darkside | e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994

General

Target

chrome_setup.msi
Size

304KB
MD5

6b63f4f44ed6a243acbf0ee18c5fb5a2
SHA1

3d6e13fa319d4de1393c23579753833260b3ef2e
SHA256

e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994
SHA512

ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809
SSDEEP

3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\README.29c27192.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
4776	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3744	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
4640	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4924 MsiExec.exe
4924 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

696 ICACLS.EXE
4796 ICACLS.EXE

pid	process
4924	MsiExec.exe
4924	MsiExec.exe

pid	process
696	ICACLS.EXE
4796	ICACLS.EXE

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 14 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\29c27192.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\e5782cc.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEC1681A0D33DBDF1.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8359.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85FB.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB41BBF98E85D7069.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{178E9072-0290-429F-B7B6-81A3776A0164}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2FA466380B3B2AFD.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\SystemTemp\~DF5995289069171904.TMP	msiexec.exe
File created	C:\Windows\Installer\e5782cc.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d0e58b6daa8f61000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d0e58b6d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d0e58b6d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd0e58b6d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d0e58b6d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies data under HKEY_USERS 30 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d05d570f2494a212c60db558aa6c9df1235321dc466ccf64aa1bab607887521e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cea1a5c11d1c77d59ff8b491afdcb2807d318534637fac3370a65ac0d4aca66c	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3023616a0f77b27dfb2f784e9a0002be09ac0c17ac2f9a973190d77f100eab70	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 511c5590ace92c937045889b59fbdeb6292b93ce955b6bfc25d79bbd0b4ec38a	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 88a0dfc82a0ebca9f4762f390bf6b426f2c9319dd6bb2af8fcd39afe608d8394	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\29c27192.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 501d7fdd6697920f74818a2518261ec0a82fa933af7043dc7073925e2f7c924e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 85cc4aff399b38f65c64bd8babfd8c723e4c9cc159270f519beb984f877b46de	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = e80e00002fcb20ae5c51da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 4f52d04a8e362f740cfcea4bfe39903a5b087467bc785ee6b3efce840408d839	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.29c27192\ = "29c27192"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\29c27192\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\29c27192	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\29c27192\DefaultIcon\ = "C:\\ProgramData\\29c27192.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.29c27192	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msiexec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

pid	process
4604	msiexec.exe
4604	msiexec.exe
2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
3816	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	4604	msiexec.exe
Token: SeCreateTokenPrivilege	2324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2324	msiexec.exe
Token: SeLockMemoryPrivilege	2324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2324	msiexec.exe
Token: SeMachineAccountPrivilege	2324	msiexec.exe
Token: SeTcbPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeLoadDriverPrivilege	2324	msiexec.exe
Token: SeSystemProfilePrivilege	2324	msiexec.exe
Token: SeSystemtimePrivilege	2324	msiexec.exe
Token: SeProfSingleProcessPrivilege	2324	msiexec.exe
Token: SeIncBasePriorityPrivilege	2324	msiexec.exe
Token: SeCreatePagefilePrivilege	2324	msiexec.exe
Token: SeCreatePermanentPrivilege	2324	msiexec.exe
Token: SeBackupPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeShutdownPrivilege	2324	msiexec.exe
Token: SeDebugPrivilege	2324	msiexec.exe
Token: SeAuditPrivilege	2324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2324	msiexec.exe
Token: SeChangeNotifyPrivilege	2324	msiexec.exe
Token: SeRemoteShutdownPrivilege	2324	msiexec.exe
Token: SeUndockPrivilege	2324	msiexec.exe
Token: SeSyncAgentPrivilege	2324	msiexec.exe
Token: SeEnableDelegationPrivilege	2324	msiexec.exe
Token: SeManageVolumePrivilege	2324	msiexec.exe
Token: SeImpersonatePrivilege	2324	msiexec.exe
Token: SeCreateGlobalPrivilege	2324	msiexec.exe
Token: SeBackupPrivilege	1808	vssvc.exe
Token: SeRestorePrivilege	1808	vssvc.exe
Token: SeAuditPrivilege	1808	vssvc.exe
Token: SeBackupPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2324 msiexec.exe
2324 msiexec.exe

pid	process
2324	msiexec.exe
2324	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

msiexec.exeMsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

description	pid	process	target process
PID 4604 wrote to memory of 1228	4604	msiexec.exe	srtasks.exe
PID 4604 wrote to memory of 1228	4604	msiexec.exe	srtasks.exe
PID 4604 wrote to memory of 4924	4604	msiexec.exe	MsiExec.exe
PID 4604 wrote to memory of 4924	4604	msiexec.exe	MsiExec.exe
PID 4604 wrote to memory of 4924	4604	msiexec.exe	MsiExec.exe
PID 4924 wrote to memory of 696	4924	MsiExec.exe	ICACLS.EXE
PID 4924 wrote to memory of 696	4924	MsiExec.exe	ICACLS.EXE
PID 4924 wrote to memory of 696	4924	MsiExec.exe	ICACLS.EXE
PID 4924 wrote to memory of 1232	4924	MsiExec.exe	EXPAND.EXE
PID 4924 wrote to memory of 1232	4924	MsiExec.exe	EXPAND.EXE
PID 4924 wrote to memory of 1232	4924	MsiExec.exe	EXPAND.EXE
PID 4924 wrote to memory of 4776	4924	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4924 wrote to memory of 4776	4924	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4924 wrote to memory of 4776	4924	MsiExec.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3744 wrote to memory of 2332	3744	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3744 wrote to memory of 2332	3744	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3744 wrote to memory of 2332	3744	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 3744 wrote to memory of 2332	3744	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 4924 wrote to memory of 4796	4924	MsiExec.exe	ICACLS.EXE
PID 4924 wrote to memory of 4796	4924	MsiExec.exe	ICACLS.EXE
PID 4924 wrote to memory of 4796	4924	MsiExec.exe	ICACLS.EXE
PID 2332 wrote to memory of 3816	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2332 wrote to memory of 3816	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2332 wrote to memory of 3816	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2332 wrote to memory of 4640	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2332 wrote to memory of 4640	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
PID 2332 wrote to memory of 4640	2332	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1228

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0EF44287CF92CA2551E93EA17C2ABBCD
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:696

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:1232

C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
3⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:4796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
"C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker0 job0-2332
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3816

C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -work worker1 job1-2332
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.29c27192.TXT
Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files.cab
Filesize
56KB

MD5
f8ba117f135d10e3eb80472c1ec46469

SHA1
6c084a82bf4ebafde30c5b3182f83dcb66933671

SHA256
9bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1

SHA512
3985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
Filesize
56KB

MD5
84c1567969b86089cc33dccf41562bcd

SHA1
53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

SHA256
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

SHA512
72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\msiwrapper.ini
Filesize
1KB

MD5
35873de27915e52906419555cc07a709

SHA1
10e3157d214c55f64974dcab09472b3d9281ca0a

SHA256
71ad6db3931ba19b58ad4f0061fe010f0e0b5b541095d9b2d7ffee3be54669f7

SHA512
a309e3412f053ac17ef6ad81e9dee0e6bd169cce512f28deaf752c819acfa62c625dd470bd422aceb5d3831e09b80d39f33448201c1f3abe9be637f36bac2690

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4fdac820-842f-465c-9042-e4656f2ba426\msiwrapper.ini
Filesize
1KB

MD5
e8ad32b7fa595ad04e3fe402bb6e74fc

SHA1
3cace4f7deade94ac7560745c50a9a06745fe05c

SHA256
43aaf3dbfc2f9468bb01c7e84a5ce501e24e0c7a54e9d53beae31a20f57fbede

SHA512
a080edd0f3884c116ac9e21f559bb7dcb2ea24a08cc0fc3dbd98a77abf951b5c709205fae5a89cfb672565f41026d205f203ce45fa45f9b09929bac3b75d08e6

Download Submit
C:\Windows\Installer\MSI8359.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads