Overview

overview

10

Static

static

3

5f614a8e35...e4.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-07-2024 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe

  • Size

    6.0MB

  • MD5

    5559e9f5e1645f8554ea020a29a5a3ee

  • SHA1

    d74bd70862707cd2c7ab946903f6fa0aab066151

  • SHA256

    5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4

  • SHA512

    56835d08f64887c4bd7b0fecd111f4b89411c45398618d815ed9652a0addbf25939fee9f40c4a0315e5e1539c0e87fcd5a9bd73cd7ad43d97d1484763abc5540

  • SSDEEP

    98304:YqqGLqEfydHgelcdpKCEAlFcyXSbSOK8AvpDggzc8LeAf5pNR0N75E6:dpLqEWJcd0CEzyibGpDpRRpYtO

Score
10/10
atomsilocredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

F:\README-FILE-UOKLYWYH-1721836790.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Atom Slio: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Atom Slio" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> .text{ text-align:center; } a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #f3f3fc; border: 2pt solid #bda; display: inline-block; padding: 1%; text-align: center; box-sizing:border-box; border-radius:20px; } .h { display: none; } .ml1{ position:absolute;width:50%;height:10rem;left:-211px;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2% 2% } </style> </head> <body> <div class="container"> <div class="header"> <h1>Atom Slio</h1> <small id="title">Instructions</small> </div> <div class="text"> <span style="color:#f71b3a;font-size:40px">WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!</span> </div> <hr> <div class="info"> <p>We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.</p> <p>But don’t worry, your files are safe, provided that you are willing to pay the ransom.</p> <p>Any forced shutdown or attempts to restore your files with the thrid-party software will be <span style="color:#f71b3a">damage your files permanently!</span></p> <p>The only way to decrypt your files safely is to buy the special decryption software from us. </p> <p>The price of decryption software is <span style="color:#f71b3a">500000 dollars</span>. <br>If you pay within 48 hours, you only need to pay <span style="color:#f71b3a">70% off dollars</span>. No price reduction is accepted.</p> <p>We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. </p> <p>You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files</p> </div> <hr></hr> <div align="center"> <span style="color:#f71b3a;font-size:200%">Time starts at 0:00 on December 10 </span> <hr></hr> <span style="color:#f71b3a;font-size:300%"> <a>Survival time:</a> <span id="td"></span> <span id="th"></span> <span id="tm"></span> <span id="ts"></span> </span> </div> <script type="text/javascript"> function getRTime(){ var EndTime= new Date('2021/12/12 00:00:00'); var NowTime = new Date(); var t =EndTime.getTime() - NowTime.getTime(); var d=Math.floor(t/1000/60/60/24); var h=Math.floor(t/1000/60/60%24); var m=Math.floor(t/1000/60%60); var s=Math.floor(t/1000%60); document.getElementById("td").innerHTML = d + " Day "; document.getElementById("th").innerHTML = h + " Hour "; document.getElementById("tm").innerHTML = m + " Min "; document.getElementById("ts").innerHTML = s + " Sec "; } setInterval(getRTime,1000); </script> <hr></hr> <p>You can contact us with the following email: <p><a href="mailto:[email protected]"><span class="info">Email:[email protected] </span></a></p> <p>If this email can't be contacted, you can find the latest email address on the following website:</p> <p><span class="info"><a href="http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion" target="_blank">http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion</a></span></p> <hr> <p>If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser:</p> <ol> <li>run your Internet browser</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER</li> <li>wait for the site loading</li> <li>on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed</li> <li>run TorBrowser</li> <li>connect with the button "Connect" (if you use the English version)</li> <li>a normal Internet browser window will be opened after the initialization</li> <li>type or copy the address in this browser address bar and press ENTER</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or use of TorBrowser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use.</p> <hr> <p><strong>Additional information:</strong></p> <p>You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files.</p> <p>The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files.</p> <p>Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.</p> </div> <span class="h">AESKEY</span> </body> </html><asf>XqWkXKV68v50lE/nxVWEO4EX+PnhkIHkTe/CsnvixFFHjzKSBVJ9fT2lm8RREoM0DJoxa0ROUd6E4yvTq81bvQPAQTZJQ0v7ZWoXoNKYfhrHrhtUou9f/jbv85u57yz1anHdsdFHb7mBmjbXzXDOnKRRsSJPezIFDZtWqvid3qZqThyVwp40SAuhbbab7BxBjvBAhz9r0KHOR/yux5fP8zWN/z/xb/EgatF2EqdRTPTlnoyvBfYRJ+lUlNAsyd6VU5QwgObfE0Hbob1ZTsjcWU4hOa+kx7P5YoxZUUzLBM/2lHTAoDtqHhQYQ9+eR7Yupi7A7RejldmtJQqVAbUoUvhKAo42WiDqqzYFRwIj/Svn9lXxs30K/BszyPQzTNIXUu1K/fisWhUTc9wshzcKHehQVk0otwfNFxUEBa+H1DhyW9M0MxMklo2kxwnhEAP3HfMoHpesFq4mtgwz+9v1CO+PjcU9P+F+4Qid2JUV8QNLt79bbAK8EqeyKZ3aZqHWx3iFZxolEAoUaXGxb4flyQDrHzI1hZ10s3tx+coNHjjUfG6P02wKC/ISQLKPqka1gkuHveTWLmT9apVvVwdDp1G4RXSya82mWPKQ4cn++cpF2RqvCadEdsuP5Gzk33tocPoPuu+38aNoomOnB9VxAI+BqwF7iXSPQnzDIXgkYobHwEliu3YbKoxgJtSGLLcqXohlAXPCc0TeQKZ7k/tHHb6jDspV3Uay0AONSgja9kdFxenYxYH7RCNGEv9Qa5IUnIxju7gtdgoyS6IamTya0tGZaXAVyXw5iJOfyQAldHz+gphRx1pRCr9fDgr8rmxRT7gKicjlYXKvf2wnqxTPPkOfLbejUrrBCiTL2JYmgEYNGIOwFjXHhvttkY424vqDJquAPQZtZvHcoG0zc5IbQY5DeLtmNJ6CQKIoLu2Ee7iL6h9B/sXpmHln3GmegoJGjUfyQIT2yWSCKUB6jqFcxm6fNdIJUNCHF6POtzFibkWwdqgEQ32d+3+8uWMkZTaYfK4jd438YpjiTkjsE+7c05sSTUWI9KNCfS0rMEkn/+x6o3th88OEM+tu/WsXDQcOpm5inipTJj2Wn6yKsC9kgBMV9mpnC3+SAgi13Z1soMruIvGFtVgzYiDFxxQkNvxhe0vaaQGPrHDoqmZ6BoJ7TVrvL5V1CkJejQPHOPRsW12LRjkK47bpGkDXf6r7yb8wgA0ZAWcqB9v3eI0AFtiQU0ZSZkE3Tv0/eU/ZNP8A5Qq+xjFF6cmsAFma6rNDyXZtu155Ky3qjf7ze9BopxQka9jcJjZ9AXKU7gLFnFOdKPsN46gF/uZGvpZwKFGOZr7oGrFGx57DWu59Xv2eyKzvnN16083ER/Nk+xhxWz98f+ZE4rbRc7osfKoa+Q0O9rXQ1cATAX19ksAajohlYap7HJhzEZRkgu/U0wu9Crj8Q87mYKXNYQqiKzorZeWI+QrB20hUKloCX+kbMTu0n1djwIIqH7DNfbvPJv6/3zrZXFRb5FTs55q1Psx+yoUO4CG7FR9SVCrOH8pjpDJ5sOvcd7h2oEboA44Pg2iCnXPr04oQOFHlMBaW8gGRfCJ3dP/LsfaBxFCbw7GL4QNfBpRCxxhQObX7fspKD/IcKTIA6LeYFdvJDb5qflIOrMPfW0QSupZUYUS/auCWvnxiUU90Q5ia+k5A4T95ZFnzIsbcCh4PylGNJt+GbQwySKb+ObvhZ3F95UW6DTH3DvMKOSD7FRZpppubm8E1HSjeXT3cgqCTIeS67P7toCkjK003pB0F7QjxIhmCmz5kvnioBEOzeS1kxy55CmJ11eU+6dKtJOb9xbNaLDbr/H3ryFTfNIAqsQoFU01N9OOsmjKVgjYVSI+7EWG+ssSBPz9p66sKrbQIxrlSLBPtJ91fx8rS3D34+F8VDHUI85B63sDEXYemxHmItX7Byum3YSjK9VjbyVxUYD6gL3DrmJfXbc/V3UgDnZzltZN1TiygVHiDLeaVyikg9lQYADr/9lIadWRBFQls/qhxa9tMa1+6C+IRx/Xjar+2NYWQlcdGyNRFaf7ugkimPElMg96IJ3j0zjalHJlF81/4KjIY8zmp4G74Xd7odn4lq8jTL2ypnDf1pNue4YKb53fwqlKB9w9ja/DwBLjhC9vLaeUFWIX62SFO3dTBaNFpa5bUmjrW485WoZIrjx+S7XKcwSsiOWoYl+EtSeKyWTthIMjN5hks4Fv/aiuba4O13L0OJcYPnwOAILoaG+Z3C2K8+32VoxsvvtjoiQsis7sqVqAkG7J42La0WZLidotnHgJQJrYBVulmCk8dHDOFi0uRVyAkp+NKt1BpeKbd7NRpKesfJ5v8BTpXXra+TvxSEcoiFCGAo+78PbdslWRD1KK3FjcakmOV0Y6xQc81ervLrJ12Kj8g25k8znPtzwcr4ZNTukB9ydz6PywfvLLUxn10mfuzT8SYvC/lONfvhsaW701Xuy/krHFpfifDEb5+5GDaYid85wdanNMdPnogS90D73C5P0FhoKlktK8N5Sptiepg1V2IOuubd3a0V7ZVEFquK36j2MxDxfpnLLDeTB+M5nbrXP8/QZsRNxl15X8Nj0No/DWChgJd5COyvSbfwbO1pEm/oPBD2zO1pXsEJFdrlSXhk5jsCRgNCXeC3Xqwka2boHtL2nAvaw38KZh7ueaJceCrW3l97yUhQjoNrzehRe4nXio6iy7AGxDb0Efj1WMtdodJq86yPDeAPlc7Sm7vOCehu9SxKzkXbE5URPjkUDwOxFuNGPNYqETWTYAKix7VhnM1irG2cQ+c4z7qKV6/aPJHuvpUGZww95hGxvFP3HFQn/hi+OOPNabfH/xN6wxJ3F7IIhY+4n+zMZ5EKxHUL7NaV/HBeIa9X3capraQ+Ewp6ecEe1WQw1z8TEgJXg6MAFzd1Q3nAxXMLrqL3q6TcKjZ3EVo93yS0GR9RimkpCmP95lSj5f1AiCA4ZRtMGq6AhHznMOQa8x03IkeNAFbdwChHqqOLDpoQrqzciDKHcsn5p1dW+rfIsVwWpcRmKHSuGumPiVd670kougAsc27d0VCwk5EHnyYdd1KA6dwHMgvazbzMsl97G/ZnsbozgJeTfgoDE5f7Svex2MRP2eUcF3wwCPA0VJBcxao3XeS7HyptRUL/lB5l60xLiBmgkLrhJLeomLhaxag/q7pXW5usnKQcskB5QtjJkvH8EDusfeBZNoNLHgnhYPg4p9q5KlUMW6sxhPvtcBQvVTPEqGTHecjHveV7SJX090z/sDB7qhVSx9WncQ9ZgkjjfcRW/xVa+1ilHEsQCPVf5Yju6n89ZgWj7kM93z7HMsJJcMajv7a4CMOSxhHM4miSPCm8BLjBj/hSMpz+yUThP4DnE4HUNTSf0Samgixot+iwK5g6M/EDC4xEJuR07+XuqC8GNp0PUoJyw8F/TfAJRDSYEfAYtGGDPHN4ncDcms2iIlgC1ka3Begnk7XntS25r0wedJPDtYgT45DjK5lqFYXOpbpin6lInYXLt7Tq81iMXaA3Zvfkz8j4SWNYzAqLRWGinhEIoARlPm3AHfQK8MhfINFLrnzdafKo94pi4gbKsf7fBDsZC/uMzhEEHX+v85U7FESxNYl/hh98YrSEoOD5h4EnMDNUMKTX7TKHnj33CfcS0zeoOFkgDUFioqAZ27L1ne72Rez+gmwusPLsIY8mhbVn8v6zEw7fFxFDIaGGkCT1YZHclnzayoh9qnct6rmqEN7KlKvBMcx/Ja34nhvIwqPme9HC1dOkL8Wt3dCF2F0tjqVDoyB6opTKHxmkJSaavlho0cXOIyqVlR7ux7fjkTKZyf8hNmwMEDZJtzDTSK+dh5eAo7HKLwltwpyxsxcJw5N+TYgNwWM4t6yDMIwWUEQvsyPzPFaaQmjIgqYAalRXxYoMz0lqt3Uy3rKpuwqoi+xu5Qj6ELYvhxbAxcOwpwxrrXsI5XMIt10E90u2Jv7yKi1Jd/Luu5bLYCQVEbvUyLd9bAIwFgMYeo4SM4NEN81ISjinz/jcVryBhxMLIDU5w+6yZCoKmUyGUDDixqRQoz/a42WvvUqy8XK</asf><csf>2</csf><pub>MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAlIKqaiDl1w58nwKdz7Z+tgFnDl5IGkSf+D1fv9AXZuUcdCKm9mE5Y5qpOkqRhFuk7BcQrGT1JlseTGouCb9EiLIozhoR9TAR7DeZCkqlYn4fZhTsn8tegLgrD3O+zY31z0KBIPjlCC4TDXIwe2ZB0m49fDIV7l2vCFJZ72TSYqME/H2n3N0pLPt/r04gOWv6X5OUmt7fs/L8NP5bL5I+NEHMVbC3Us7QAIk83milbw6lxCY7PbmYoxCC6IGsIakpAIWB2wHP6gnF71Zvwt4h1FqV9LD3UCQLnMxIob51MYZKkWf9ZkDVnmffcoXyGbB8uGgg2hJbGcAzqcLnAXuY13/1zZE1ThWwv9ApqBx/HqfPpLSKOVNh6DWU0n7vSJZdXBCuGmMc2gGn+JCxjBtkegmSJTh9bVdyUnjqgYbD0/b8zi7BhAIF5ZFUhK9FBGjkRk1tEUGf3s25DH1ihoWmLDb5Jr3eERWto3d/TN+Xxixrb32BIDLhKDiqPDP3ruOZLPn2cyPctFYKCugSD9BTZKALgKmWNa3CdP/m4eiVrymsaPYC/ARPHwGGvZns7yU8uEENQfT2mIEgLhwxoyYxA8rsLfpcHbtbcR3Pz5zyNHVAsAe9Wi2bgI77lNdg9vEqNc/iFEaKzwz6I40mKgv9HdbdpOyfMII0sGKX7MK5in8CARE=</pub><bsf>UOKLYWYH</bsf></span></body></html>
Emails

href="mailto:[email protected]"><span

class="info">Email:[email protected]

Extracted

Path

C:\Users\Public\ATOMSILO-README.hta

Family

atomsilo

Ransom Note
Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 500000 dollars . If you pay within 48 hours, you only need to pay 70% off dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on December 10 Survival time: You can contact us with the following email: Email:[email protected] If this email can't be contacted, you can find the latest email address on the following website: http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. AESKEY
Emails
URLs

http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion

Signatures

  • AtomSilo

    Ransomware family first seen in September 2021.

    ransomwareatomsilo
  • AtomSilo Ransomware 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
    "C:\Users\Admin\AppData\Local\Temp\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\SYSTEM32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
        PID:1600
      • C:\Windows\SYSTEM32\mshta.exe
        mshta "C:\Users\Public\ATOMSILO-README.hta"
        2⤵
          PID:4404
        • C:\Windows\SYSTEM32\mshta.exe
          mshta "C:\Users\Public\ATOMSILO-README.hta"
          2⤵
            PID:1304
          • C:\Windows\SYSTEM32\mshta.exe
            mshta "C:\Users\Public\ATOMSILO-README.hta"
            2⤵
              PID:4212
            • C:\Windows\SYSTEM32\mshta.exe
              mshta "C:\Users\Public\ATOMSILO-README.hta"
              2⤵
                PID:4268
              • C:\Windows\SYSTEM32\mshta.exe
                mshta "C:\Users\Public\ATOMSILO-README.hta"
                2⤵
                  PID:1884
                • C:\Windows\SYSTEM32\mshta.exe
                  mshta "C:\Users\Public\ATOMSILO-README.hta"
                  2⤵
                    PID:1764
                  • C:\Windows\SYSTEM32\mshta.exe
                    mshta "C:\Users\Public\ATOMSILO-README.hta"
                    2⤵
                      PID:3808
                    • C:\Windows\SYSTEM32\mshta.exe
                      mshta "C:\Users\Public\ATOMSILO-README.hta"
                      2⤵
                        PID:4164
                      • C:\Windows\SYSTEM32\mshta.exe
                        mshta "C:\Users\Public\ATOMSILO-README.hta"
                        2⤵
                          PID:4944
                        • C:\Windows\SYSTEM32\cmd.exe
                          cmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe"
                          2⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1308
                          • C:\Windows\system32\PING.EXE
                            ping 127.0.0.1 -n 6
                            3⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:1932
                      • C:\Windows\system32\taskmgr.exe
                        "C:\Windows\system32\taskmgr.exe" /4
                        1⤵
                        • Drops file in Windows directory
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:3676
                      • C:\Windows\system32\werfault.exe
                        werfault.exe /h /shared Global\1599b214eb5e481b8a90c81ac4a27b9e /t 1520 /p 4268
                        1⤵
                          PID:696
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\README-FILE-UOKLYWYH-1721836790.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                          1⤵
                          • System Location Discovery: System Language Discovery
                          PID:1496
                        • C:\Windows\SysWOW64\werfault.exe
                          werfault.exe /h /shared Global\295241137f05400795b7f64ba0eea108 /t 4280 /p 1496
                          1⤵
                            PID:4432
                          • C:\Windows\system32\OpenWith.exe
                            C:\Windows\system32\OpenWith.exe -Embedding
                            1⤵
                            • Suspicious behavior: GetForegroundWindowSpam
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:3732
                            • C:\Windows\system32\NOTEPAD.EXE
                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-FILE-UOKLYWYH-1721836790.hta
                              2⤵
                                PID:4968
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:3900
                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                1⤵
                                • Drops file in Windows directory
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:4916
                              • C:\Windows\system32\browser_broker.exe
                                C:\Windows\system32\browser_broker.exe -Embedding
                                1⤵
                                • Modifies Internet Explorer settings
                                PID:4276
                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                1⤵
                                • Modifies registry class
                                • Suspicious behavior: MapViewOfSection
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:4268
                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                1⤵
                                • Drops file in Windows directory
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3232
                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                1⤵
                                • Drops file in Windows directory
                                • Modifies registry class
                                PID:4920

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                Filesize

                                14KB

                                MD5

                                cd4e72cdb4a83ec5c992f2b47c0502b5

                                SHA1

                                88913730a0b51248339d3a0e87a339c98805c5ec

                                SHA256

                                3ed284404472a3c6d395237de56d45bdf83f029798f48d1427c53dd826f82c34

                                SHA512

                                c9870a0771ea879769ef87498adda48b7e06ecfd45a41550f567c97818dde11f77b34b43d8d1bc8335a7d03d5639de28d5800890e2a25ac2c73669bb451ab7bb

                                Download Submit

                              • C:\Users\Public\ATOMSILO-README.hta
                                Filesize

                                6KB

                                MD5

                                5744127b4fb72acc81db2b912d590fdc

                                SHA1

                                2926eeafc7d15f51a12bc1199a514ace40f33dcb

                                SHA256

                                02c3c7d8896ac0516bae1420bdacbd9d7fa1452bbefbed499048732da95d741b

                                SHA512

                                031394da51882141ca3f718a21967288214194341bff1fa63f5cc97cb285205e69bb3c65c2df42993bfbf06740bf4858b3f9c13b7e1ba47739b260b66525ba65

                                Download Submit

                              • F:\README-FILE-UOKLYWYH-1721836790.hta
                                Filesize

                                11KB

                                MD5

                                9d101ec1854e98ddf39a1bc49f2a994e

                                SHA1

                                2e94e7a3f92422ba04e8d58ca5af2db20551ca2c

                                SHA256

                                5602dcba818f4ac47a33e01c4b80065a0655d018ec601dcd44c0471aaf1f2a75

                                SHA512

                                9f1944f619a9b8ee173800febe631d375e046db96283e12c9204f8c77b198be3680527ecd8d3ac53890563881a33bc68c8c7bf8e6c56d2d738cbcfe1f60a0ed7

                                Download Submit

                              • memory/404-3-0x00007FF660B51000-0x00007FF660EA4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/404-1-0x00007FF660A60000-0x00007FF66149A000-memory.dmp

                                Filesize

                                10.2MB

                                Download

                              • memory/404-0-0x00007FFE93E80000-0x00007FFE93E82000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/404-3809-0x00007FF660B51000-0x00007FF660EA4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/404-3831-0x00007FF660B51000-0x00007FF660EA4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/404-3830-0x00007FF660A60000-0x00007FF66149A000-memory.dmp

                                Filesize

                                10.2MB

                                Download

                              • memory/3232-3906-0x0000025D76110000-0x0000025D76112000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3916-0x0000025D761B0000-0x0000025D761B2000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3908-0x0000025D76130000-0x0000025D76132000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3910-0x0000025D76150000-0x0000025D76152000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3912-0x0000025D76170000-0x0000025D76172000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3914-0x0000025D76190000-0x0000025D76192000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3232-3902-0x0000025D63E00000-0x0000025D63F00000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/3232-3903-0x0000025D63E00000-0x0000025D63F00000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/3232-3901-0x0000025D63E00000-0x0000025D63F00000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/4916-3896-0x0000026029790000-0x0000026029792000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4916-3857-0x0000026025130000-0x0000026025140000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4916-3872-0x0000026025220000-0x0000026025230000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4916-3895-0x0000026029760000-0x0000026029762000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4916-3891-0x0000026022500000-0x0000026022501000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4916-3893-0x0000026022550000-0x0000026022552000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4916-3966-0x0000026022650000-0x0000026022652000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4916-3969-0x0000026022500000-0x0000026022501000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4916-3973-0x00000260223E0000-0x00000260223E1000-memory.dmp

                                Filesize

                                4KB

                                Download