blackcat | 609172a21642cdec38beda5a23225cf21b11de9da29e94f5f3abe3b79f9b7386

Resubmissions

22-05-2024 15:10

240522-skftxsfe43 10

22-05-2024 15:06

240522-sgpyesfd46 10

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
Size

2.9MB
MD5

817f4bf0b4d0fc327fdfc21efacddaee
SHA1

8917af3878fa49fe4ec930230b881ff0ae8d19c9
SHA256

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
SHA512

b0f8c0f3e18765606db9c29199b617f5a757c5b12cdddeac1e91deaadef790b1134eb3c009b0eab36096391d93c8fa6abcb983426bc506ae79a63cadb7ea954b
SSDEEP

49152:rAnCsMZjVpVbl4D5GzNMFsl4UROAUc1y32ZxJFi4NE/RgaJ2w1M:rAnCs8pVblGyNM+l4UxUc1BhFyvww1M

Score

10^/10

blackcat ransomware

Malware Config

Extracted

Family

blackcat

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
7954i9r
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/336eb50d-ebf8-436b-937d-ec075de46e7f/419ef3f950d9f346cf86db56db453539dcd51567ea871728e78dbc9918c7efeb >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
3692	POWERPNT.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
1528	EXCEL.EXE
1584	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4788	mspaint.exe
4788	mspaint.exe
1428	mspaint.exe
1428	mspaint.exe
1508	chrome.exe
1508	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4788	mspaint.exe
3224	OpenWith.exe
1428	mspaint.exe
1664	OpenWith.exe
3692	POWERPNT.EXE
3692	POWERPNT.EXE
3692	POWERPNT.EXE
3692	POWERPNT.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
4008	WINWORD.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1528	EXCEL.EXE
1584	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3116	1508	chrome.exe	106
PID 1508 wrote to memory of 3116	1508	chrome.exe	106
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 1040	1508	chrome.exe	107
PID 1508 wrote to memory of 4356	1508	chrome.exe	108
PID 1508 wrote to memory of 4356	1508	chrome.exe	108
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109
PID 1508 wrote to memory of 2344	1508	chrome.exe	109

C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
"C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe"
1⤵
PID:3224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SelectPing.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\GetExit.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b194ab58,0x7ff8b194ab68,0x7ff8b194ab78
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:2
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3984 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=2108,i,4778903020522718073,6960164299774168587,131072 /prefetch:8
  2⤵
  PID:3240

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2232

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\SendRepair.potm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompressDebug.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StepInvoke.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertStep.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
a1ea63317f798b4a8794feed068eb885

SHA1
89145042b32e863139c8d3b67763d1aaeb84628f

SHA256
4cb414ada8d6af38feb16ac9db9da6a1480992aa217560134e02a72fb53a5b0f

SHA512
bf7b88fc2c725e62dfa3ee08ff5d246f17fb4397bd745a99546b8083586a8aea334a431275de65c454b8c46b6ab90b9e0053d30b616cba28ccf7593697ff21dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
3a4f88420d7369e9ff89bd4b2eeeb1c4

SHA1
d2f649486be2f3a0c49f9869dfdd4ba365719433

SHA256
73f952272450c49bf6b47490ec05343b98cdfcd26b10ebb4f320c22c0da3a67e

SHA512
9a608668ed6e399b44f7a553dd53813ed18bb237316b1cbd8f14b98dcb3b0bb96f971c844821eed41be2bb979dc9128f0a4f661ac3490ae24b2463ae162bdba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\49f7e6c6-4f2e-4351-a9e6-7e8f4c2a6136.tmp

Filesize
356B

MD5
c67485c2bb31ad9b702d58ce18ae90f0

SHA1
b30af409e7e05b2879b17784b9e954cf1255a68b

SHA256
1ff6bd6500f437d6238cf60a9427a95970984ed92ca26247b2cd54b5618e163c

SHA512
d4d8bb914450a0c075b35e843cede36561eecf4ccb3ec54761c70831a2e5115ce7118d966de1f8f645bf3e3d3fec7afaca1dc58a36976361994db2fafbbc1dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
49c59bdb9d05116cfb2c91f1216a93c1

SHA1
3c4535e0dfb29c502e073140257bad1388f538cd

SHA256
130b43817acf99cd7c8f93999d683b60f48bc2e9bce3f5ebbdc963252d1eff1d

SHA512
c9155e827be396eeefa43d3e61e6d11349872bfde86d4b9ea7be31c89626b43919590305fcdf3d2bf690c551c2533f5e8ef7675f8bcc1bd08d142b87c0f35ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4099718489c88d32d091059b110d9c69

SHA1
592bc4897dc0513df5dede76756641bc66b5e83c

SHA256
6a8050e1871252b0b73e65ee24e2e5c9e1e829aba5ab9a5920b2ed15d6ac397a

SHA512
87aab679425eabc0e20ecb86a1633dbcccaf6288653c2772bc6432cbb5979b227d42c10ece0a458b98ddfbff24c0de711a49f02bb55ac428b46c2e27bcd5e04e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
62715d0d6ae90bfda45cb6e083445ae2

SHA1
c4b1267770a6ae1bd19b8a645681cda31beae729

SHA256
dc307e7cf9ebe81a445af2dac26fec8426abac416c0f53ccd6befbd77f9a331b

SHA512
39fb30ba9d74b79a8d9457369ad83e90e1472e1a7dd8f74709cfe6f6beb342f0e98767880a3998ca8c04851744e11fdac8d537027b5f6f2a2637b342e33e6b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A92C913A-18A7-495D-8B0F-9340218F2F7E

Filesize
161KB

MD5
c08a8d66c746234d68d765b6da2b9594

SHA1
b7d09720b468468ea739fbd21f16c831e59424d6

SHA256
6583cf541acdb118876d7ccab2345b702dfab6cb9f42b40d0307c54142baefc2

SHA512
be82a73f30e76f9107abe7705c1f2ffcbc0766ce95a543525a7000bc7ee57aff66436979396ae29c596cd4b1fae48347c5c6fcab28546415540c9d49ed0d727e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
dd6148bca9f26475fbc0aeeffad0736a

SHA1
1876b000f740a38911d4e09a15c85c3098b75746

SHA256
081491b2e0ba76c69bd507a9e7ea1aa354c1814e1b526e34ea113e5393ffec05

SHA512
a7f5b7d109c85f7671841eb8868857f48995cdb65659c11a52169e09c999a49819bf6830e449e5bff8786aefbf1fed27a46ce15b07d858b31e39d0475331dad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
8725a105aac797b083b6bef192116efc

SHA1
9b1c47b6ca952d5a3d34aeb4f9f11e7e33376406

SHA256
d9097cac323867a5733f57987fdc6bf3d922f85a9173bb8c0c733552e8038630

SHA512
8703a279ef0a1c36cd7c86bbe8668ecbe93074da3b2e9609aa49b275d91847225884fc7687bfb162504e6a72a2b79595a8ec5b4e765d9ea363f761c92319e150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
da97672f0a1e736b28903694182aa337

SHA1
75b497b718693474e666d0cc5b27575148e27b04

SHA256
e591c74ac9553e8816abd92b5a6a895779bb19930d52acaca3dc86986a99d3f5

SHA512
a58ae6454f399c3232f527b3c99698c59389db6aa20a7d29a6d07cf29679eb09e1662ef35eba7305f8de3835e02312b41c5d5cb422e1727a9bcaa578e02a56cb

Download Submit
memory/1584-239-0x00007FF8AFA10000-0x00007FF8AFCC6000-memory.dmp

Filesize
2.7MB

Download
memory/1584-240-0x00007FF8AE750000-0x00007FF8AF800000-memory.dmp

Filesize
16.7MB

Download
memory/1584-238-0x00007FF8C0490000-0x00007FF8C04C4000-memory.dmp

Filesize
208KB

Download
memory/1584-237-0x00007FF738C50000-0x00007FF738D48000-memory.dmp

Filesize
992KB

Download
memory/2900-14-0x00000155573D0000-0x00000155573D1000-memory.dmp

Filesize
4KB

Download
memory/2900-17-0x0000015557460000-0x0000015557461000-memory.dmp

Filesize
4KB

Download
memory/2900-18-0x0000015557460000-0x0000015557461000-memory.dmp

Filesize
4KB

Download
memory/2900-19-0x0000015557470000-0x0000015557471000-memory.dmp

Filesize
4KB

Download
memory/2900-16-0x00000155573D0000-0x00000155573D1000-memory.dmp

Filesize
4KB

Download
memory/2900-20-0x0000015557470000-0x0000015557471000-memory.dmp

Filesize
4KB

Download
memory/2900-12-0x0000015557350000-0x0000015557351000-memory.dmp

Filesize
4KB

Download
memory/2900-5-0x000001554F060000-0x000001554F070000-memory.dmp

Filesize
64KB

Download
memory/2900-1-0x000001554E7C0000-0x000001554E7D0000-memory.dmp

Filesize
64KB

Download
memory/3224-0-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/3692-132-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-162-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-163-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-161-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-160-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-137-0x00007FF88D290000-0x00007FF88D2A0000-memory.dmp

Filesize
64KB

Download
memory/3692-136-0x00007FF88D290000-0x00007FF88D2A0000-memory.dmp

Filesize
64KB

Download
memory/3692-135-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-133-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-134-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/3692-131-0x00007FF88F370000-0x00007FF88F380000-memory.dmp

Filesize
64KB

Download
memory/4008-169-0x00007FF88D290000-0x00007FF88D2A0000-memory.dmp

Filesize
64KB

Download
memory/4008-171-0x00007FF88D290000-0x00007FF88D2A0000-memory.dmp

Filesize
64KB

Download