96b3bcce3280a16131ef6de01f65bdc69314a7d86477321e8bb944d2fb6ff603

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
Size

2.6MB
MD5

c8ececb7cd83b938712e63f9e96e6f6c
SHA1

942597cd5e7b61721dc516793e7510580757c587
SHA256

96b3bcce3280a16131ef6de01f65bdc69314a7d86477321e8bb944d2fb6ff603
SHA512

ca9f3d13ae0c043d87ca3ab505c12dec2656ef71c05737f24a3483f9d3619cb9837a36faf71b614b77169e3486057228ba2a4e3920385cabe830033a2395a9f9
SSDEEP

24576:LbA9MGiVwmIPOaq6EUWOk/vNKj1xzb6gPvsFjG4/owGkE1Pj:yriVNI2aq6EUdkHNKjTGckowGkE1

Score

10^/10

discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\temp\important.txt

Ransom Note

=============================================== | 重要通知 - 重要通知 | =============================================== 你好，尊敬的用户，我们已经成功侵入你的系统，并对你的文件进行了强力加密。你数据库和其他重要文件都已被锁定，无法访问。为了解锁你的文件，你需要支付赎金。我们采用匿名的支付方式，即比特币。以下是支付细节：支付金额：5 BTC（比特币）充币网络：BTC-Bitconin 比特币地址：3PztoCUcREzAhVhTwKT1hf2ManFP3eQQJC 请在下面的比特币地址中支付赎金。一旦支付完成，你将收到解密密钥，并能够恢复你的所有文件。倒计时：你有 72 小时来支付赎金。一旦倒计时结束，解密密钥将永久失效，文件将无法恢复。 ==================== 警告 ===================== 如果你尝试解密文件或与当地执法机关联系，你的文件将被永久销毁，并且你将失去所有数据。为避免不必要的损失，请遵循我们的指示支付赎金。联系我们：[email protected] =============================================== =============================================== | Important Notice | =============================================== Hello, dear user, We have successfully infiltrated your system and encrypted your files with strong encryption. Your photos, documents, databases, and other important files are now locked and inaccessible. To unlock your files, you need to pay a ransom. We prefer an anonymous payment method, namely Bitcoin. Below are the payment details: Payment Amount: 5 BTC (Bitcoin) Bitcoin network：BTC-Bitconin Bitcoin Address: 3PztoCUcREzAhVhTwKT1hf2ManFP3eQQJC Please pay the ransom to the Bitcoin address provided. Once the payment is complete, you will receive the decryption key and be able to recover all your files. Countdown: You have 72 hours to pay the ransom. Once the countdown expires, the decryption key will permanently expire, and your files will be unrecoverable. ==================== Warning ===================== If you attempt to decrypt the files or contact local law enforcement, your files will be permanently destroyed, and you will lose all data. To avoid unnecessary losses, follow our instructions to pay the ransom. Contact us: [email protected] ===============================================

Emails

联系我们：[email protected]

[email protected]

Wallets

3PztoCUcREzAhVhTwKT1hf2ManFP3eQQJC

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,WinHelp.exe"	reg.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeepMountains = "C:\\temp\\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe"	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinHelp.exe	cmd.exe
File opened for modification	C:\Windows\System32\WinHelp.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\fus2base.frm.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\fus3base.frm.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\glass.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\logo.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rssBackBlue_Undocked.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_blue_windy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_da28cd796a2b1f1b\SqlPersistenceProviderLogic.sql.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printing-fdprint_31bf3856ad364e35_6.1.7600.16385_none_b425025e9ef3d84c\superbar.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-dock.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_black_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\settings_box_bottom.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_left_disabled.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_frame-highlight.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\dialdot_lrg.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1248d52c93fe6e31\Tracking_Schema.sql.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\shuffle_over.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\44.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_da28cd796a2b1f1b\SqlPersistenceProviderSchema.sql.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-installsqlstate_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_16dc087b33140e2a\InstallSqlState.sql.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\modern_m.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-full_partly-cloudy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\trad_m.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\trad_dot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-desk.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\15.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_thunderstorm.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\16_9-frame-overlay.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\graph_over.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\13.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_gray_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\redStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bg-desk.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_gray_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-waning-gibbous_partly-cloudy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\NavigationLeft_SelectionSubpicture.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\novelty_settings.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_box_left.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\vignettemask25.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw48.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\tile16.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-flippage_31bf3856ad364e35_6.1.7600.16385_none_0f19716417635239\pagecurl.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_netfx35cdf-cdf_sql_files_31bf3856ad364e35_6.1.7600.16385_none_a203944b32daa861\SqlPersistenceProviderSchema.sql.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\flower_dot.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\graph_down.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_few-showers.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\3.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\base-undocked-4.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\system_s.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\blank.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\square_s.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\item_hover_floating.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_foggy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget-insidebar_31bf3856ad364e35_6.1.7600.16385_none_04ef2896fc362397\bg_sidebar.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationLeft_SelectionSubpicture.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printing-fdprint_31bf3856ad364e35_6.1.7600.16385_none_b425025e9ef3d84c\overlay.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\9.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\divider-vertical.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\NavigationUp_SelectionSubpicture.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\(120DPI)grayStateIcon.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\shuffle_down.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\logo.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked-loading.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_cloudy.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Perf_Scenes_Subpicture1.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_left_pressed.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rss_headline_glow_flyout.png.Mirage	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3016	WMIC.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2520	ipconfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2680	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2668	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2152	schtasks.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2496	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	32
PID 2128 wrote to memory of 2496	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	32
PID 2128 wrote to memory of 2496	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	32
PID 2128 wrote to memory of 2140	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	34
PID 2128 wrote to memory of 2140	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	34
PID 2128 wrote to memory of 2140	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	34
PID 2128 wrote to memory of 1864	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	35
PID 2128 wrote to memory of 1864	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	35
PID 2128 wrote to memory of 1864	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	35
PID 2128 wrote to memory of 2660	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	36
PID 2128 wrote to memory of 2660	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	36
PID 2128 wrote to memory of 2660	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	36
PID 2128 wrote to memory of 2152	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	37
PID 2128 wrote to memory of 2152	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	37
PID 2128 wrote to memory of 2152	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	37
PID 2128 wrote to memory of 2680	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	38
PID 2128 wrote to memory of 2680	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	38
PID 2128 wrote to memory of 2680	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	38
PID 2128 wrote to memory of 2708	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	39
PID 2128 wrote to memory of 2708	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	39
PID 2128 wrote to memory of 2708	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	39
PID 2128 wrote to memory of 2752	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	40
PID 2128 wrote to memory of 2752	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	40
PID 2128 wrote to memory of 2752	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	40
PID 2752 wrote to memory of 3016	2752	cmd.exe	41
PID 2752 wrote to memory of 3016	2752	cmd.exe	41
PID 2752 wrote to memory of 3016	2752	cmd.exe	41
PID 2140 wrote to memory of 2668	2140	cmd.exe	42
PID 2140 wrote to memory of 2668	2140	cmd.exe	42
PID 2140 wrote to memory of 2668	2140	cmd.exe	42
PID 2128 wrote to memory of 2388	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	43
PID 2128 wrote to memory of 2388	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	43
PID 2128 wrote to memory of 2388	2128	20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe	43
PID 2388 wrote to memory of 2520	2388	cmd.exe	44
PID 2388 wrote to memory of 2520	2388	cmd.exe	44
PID 2388 wrote to memory of 2520	2388	cmd.exe	44
PID 2388 wrote to memory of 1648	2388	cmd.exe	45
PID 2388 wrote to memory of 1648	2388	cmd.exe	45
PID 2388 wrote to memory of 1648	2388	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
"C:\Users\Admin\AppData\Local\Temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\cmd.exe
  cmd /c start C:\temp\important.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\temp\important.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe C:\temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe
  2⤵
  PID:1864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe C:\Windows\System32\WinHelp.exe
  2⤵
  - Drops file in System32 directory
  PID:2660
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn DeepMountains /tr C:\temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe /sc minute /mo 5
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2152
- C:\Windows\system32\reg.exe
  reg add hkcu\Software\Microsoft\Windows\CurrentVersion\Run /v DeepMountains /d C:\temp\20240925c8ececb7cd83b938712e63f9e96e6f6cespilonredsnatch.exe /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,WinHelp.exe /f
  2⤵
  - Modifies WinLogon for persistence
  PID:2708
- C:\Windows\system32\cmd.exe
  cmd /c "wmic logicaldisk get caption /value"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get caption /value
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd /c "ipconfig | findstr IPv4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2520
- - C:\Windows\system32\findstr.exe
    findstr IPv4
    3⤵
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png.Mirage

