7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1

General

Target

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Size

146KB
MD5

23f8091893512fa2635817a2f51df391
SHA1

9f7f2ba48752e37baadd4c35febaa58d613e3194
SHA256

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1
SHA512

b4b9fc55bb944c8c657cf737ba0c8de17a09ec121591faac468b9c89182d45d910301f248d78134d78504de437a124208b6038a0047503f65e6cd1125490755c
SSDEEP

1536:wzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDY4zGqaGKGcNY3XZ2Vsz1bl8HXo:PqJogYkcSNm9V7DLzxaGb522l83qtZT

Score

10^/10

discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\mqmQaLLxg.README.txt

Ransom Note

~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: NEWWERTYFG34A48MK4D6D53 + Name.README.txt >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Emails

[email protected]

Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Signatures

Renames multiple (5363) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

Drops file in Program Files directory 64 IoCs

Processes:

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFOWC.DLL.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.XML	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AWARDHM.POC	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.XML	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityResume.Dotx	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB8.BDR.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC.mqmQaLLxg	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\mqmQaLLxg.README.txt	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\sbdrop.dll.mui	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

pid	process
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeBackupPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeDebugPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: 36	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeImpersonatePrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeIncBasePriorityPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeIncreaseQuotaPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: 33	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeManageVolumePrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeProfSingleProcessPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeRestorePrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeSecurityPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeSystemProfilePrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeTakeOwnershipPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeShutdownPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeDebugPrivilege	1980	7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
Token: SeBackupPrivilege	2972	vssvc.exe
Token: SeRestorePrivilege	2972	vssvc.exe
Token: SeAuditPrivilege	2972	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe
"C:\Users\Admin\AppData\Local\Temp\7cb6f984f08296d33a4c316cf64ff96e352f07508a364b465a1a572bf73f4ad1.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini

Filesize
129B

MD5
5bd58caaa41c0ebbb1f8ac599434e253

SHA1
73b85e03a514b6b7a0e966f871c316f1933854a0

SHA256
14283c780d034d62ae851315206db35601fd097503734b5043c977b5385455d3

SHA512
0d31ea7b689d85dae98c3e276434ee24d1c8fcc6492e8ba6786db7be48964c02290d03cdb31db14abccfaba7e183cc1cd63831dc5d7fcd21e208c146a7462a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_es-es_e73df841b378a01f.manifest.mqmQaLLxg

Filesize
2KB

MD5
8c3f57f6dab9c2ed7706b7fccabd672e

SHA1
4a58ababf974121a23c1ab854240ff200f7b37b8

SHA256
7c95038740831cf9b54c4286f7da0ed6b4df638f155f15911e8c90ecdb0c7f6b

SHA512
fd77768e3b242dcc62d58fbcad75a95c23353aeff97e9648e30abb2e64a56558da756f471aa5887d83314dac54aa8fcc0118ce67b2db045e0a09a75878ac53e5

Download Submit
C:\mqmQaLLxg.README.txt

Filesize
1KB

MD5
e660a65fcf9340820aff87745a4b9074

SHA1
161bfd683350ad551ce3a6652ba43bc4f447811b

SHA256
1a0ff740dcfbd23a131c794c9b43a8cf3578b361814e89987a8ca752c936cd93

SHA512
74f332c787ae1af6369c78c072c0dfc6b5148bd5f5b95ebb0c8d5f593925d083b0a28f2e54623d12599980473fb6d541ddd8b786d0f18fd9833ff71f2790a44e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\DDDDDDDDDDD

Filesize
129B

MD5
a516d8487f1207ef62900ccc8154d875

SHA1
274771ac04f66609a9a222437bbf144d19a6806c

SHA256
a767cee5d531eb12a9892615ea59ae5697348665b13fe17106d81ff61706d072

SHA512
9b13c02c42e6ab1f84d1880cf2259a6b1e58302a8beeecb7f6a4d2189b478e5014dcf3b9b4122949a62dd0f838eb7113562483216dd45dabae3e364410d6de13

Download Submit
memory/1980-0-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads