cyrat | 3c50ef708fd72b96187e91c30cd80fb3eddd8cc6530e1e81dfaefbe6bc50ef34

Analysis

max time kernel
872s
max time network
1700s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virus.zip
Size

17.2MB
MD5

08fdbf17d1288af24e2ab492e6d27dca
SHA1

a7c8822cf5ed6a455a1e755422355a9e63dfb037
SHA256

3c50ef708fd72b96187e91c30cd80fb3eddd8cc6530e1e81dfaefbe6bc50ef34
SHA512

7dc1156f5b26612bf1d05a089f0e1344f5a1bc9d7a4927f504fbf395cfc295507553934d33f19cbaf1c7b2de1080ea30f6013dadc905b6bd464bf99a2c367e39
SSDEEP

393216:2UwzvsTsjqXVhqNsnhtlZeRjPLRmh/eDaXxUGZaH4:2UwbsTSqTq6nl4mh/eDzH4

Score

10^/10

cyrat discovery pyinstaller ransomware

Malware Config

Signatures

Cyrat Ransomware
Python-based ransomware which encrypts files using the Fernet library.
ransomware cyrat

Cyrat executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe	family_cyrat

Executes dropped EXE 1 IoCs

Processes:

4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe

pid process

3004 4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe
Loads dropped DLL 10 IoCs

Processes:

pid process

1228
1228
1228
1228
1228
1228
1228
1228
1228
1856
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
3004	4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe

pid	process
1228
1228
1228
1228
1228
1228
1228
1228
1228
1856

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 13 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.unknown	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.unknown\ = "unknown_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\unknown_auto_file\shell\open\command	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

1548 NOTEPAD.EXE
2924 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exe

pid process

3016 chrome.exe
3016 chrome.exe
3016 chrome.exe
3016 chrome.exe
3016 chrome.exe

pid	process
1548	NOTEPAD.EXE
2924	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeRestorePrivilege	1956	7zG.exe
Token: 35	1956	7zG.exe
Token: SeSecurityPrivilege	1956	7zG.exe
Token: SeSecurityPrivilege	1956	7zG.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
1956	7zG.exe
2476	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3016 wrote to memory of 3024	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 3024	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 3024	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2604	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2504	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2504	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2504	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2564	3016	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\virus.zip
1⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7b89758,0x7fef7b89768,0x7fef7b89778
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2364 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2388 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1244,i,12590592658080994033,8381567289058698811,131072 /prefetch:8
  2⤵
  PID:1800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1060

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2080

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\virus\" -spe -an -ai#7zMap15460:90:7zEvent25439
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\virus\*\" -spe -an -ai#7zMap28439:1092:7zEvent30904
1⤵
- Suspicious use of FindShellTrayWindow
PID:2476

C:\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe
"C:\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe"
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\virus\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988.unknown
1⤵
- Modifies registry class
PID:2276
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\virus\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988.unknown
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1548

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\virus\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988.elf
1⤵
- Modifies registry class
PID:428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\virus\a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170\a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170.unknown
1⤵
- Opens file in notepad (likely ransom note)
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
c4c3aec3f449210879f16cf73328b9c7

SHA1
09c7ff82036e89cbbfd9ced27217be3e826f32f4

SHA256
453d5b881db0f937eeb280cee8c98dfc3fb49a5b05c02a48a2364eae45896cb6

SHA512
c6ec06f40cba77bbd080165f39f60129cd8f6d6e173350728cacbbacdbcf9efc353dd2a0c08973f1e472ba73110c2fcfc37a01d68cc9b9d4f2aba357675ef935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c9ae6a7d360f5a79b24dfd20b24f432e

SHA1
125eeef1db3e92c93b706f5c1bb5b39e43b06fb8

SHA256
fb9adac909ad43401a8c52b1c10acbe0cd8efe5c5a65702d2512548e9fe15cff

SHA512
f2e2b39a9176f833db2e34af379cd4b5dbf11354c21952efadd57c3a6def5b4e81ed7b5c6884f2d67dcbf06e748d44ecd14e061ef165c9600c1a8fee25156c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4d0f9f0f9ec9229b176c1fb333aab5fb

SHA1
1d756d45b243a96b5c5173a474e43772a70f4f9c

SHA256
8f3187db3f81939895fe84baa4af9d41aabd7f39242b1c444e1af753e5214c21

SHA512
73d652361f44e94a3311cf75b65f3304717654e8651ba1c866bee520c955d5b0fab77d61f4771bf965eed8dc408761a8f95918dcb0ab24e6b76102011affe73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4830ebcfbafe85b417fa1fb769c864fd

SHA1
4f3bbb48e562aefda3ab72c483459b3734c8cf4d

SHA256
1fb967956c4f8cec768bca99ee51fe85edd93289f7f94b8c763e904d931d4452

SHA512
abfd775990d8989ecd7c5fff5b2ac21ad5b51e9721fb0029a59aa9692b50e9eb00305e14555521e613aa10ad8fcdd435e339bc6c3205307833b9af2e5bef6dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
65839d31186008d85b80d3315c33b326

SHA1
656ad4eb1bbf81229bd46c492c13474b7a1e7005

SHA256
68205e167a20b685d5dff10d3a3de4e872fae7dcd487e4ec9823016ae2a7e03e

SHA512
b2b91ab2e5b5004a706be4b1e5b135d654bc1f42a41641ff8463b9137239796417b824639c1d5e3e4ef189338884b52e7386b7e5fd24b74c3c429b4c98dffdb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.zip

Filesize
70KB

MD5
addcb94a0bfaacb6f5934d0bd7b24f94

SHA1
53aa9b0e50828ea5af71c372ab59a498a344fe13

SHA256
f2756444bce98573079726c7f38b2347c4494f36e50770f9d9cbda13d53cd7ca

SHA512
456c99c21ece58035ab046e5104dc84a4842bfa29373cda67a7f8f1ff684ea23a6127cf88597d551f8e8cd00c7336dd5ee932263d98dfe85710cceee59957637

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\3782e0dedbfe37028a0848f9cce0647083dade4969e3ca2edde847536c76652d.zip

Filesize
4.7MB

MD5
45e7f4c1c389ee677c93089f35a45a20

SHA1
5cf11d7a6322f7015ea0f063a1ab94f17335a85a

SHA256
b05507be94a0a3f2f64383a472c82167403c416f8cfa2448bad8f47ef68d836b

SHA512
f55c26d505a76ac1cd4df7da121306474fb8f844028ed5f35b8b2d759eae05e196a331543c1308fa8d49249b8bd75d87aa01509028a4d9932178300def69e174

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988.zip

Filesize
926B

MD5
2f82ef2719957e3a33c84c5d45d47b91

SHA1
b10dd342006a34e2e1f8f2d3dc7c4c684f107ca1

SHA256
bac98954b5c4e10d42159d5d6496037ee6b464ec5df3612f385862c54f177516

SHA512
0003ba5a94adc3714b050d6499bfa09fd310c9886f376dfb7f5621ccaae534216285e547559447c08a6ff51a5fa1f1b8160a076eef1e0cb823729f3c54d290b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988\40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988.unknown

Filesize
3KB

MD5
aa82d625a666a0939c4e9f50d7310354

SHA1
945bb251a3d7463bffb0e1b7d86c971bc280b9c8

SHA256
40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988

SHA512
693730dd33f9b8bc9eeaa244cfe6f2989d4fdf9bcc8898973681045589dd771b96882973b87efe29c553a3419285dfc52bc608d7ab427a9c303d70d1f8a763d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.zip

Filesize
12.4MB

MD5
b2594cf0c91e105e04060dc7780d089e

SHA1
b9f4f4ffa203f0269717fa3188d8e0e2177e5d07

SHA256
8ff5ca708bd30c57d9667400cc139e49a9a4817d08b15080ece3d5f63c496d98

SHA512
9f82eb813d5126d9caaf8eb9832122c42c0f4f5edcf655b09fcbf0b8f0a69d3ea68495f4f9a003c57362552f811e1ae6ea0ea2b84d7620f214d1eb414a244626

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170.zip

Filesize
1KB

MD5
d75565cba6da6ee2a1c43759f35e1727

SHA1
9dcc1b871821a21c367adf94978c4bc85900eed9

SHA256
1d24624b0bbdd4b6324fed490a60ba7fadc24580ff9247d0aaface65b094ae33

SHA512
4979b4a0b4ca3354e9038922f3c0ceb6eed14db95c5b4a613ba2ee6ba8960d9db9dd3edf4b3c14234abc8a1b38566d87a30ad10ccf381a65a25d039660284c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus\a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170\a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170.unknown

Filesize
2KB

MD5
bea036bd88b7cae786b434681adc6b85

SHA1
ee34980911a88a7fca146ba086fbbde54cae8305

SHA256
a8f6a74bd11b294d3b6805da9c4157f6c042acfbef4a63c54fd3b2ec7f557170

SHA512
8dc1e0b7c18b9e622b8da8c9af62d1f67daaf85710b3ed2b1b9cc38cd071a99de0aff294c4243bee0440fc66bf7a66945ff84fd2ca384ce3302f3447f97c6e70

Download Submit
\??\pipe\crashpad_3016_OSVCJIUZUQCMAVSK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\virus\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6\4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6.exe

Filesize
12.6MB

MD5
d427390e9fad598ec3288c9275c84628

SHA1
7b88e1eaa07151fc0d7639574fc7f40fa5be8aa3

SHA256
4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6

SHA512
83ecc48386999ec6d05999d88e9a81eae5267ea807441727cd60d44f17ead8a0ca6e8a0ffa7d5e4e9fc800d858fb2ee824815abe4299e0ec85639384b75324a8

Download Submit