Filesize
5KB

MD5
8265284c16f6f1b30621063c1d1f6a9b

SHA1
bbbef6e6f2bcc9f380e72e9c61b329c0ee053194

SHA256
becc693b2c4e7c1a6da8a4a1d4e24d0a0b322544a3d65768d21164a5063c7894

SHA512
6a614769d70090f14907a40c1eab569556ca07627bb370c11e56de7cf097680279cc2d21fe92bff1db6fba40fffc1f1603ed7306fbd834fc1181cd6548bf0f02

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png.Mirage

Filesize
5KB

MD5
75437db3603c44ca5d5ea74e5c72da06

SHA1
8435e6985ad85a361bd8712e54c304121e87a3bb

SHA256
07f2753b9e2ca3815614d48643cc13792d96d36b27a275b0f5eac68a0357ef64

SHA512
db5c5952479632d3930bf5feb65a65a7f60c9fe5e811fd7cc661d95347632bcdf7e13352d842ba2727a76ddd79dbd392537febe7ca76820976ddea1b3dc65a75

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png.Mirage

Filesize
4KB

MD5
a7235adc7bff1f216d076f8b20a646d6

SHA1
5ab1806b55c3f26a0a20800c161d51fd4ced52ff

SHA256
00742dcbb5469b612b16047883940550542a060eb30dec763f350da8df41843e

SHA512
14f92e0fd016ba75932b9d21caf69e86ba6894377cedf7ecf8cc77fcbc05c448fa0b7f824438db4fde411c65bcfd496bbd6ed4c6871281fb053c6340aa517d44

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png.Mirage

Filesize
4KB

MD5
075dc652619877ddb9964c20ee9049b8

SHA1
089ddbbc4903a0e4f0fb8cad2cb184db95c1a25e

SHA256
efb1db0e41bd00f1693e35b17d4e62fc191c44a6655903f4379ab7192a28459a

SHA512
18b0ab0332f82a95bec64a1ddbbd022137b35d64e46f4124a0ddc6b5e1873169daa534216a1f11c3ae25355642e5acc1776897d1aef2e1e3d8322d0c22c8c5b9

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.Mirage

Filesize
5KB

MD5
cbbd98afb4cbc50ee76e79131eae4cb4

SHA1
3f2fa92a31a32a72e542cb40fbcbeb76e6ae4287

SHA256
c45ebe4969e3eb8ce360018436b60e4705d19edd91ec6af16761d749a422f867

SHA512
214fba7673eb5456c8119c01a7a638c98c1f731778b796d2e2d6c5dc0c16cc323d5f9e0e8df37b3ea597a47d7ef3304b9d5bec5bfc8dcc32ca981edfcfc5eecf

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png.Mirage

Filesize
5KB

MD5
b79c6d17defb0fd0d8777e7ad271777e

SHA1
30916dc2d721d434861871a27731e0816470031d

SHA256
db2d8a84be3b15d3e8312d8eba87e1b073ff097dacaa128b46b1ff1bfccc8455

SHA512
60eeb7373b65165c93bd8aa8b89dc8e20bcda237b213ebdc9ac1d4bb21679a47c36557a865b1adbaa7148947e25715575352f8b62a5d75a7305f041b0ec2c740

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.Mirage

Filesize
4KB

MD5
b90366db937daa3792ecfa070dca6f36

SHA1
8f9b55fe372d40893a6f2d0a7885842fbb2b9192

SHA256
219b3a690bab9a540a3784417ed452b4ac2d9a20d244dba21e8f64c546cd1d61

SHA512
013e41e6ae96cc01ecf2e9c3e68bd37477eefea6ed5b448357c29cb72e0f998fef30f9ec0126e6cc2226cb152ade83fd85302baca80443e6ba9c1e8016314559

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.Mirage

Filesize
3KB

MD5
9fbf657a875fd725a0780281268b6e1e

SHA1
d586af81a93fbb5cf0a5ed2224571d21dc24f4be

SHA256
98e16bcc75bb9246a06498923d0b9bc649b47fed72264b6c20c3e400fde82ddf

SHA512
d7f4c337fc875c5715f2b26eb82186aeeb5b905017a65efde901957d530ef7fe18679a4fb1f2fd0e1558ff97d847b04735efb10491f214b22b871e93154b302d

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.Mirage

Filesize
4KB

MD5
c079578a705530957065410a13ab99f9

SHA1
ad93494e517e034f76a78a21fd6db4f5c47e9cc1

SHA256
c735ce3bf0b1df8788c93167de86df190ed2156446857eac0596435d19d461c0

SHA512
39710243aae3a160f92fd29dc83877caa79150d874008376f1457052d5341c5c3aa4897290eaac4f429c1234b1fb29c2eb209e2fc610954894a8fbb92225ff17

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.Mirage

Filesize
3KB

MD5
4398d678faa4ba9817e697f23f794533

SHA1
16d4049de4835de958ede416b06b7f0e9d7f49ed

SHA256
702bde6cb9192572b5db2f151a19e14e0069037dfdd975c7036787bce31016f5

SHA512
584ded6ee04173204f7dfcb362ec1ddbd31204bdf24a20c3648c04bc8f599b4c405b5cecc4ee3994791822841b386c906fc50a1dc8d511682c7c1282215c6b2f

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.Mirage

Filesize
4KB

MD5
a6c9236a30ff442d46bc5438d8be36b3

SHA1
ffcbf0db663d4ed2552dd9f5cb527e160444d5af

SHA256
a3d1f4c50ae21464226c3192ebea750ca106bb424791f73919c73cd0e664d6a5

SHA512
588a1eb91cd2ee4de1660f2de99129df4cc85eb66f89350c88938b41806a2a3b325789523e8588e9ecd57a1da88c4c043608302b9a6dc354d2962ec565b35443

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.Mirage

Filesize
3KB

MD5
391dfd16de323eaee2addaa1ca63e22a

SHA1
f022fab0700bbfdaf1397d60158b977d4740725d

SHA256
4e4bff5627c80ed65964f3c99ad94d128859e0132c06b08a12d3a209114542d2

SHA512
04f04f6b5358fa5088fffdb87203a665ce5d2ee6f5e95f02011076b39e0c27870b2013638ef5740a753c82a367a682c2430a7de16a4c73f6c4ec1794fd82f168

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.Mirage

Filesize
4KB

MD5
0ee9835435a9d8076d03df196a1a96ca

SHA1
5edab1ab0ccebae7e9b52df00be91ff8abf650c4

SHA256
e19987dda064a58f9117728af238ceb813ee574ca5932d14e01b162b7ede6f66

SHA512
45d8487c1667597ffc7a0345c312209d78092dd34e7293fec8646ecc8f574b47b693b8a89a80dcb7a4e9ca2f0cf771b3f200da904db0d807b6722d2fe670c3bc

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.Mirage

Filesize
2KB

MD5
6c6d21b22d8089f450773a23f13666bd

SHA1
8e4187f454d4c113f68b5308fab61ce516e3c4ce

SHA256
726e123e03822073dd807221468ed8cd392c4c181b533301903ef680d721dc3f

SHA512
08ed7c4a8fc6b2be61f8879346198a425877286f18d95d5f74752c88d824fa9a55612cb1b219eaa2590c804112e2881d7b72b72ac97a71e73e84fbeb8a17eb59

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.Mirage

Filesize
2KB

MD5
8351c00f8ce8f80505db74aadae8b719

SHA1
7abae403e6ae74ba842a772b276306e09f7ebc99

SHA256
3ed6e6623ee267cb19c537dbf130c5a80a80fa6cb2d041b737364cb24c5a2748

SHA512
09377809c8fe0afe842ff18c8779c0548cb43d6018bd1268f87b8f8f5c7650bb3862e87f5acbf1c91a5af59525e833972971278fc4dda97feec8114feced52d8

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.Mirage

Filesize
6KB

MD5
e658ffafdbe436219b741f726e7bd765

SHA1
997f11686a1047e9d103487708a06e6388d531ec

SHA256
8d8d78a53a3c6e06e42b4a05033bb69be035cb144ae736f55e2856f1b8ba4466

SHA512
346ef74c8992fdc683d9157b639136d3a86cab1185e25d25efff5d96bad4c0c28abd6ae51e2070249d0c58f14e2cf94e701b84c273a4bccb86567790aa00b1cf

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.Mirage

Filesize
5KB

MD5
f4ef7c0175be21013a757cd1ed853422

SHA1
f3ab055acb6f24276f60edc83346efef045c8cd0

SHA256
e46e3da8d5090ac28426c5ff793cb8586cd264d8fcb3cee14c52809867cf6d52

SHA512
b54f8124dc3d69c06b15306c8b8b839fe029ae317387b29c1e18e8aefa68827c54e49fe2677500f1d5892ea2c01048e33ecac9e4bc0094475fbd3d86e2506a6a

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png.Mirage

Filesize
5KB

MD5
0955da9b56e957bb69d8218e633817c4

SHA1
f7fb0c07df6e80ca3848a67419c305c89c6d59d8

SHA256
346d0a7ce5c7e6680e4cfd2364902c565eeb0c8a1999effb0808d9bcad7b4c72

SHA512
a8d98b88b24520c4750b5d8352c73bee90e532ded045ee5d658698abde73077eebab8b585d95e85e9f946ef0f404abd7d1e1860795f48cba9e64b785af98f3fa

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png.Mirage

Filesize
3KB

MD5
a396dffaeb074b502d21d38f4acf30a0

SHA1
8d978314fd845a16e1ca2f8539a05e7bb685a625

SHA256
2c3fb933756290d41459b80849955837fac7291f6e7d826720914eb93f21a8b0

SHA512
377addabce65989e71211a6f0b1fa6c755f4e1a362912e8b448ba351b0a560666dd9a80460a1614d6ff8b9a8510071c9141fe1288bc4f25faef065bf46cab238

Download Submit
C:\temp\important.txt

Filesize
2KB

MD5
0c8dcde8a2b2aac8f3bec1ba841b647c

SHA1
4e967f080f936840cd0a0e730b736b667b8effa6

SHA256
50769bf5c040a4a4c884249bf9cc8a47d19bcbaa7605869a31bb353afbf31994

SHA512
bfd743d23b17c30ca5f8b331f672604c60e0252b976a68b11ebbca685cc9bf63157bb62712ec286c2ab681c4ad276b61e6f567759f782a83103a523da2435370

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads