MsiExec.exe	ICACLS.EXE
PID 4444 wrote to memory of 1596	4444	MsiExec.exe	ICACLS.EXE
PID 4444 wrote to memory of 2576	4444	MsiExec.exe	EXPAND.EXE
PID 4444 wrote to memory of 2576	4444	MsiExec.exe	EXPAND.EXE
PID 4444 wrote to memory of 2576	4444	MsiExec.exe	EXPAND.EXE
PID 4444 wrote to memory of 4848	4444	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4444 wrote to memory of 4848	4444	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4444 wrote to memory of 4848	4444	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4524 wrote to memory of 3128	4524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4524 wrote to memory of 3128	4524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4524 wrote to memory of 3128	4524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4524 wrote to memory of 3128	4524	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4444 wrote to memory of 4156	4444	MsiExec.exe	ICACLS.EXE
PID 4444 wrote to memory of 4156	4444	MsiExec.exe	ICACLS.EXE
PID 4444 wrote to memory of 4156	4444	MsiExec.exe	ICACLS.EXE
PID 3128 wrote to memory of 2052	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3128 wrote to memory of 2052	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3128 wrote to memory of 2052	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3128 wrote to memory of 3524	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3128 wrote to memory of 3524	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3128 wrote to memory of 3524	3128	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2884

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE2A18D0B97073E5372372F0FA051ED2
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:2576

C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
3⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:4156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker0 job0-3128
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker1 job1-3128
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.5ae4bc4e.TXT
Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files.cab
Filesize
56KB

MD5
f8ba117f135d10e3eb80472c1ec46469

SHA1
6c084a82bf4ebafde30c5b3182f83dcb66933671

SHA256
9bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1

SHA512
3985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Filesize
56KB

MD5
84c1567969b86089cc33dccf41562bcd

SHA1
53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

SHA256
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

SHA512
72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\msiwrapper.ini
Filesize
1KB

MD5
7b322987a003cc458cb6d3c7edd77ea6

SHA1
e13aef6f9caf04dc8fb654404f6a75f099e2c17b

SHA256
6dc0a8c4fc8ae0b064164f1cbd095628c51076050c672b1c0b1e95fc5a3b7875

SHA512
49e4a67a7b99ab23b2108d852fce1bf435508d349d09f43757471ee7ba693b1cb8486467cadab7a80fd43d83fb506d2cc449c11e298197014b89be718f769add

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\msiwrapper.ini
Filesize
1KB

MD5
6076c98442aa0158c992786cabbe7303

SHA1
2b9ed6a38a3ac29f85e4830b64cf43315765cff1

SHA256
9c230b92ddaf2fc022e1f4a1cd84e7194e9aeef2b4b7ff0a35179907bd40ebd9

SHA512
e91c9f87bfb1c2c97f7baf5956d00f5cdc3a5dafcc64d973b71f6bdbf5775b1ffe4173e5c5870c2b9fcbde846b7a080b912bd42ff91ff62efa68adf396a4ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ea6cf7d6-50f1-4d31-8c31-631c7a95d9e1\msiwrapper.ini
Filesize
1KB

MD5
87b32da922b3c9ca9d0ad71fdc82bc15

SHA1
703bed793a70de06fcd2644105289ceb40ec1106

SHA256
724e6c1e1603d0cc1b06cf7c52866d1f8a04ab3a79fee0bdc3d155b005cccd4e

SHA512
7e7ce714cf655513304544a80e69ba0b21ff918d5cd022674815afeba03fbcf96eb5b12b11ab3d1c15f8ee800e4e3164356f974d726860e189ef6346e4a58aec

Download Submit
C:\Windows\Installer\MSI8211.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads