Analysis
-
max time kernel
150s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
24-08-2024 22:34
General
-
Target
51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe
-
Size
347KB
-
MD5
b5ff844d298650467e7d45a18bfb1303
-
SHA1
a1dab1a6cdd93b0aa06bedcf4088a93f2e8127a4
-
SHA256
51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc
-
SHA512
b4c47ed3aef8b5f9c160572824b1a167a6a5a10143254f6b8908f9d37b227f5036feb5345f48eb6dadaed2c884d31dbc7b46de0fd343b9b8b3240869d518bdfa
-
SSDEEP
6144:hgOh2p1qF8C8gDL5GXAHsZC1JxvkChUQxL0hkMVKnzL:hgOgPqFqgD1GVg1J5pdxikfzL
Score
10/10
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family
cerber
Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!
You have turned to be a part of a big community #Cerber+Rans0mware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Rans0mware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83
|
| 2. http://52uo5k3t73ypjije.ssd5gt.top/4041-1F46-6A2B-006D-FC83
|
| 3. http://52uo5k3t73ypjije.lwbi59.top/4041-1F46-6A2B-006D-FC83
|
| 4. http://52uo5k3t73ypjije.3odvfb.top/4041-1F46-6A2B-006D-FC83
|
| 5. http://52uo5k3t73ypjije.onion.to/4041-1F46-6A2B-006D-FC83
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://52uo5k3t73ypjije.onion/4041-1F46-6A2B-006D-FC83 |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83
http://52uo5k3t73ypjije.ssd5gt.top/4041-1F46-6A2B-006D-FC83
http://52uo5k3t73ypjije.lwbi59.top/4041-1F46-6A2B-006D-FC83
http://52uo5k3t73ypjije.3odvfb.top/4041-1F46-6A2B-006D-FC83
http://52uo5k3t73ypjije.onion.to/4041-1F46-6A2B-006D-FC83
http://52uo5k3t73ypjije.onion/4041-1F46-6A2B-006D-FC83
Extracted
Path
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.tor {
padding: 10px 0;
text-align: center;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><a href="http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83</a></li>
<li><a href="http://52uo5k3t73ypjije.ssd5gt.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.ssd5gt.top/4041-1F46-6A2B-006D-FC83</a></li>
<li><a href="http://52uo5k3t73ypjije.lwbi59.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.lwbi59.top/4041-1F46-6A2B-006D-FC83</a></li>
<li><a href="http://52uo5k3t73ypjije.3odvfb.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/4041-1F46-6A2B-006D-FC83</a></li>
<li><a href="http://52uo5k3t73ypjije.onion.to/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.onion.to/4041-1F46-6A2B-006D-FC83</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <a href="http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83" target="_blank">http://52uo5k3t73ypjije.wht5py.top/4041-1F46-6A2B-006D-FC83</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/4041-1F46-6A2B-006D-FC83</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
</body>
</html>
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Contacts a large (516) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe"C:\Users\Admin\AppData\Local\Temp\51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exe"C:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:537601 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "MuiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exe" > NUL3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "MuiUnattend.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe" > NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "51716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {240FD13C-AF2B-4D43-BD03-78DD488AB528} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exeC:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exeC:\Users\Admin\AppData\Roaming\{3AEA9A82-4E28-13C0-DB4D-43AE90C05B1C}\MuiUnattend.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5681⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5208dbb6876bf687104081a70622aee4b
SHA18580196fa9a108495210ebb33a24ca4bbfcbfc86
SHA256b6eb65d1b28df8520b257eca13d692f5660d9663126c887695b9f66aae36ae8d
SHA512bd6a1e26546b624f01a18fbf54af8d1b149d7e7c91ad38cfe619b7c715b9b0bedba722b9fc71114e311a08c91ab201ab2e994096c7c5c8eadddc699bd6c8b70c
-
Filesize
90B
MD5304cf4ec3e8011e3eb7700195eef6e77
SHA1a90058f77b3cb5e489f7014248142fe93f26a5a9
SHA25614e47dce837695285db2c99c4833bb49d5330294c2dad34e3bfc1cc945f9d4f2
SHA512b624cc3a90be8afecbadd525146f9afb1ab55b265c502dca0fa8ae0cb2c28ff6f24544ba63b3c47923a61fbee23b9701e1db996a66840d328950bcf4b1b7d0c4
-
Filesize
234B
MD56f84dbf74ef41dc3d861f5fb3e0f45ff
SHA13e5f17e9b9589f33ce6add7f2518a666ff2253a4
SHA256df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8
SHA5129f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a
-
Filesize
12KB
MD579e59b7b1488363d5bb908e5edf2f9fe
SHA1829f58f69830cff8021410d0bb004143ed9aaab3
SHA256c71357adcf1d22c9f5de5bd24cf3ee4aa76a44b5854428aa521f1838ce875bac
SHA5129a38da60dce2b61cda0e5c0728e5032bddad4c36f929da0aecf92d85b6dbf5c33b649248d724aed18c86d91ad52e04de05905f9399631231742c844f4cc15f86
-
Filesize
342B
MD56e625d138f1b3e7aede12bf7ad947b52
SHA1281a27982b429e1cc08a311cbd4d5c37d9f6840d
SHA2564582823891e3fcb70a335459229c064af3a3a958324eb2f91362225185234edb
SHA51273d70a5c92a51395660bf02bafcb4c8a3736e61d320c91f960c2e451bb8dd899ebfbe1b464cba8ed95fb04d5882db30d386e07d7456186dd31fc31b498bf2c50
-
Filesize
342B
MD5e89da0980892b8bc0ce4aad1adb7c82c
SHA1ced829ed41cda440efe91bda4afed5d9a218a53b
SHA256310a0dfd69ab9a9fb1bdbbd8bb2f8113924a369cee1e33d6f26f097b9db5d310
SHA51204a4dd97aa7e5ba27f8cb4ce75efc909a3efc9b0e6dbe66edd8cdbf84f8577deeba64955eb910270baa41f7954bd5ee2d61eb59a8966bcd0006d7bd046030f63
-
Filesize
342B
MD5b5e2741d2c8efd5214b7cd2468253500
SHA1ed7a10dfab27315645d2f587da73cd11a9d1a412
SHA2569ac03a676dfd41e8a4a0b5aac39c59671fd443c2f48d630ef28659fe57bd24e1
SHA5126edf0098d841a221f8c48a6fbd013ba2c6d7d185adc85883a388d7da7398391161826a0751a34dd7b5db402adb6326252c13033aac7fb3069b52379fe1597714
-
Filesize
342B
MD5e300d899f2ebb92b2e58589c1337c8f8
SHA1a9d00b5e11fd4ac0cfe4c76529223c076659f560
SHA25627868e40717a240fa396dce53ede04995f28330a1cea227fa061492d9220c5e8
SHA512eb40464fc61f82770410decb386ea1b0f99894bec7e5ab59ee3d4dcda3bb2cd272289e80868228b41ac12ca85f431a239a934c6baaf065c8bb0b428f7000072f
-
Filesize
342B
MD56cdec14b11445e64f55d2e7cb43497a0
SHA15ac75cffeb77572829c4177f6506a1c0670a0bdf
SHA256ac0635396b7ffee650d580e7157ae0d21b0020ae5461fefe8589396ef351bba2
SHA5125f852e3f53cd46f13784b164f23ddae141a536b817c6375e6a381da9d657e0e456f34a906d03ea0e2ae0ec36b0338b86c9948f0714920502b98cbf9697a71f18
-
Filesize
342B
MD5291e32b251a8b366e6c60ace2ee33fef
SHA157e77cc1e38b9ef9cb838437379aebfdebce29af
SHA256dbab1b1b183c900e2f0a0e52d74736e386d49eede79614ecf8c3c22c3c06cf57
SHA512014ac4007d222477a9cdd7b6a4dc0b589c881f98ce19717a28b6d9ff8283b5b608e5f6e054902707556bf4568a3e7bb1c5de2d9869147b2b48fe47b61a62946b
-
Filesize
342B
MD5657dd594b77faf7c635a075d6e32622c
SHA1a9fdfdd473f1acf1660973746ef3e03999df8629
SHA256a3c87017d873527ee0d9956e8083754a357c174b3c1421c66f0e30dc7d82e1e3
SHA512105f4fc3302cd8dbc6a5c85cefb9efaf5de6877e7a8d605cd108545c20d863c268d8ecc6d028ffbaf624766e277be511b4327090a4786f6ed276228ddee1594c
-
Filesize
6KB
MD5ef11f72f8b1542d24f34b3433154a9e5
SHA10347071b8a7dde00d46fc77818ac6a122b6d4204
SHA256898c956bce6491a92ea111dd3778b83cea52cf6b9eab8773df7c1809ef5464dd
SHA51207f1697dec3d1ea7f7648600ecdf6d32df2f41540bc73a2012ddd337baf48415a72ea512a67e4d296267145d9faea2dcf2e5d5e0a4ca7054129e0fabaceb9a45
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD566585fce736fdfc0ba45077976606b67
SHA1dab8be8cc3ef83c54ab1e0af3fc49c5a23fedea9
SHA256b03371e1db44c56c15a5c834bfc04541ca741bbed409763b53a751187b57ad82
SHA512b9303bc8111912fce6c578c512956c94656c3f5ff09a9a34c3c91697731402d245707fe01e143408973ae94b160d7267d9904ee7144fb17744eb8ed043398f37
-
Filesize
347KB
MD5b5ff844d298650467e7d45a18bfb1303
SHA1a1dab1a6cdd93b0aa06bedcf4088a93f2e8127a4
SHA25651716929656f2a988e167a5b13e7cc55aa93e061e0e5cda5681071cba8faf1dc
SHA512b4c47ed3aef8b5f9c160572824b1a167a6a5a10143254f6b8908f9d37b227f5036feb5345f48eb6dadaed2c884d31dbc7b46de0fd343b9b8b3240869d518bdfa
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
8KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB