5e006f895382525e762a33e5dd5e8416bef56ae859f5e96f820cfba5c4c11226

General

Target

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Size

156KB
MD5

b927dd845c06e97594ffbc299f624eec
SHA1

b22dd1fee007b95ddef5f30c41891e25a30f5a96
SHA256

5e006f895382525e762a33e5dd5e8416bef56ae859f5e96f820cfba5c4c11226
SHA512

53e55d0378f4609bb521a6b34a717510d147175c189065dfa3e547e9d65bccda85ca30b262b6cc718544c1709d7058172af2d755884b500b73c942e08666a4db
SSDEEP

3072:GDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+K3PvFQpr5S8JSG7Is1g2mxn:g5d/zugZqll37fqjSyJcTO

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\lee4RKPOu.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 15690C2B17B6D36D888C91B12D6FBBBA << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

1A25.tmp

pid process

1612 1A25.tmp
Executes dropped EXE 1 IoCs

Processes:

1A25.tmp

pid process

1612 1A25.tmp
Loads dropped DLL 1 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

pid process

2412 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\lee4RKPOu.bmp"	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\lee4RKPOu.bmp"	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe1A25.tmp

pid	process
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu\DefaultIcon\ = "C:\\ProgramData\\lee4RKPOu.ico"	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lee4RKPOu	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lee4RKPOu\ = "lee4RKPOu"	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu\DefaultIcon	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

pid	process
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

1A25.tmp

pid	process
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp
1612	1A25.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeDebugPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: 36	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeImpersonatePrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeIncBasePriorityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeIncreaseQuotaPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: 33	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeManageVolumePrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeProfSingleProcessPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeRestorePrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSystemProfilePrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeTakeOwnershipPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeShutdownPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeDebugPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeSecurityPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Token: SeBackupPrivilege	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe1A25.tmp

description	pid	process	target process
PID 2412 wrote to memory of 1612	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe	1A25.tmp
PID 2412 wrote to memory of 1612	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe	1A25.tmp
PID 2412 wrote to memory of 1612	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe	1A25.tmp
PID 2412 wrote to memory of 1612	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe	1A25.tmp
PID 2412 wrote to memory of 1612	2412	2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe	1A25.tmp
PID 1612 wrote to memory of 2236	1612	1A25.tmp	cmd.exe
PID 1612 wrote to memory of 2236	1612	1A25.tmp	cmd.exe
PID 1612 wrote to memory of 2236	1612	1A25.tmp	cmd.exe
PID 1612 wrote to memory of 2236	1612	1A25.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\ProgramData\1A25.tmp
"C:\ProgramData\1A25.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1A25.tmp >> NUL
3⤵
PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:3016

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
Filesize
129B

MD5
5e8508819975de7a29606a54bf54430f

SHA1
386a77b42b6f32d5bfb501343833679a73e034d6

SHA256
8387de03ef1c30248a193d0422d84917cbe627cc356006fc73fe74517f1275fc

SHA512
61a37f964c591ecf3d64945301ce2c89bd65d6609b7972240bd4f85457edc6ef47c9f624d109abafea8f95482ea981d2b14201e07425a294c751fc7e13b4ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
156KB

MD5
bd0fab9ff8f6b05d14e14685cc9488e5

SHA1
4358fde8fec110af45f4ef15fab54b7bc81b0f54

SHA256
d3afe631e207d263f6b16fae2a71da67ff870205350f28a1c1fc94bca52262f9

SHA512
16f0b9085594f517fe9533cfc115702479394ae696ed622f5be06b168cf06c46bbf1c6b9de959f8cf06780dd5cc75ba48bf6545effe0293aefef3026141e8f71

Download Submit
C:\Users\lee4RKPOu.README.txt
Filesize
2KB

MD5
14c330092a41f34c63253d1280857da1

SHA1
5c2f2df55c2f20b05be82d56b5aae3175ac3ea89

SHA256
ff435771961f4cc48367ca315cedb76e17247cf46875b55d7c6bad412fcb4c62

SHA512
a2a5006b723ea5f1cc200cbdc39a318967b0f0ac4dcf2050dc12bd0681a69ddeaeb466f365eb7a2832cbf6bb47dca65196e96f068eb48a2b929b33eba1d241b4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD
Filesize
129B

MD5
3301f021d052085d27fc47daf64f64dd

SHA1
ad154a77f3484d05a8fc7803eca8a497517782cc

SHA256
04e322a5d89e24fec36a8fbdfd3c08d3c9eba62144d78d5cb74550d7ff08c863

SHA512
f69885b1beaee84ebba663fdeee1dc80b05eedc78e9a893cd77f89c3ed98ff60d32d746069e8caeac015a391781d85a57003ba70cdb541f95a9d185c3140bb1b

Download Submit
\ProgramData\1A25.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1612-282-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1612-285-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1612-293-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1612-294-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1612-317-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1612-316-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2412-0-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads