086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529

General

Target

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Size

160KB
MD5

7e488e4928dd33d8aaf738da2baaba46
SHA1

6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e
SHA256

086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529
SHA512

643e834c0281803f44e85e8a3e50f0795a2f41c1bfdd62873cc509536e8752b736729a7ab6c8af4177ae0bbe90229d31f5fffe1d1d4539b710d9aa94acce931b
SSDEEP

3072:JDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368DCH2C+7cSFaCaqWGnW:D5d/zugZqll33n7CKW

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\gqtDmx4Hj.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: ED45A38511580A6424BE505105EE4764 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

2AF7.tmp

pid process

2508 2AF7.tmp
Executes dropped EXE 1 IoCs

Processes:

2AF7.tmp

pid process

2508 2AF7.tmp
Loads dropped DLL 1 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

pid process

2100 2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\gqtDmx4Hj.bmp"	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\gqtDmx4Hj.bmp"	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe2AF7.tmp

pid	process
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gqtDmx4Hj\ = "gqtDmx4Hj"	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj\DefaultIcon	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj\DefaultIcon\ = "C:\\ProgramData\\gqtDmx4Hj.ico"	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gqtDmx4Hj	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

pid	process
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

2AF7.tmp

pid	process
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp
2508	2AF7.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeDebugPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: 36	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeImpersonatePrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeIncBasePriorityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeIncreaseQuotaPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: 33	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeManageVolumePrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeProfSingleProcessPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeRestorePrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSystemProfilePrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeTakeOwnershipPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeShutdownPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeDebugPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	1604	vssvc.exe
Token: SeRestorePrivilege	1604	vssvc.exe
Token: SeAuditPrivilege	1604	vssvc.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeSecurityPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
Token: SeBackupPrivilege	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe2AF7.tmp

description	pid	process	target process
PID 2100 wrote to memory of 2508	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe	2AF7.tmp
PID 2100 wrote to memory of 2508	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe	2AF7.tmp
PID 2100 wrote to memory of 2508	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe	2AF7.tmp
PID 2100 wrote to memory of 2508	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe	2AF7.tmp
PID 2100 wrote to memory of 2508	2100	2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe	2AF7.tmp
PID 2508 wrote to memory of 2856	2508	2AF7.tmp	cmd.exe
PID 2508 wrote to memory of 2856	2508	2AF7.tmp	cmd.exe
PID 2508 wrote to memory of 2856	2508	2AF7.tmp	cmd.exe
PID 2508 wrote to memory of 2856	2508	2AF7.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_7e488e4928dd33d8aaf738da2baaba46_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\ProgramData\2AF7.tmp
"C:\ProgramData\2AF7.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2AF7.tmp >> NUL
3⤵
PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:2460

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini
Filesize
129B

MD5
ad81299c550c707f802df4daf209febe

SHA1
5bf048d9be8f96606143e3db529ff3cb2a62e42e

SHA256
e50564fff8caec0c7399e9bc53e0c60429940029bf369762d3c438478e4fbc11

SHA512
593df6433f887ce6a85a17cbd4e61726b9f61cca319605f22e529ee2d51e1d24cd4b0e85d2367252344427c08d9a19fa51b04db40bdaefd70b1759235c73ae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
160KB

MD5
c8a6f05d2d815bd2b6a47d8bc1510713

SHA1
9e3ebcf482276a110c6371db03ebe2a21df740c5

SHA256
1f2bc06401327636198d5b482539a708b7e31a2cbb6ef3e907ca433e0fb1cc8b

SHA512
acf82d52bc3cfd78dfb67138e9eb00ef1a3873c433b21e8ad009fa1cd9482bfa8e5fa279a3357af3a399be0847dced862c9b96ae5b8fed3702d028bf9a8483b1

Download Submit
C:\Users\gqtDmx4Hj.README.txt
Filesize
3KB

MD5
c5a4859c5e2388c7c3db90e6b5bb5ada

SHA1
b3ad5512a5894d63c61594431c7d0bfd6bce3f28

SHA256
be065df5a42525f80e367f0f3a293050fbb395423aa567661737f180a5e3cbce

SHA512
e1ae655717281f7e169b0639a82ea7f28b911cba6f646eaf1166c8f7716127244e2522030813c540a26ab7c897c7a375570708b3898e0b718444ae6e12fe7272

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\DDDDDDDDDDD
Filesize
129B

MD5
4f1c2ea421566c58a08ed761853fc680

SHA1
f245baa9ee83da657b192c0f6f43bba4621fd20b

SHA256
e3081ea314e4c597d81f469786f14d61b95b98f6e3b3d38222f3b1bc7341a48e

SHA512
ac40f9579812b43f3a4730f85131699ff86d19cc8071b68ed253a0e3c35e91420462b2f3929bba189f7b4b19977e1c5178a1212deaa7ea4727b6b244d511b683

Download Submit
\ProgramData\2AF7.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2100-0-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/2508-292-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2508-294-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2508-323-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2508-326-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads