6c6ccbcae271b48022c12d3aa28447f420a486a1841e25b81ea9ac14ac33ef22

Analysis

max time kernel
150s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10/10/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SaMarinDa Free V1 (JulVer) (3).exe
Size

1.1MB
MD5

8cf2b5fa7470b308ba9c7f09151be875
SHA1

9761cb21cc622624b27145e52c0e2e40257eaba3
SHA256

9db3df4c8e22fb309a02992db57ad11200e1255d90f044c05e2631ad73c7c2ab
SHA512

c901386d235200b59ae7e377a2d8d4a6f6cf9c72f9c0e1a4a57a8720571fdfa88adb73a4b64f9bec52b0e82157c8409b9a717ff587ad2e27ed318543c779c88e
SSDEEP

24576:AJmbQ7Po/bg3snDXFLmNSRDpY9SQFG1BWPOfIfgRrDfBRZeRggZ7JE7F2:xb4UX4gRD29XFG1i4tDpzg3Ep

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3492	CB.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CB.exe	SaMarinDa Free V1 (JulVer) (3).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SaMarinDa Free V1 (JulVer) (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4728	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe
3492	CB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4344	1448	SaMarinDa Free V1 (JulVer) (3).exe	72
PID 1448 wrote to memory of 4344	1448	SaMarinDa Free V1 (JulVer) (3).exe	72
PID 1448 wrote to memory of 4344	1448	SaMarinDa Free V1 (JulVer) (3).exe	72
PID 4344 wrote to memory of 376	4344	cmd.exe	73
PID 4344 wrote to memory of 376	4344	cmd.exe	73
PID 4344 wrote to memory of 376	4344	cmd.exe	73
PID 1448 wrote to memory of 1604	1448	SaMarinDa Free V1 (JulVer) (3).exe	74
PID 1448 wrote to memory of 1604	1448	SaMarinDa Free V1 (JulVer) (3).exe	74
PID 1448 wrote to memory of 1604	1448	SaMarinDa Free V1 (JulVer) (3).exe	74
PID 1448 wrote to memory of 4296	1448	SaMarinDa Free V1 (JulVer) (3).exe	75
PID 1448 wrote to memory of 4296	1448	SaMarinDa Free V1 (JulVer) (3).exe	75
PID 1448 wrote to memory of 4296	1448	SaMarinDa Free V1 (JulVer) (3).exe	75
PID 1448 wrote to memory of 1968	1448	SaMarinDa Free V1 (JulVer) (3).exe	76
PID 1448 wrote to memory of 1968	1448	SaMarinDa Free V1 (JulVer) (3).exe	76
PID 1448 wrote to memory of 1968	1448	SaMarinDa Free V1 (JulVer) (3).exe	76
PID 1448 wrote to memory of 2140	1448	SaMarinDa Free V1 (JulVer) (3).exe	77
PID 1448 wrote to memory of 2140	1448	SaMarinDa Free V1 (JulVer) (3).exe	77
PID 1448 wrote to memory of 2140	1448	SaMarinDa Free V1 (JulVer) (3).exe	77
PID 1448 wrote to memory of 2504	1448	SaMarinDa Free V1 (JulVer) (3).exe	78
PID 1448 wrote to memory of 2504	1448	SaMarinDa Free V1 (JulVer) (3).exe	78
PID 1448 wrote to memory of 2504	1448	SaMarinDa Free V1 (JulVer) (3).exe	78
PID 1448 wrote to memory of 2152	1448	SaMarinDa Free V1 (JulVer) (3).exe	79
PID 1448 wrote to memory of 2152	1448	SaMarinDa Free V1 (JulVer) (3).exe	79
PID 1448 wrote to memory of 2152	1448	SaMarinDa Free V1 (JulVer) (3).exe	79
PID 1448 wrote to memory of 828	1448	SaMarinDa Free V1 (JulVer) (3).exe	80
PID 1448 wrote to memory of 828	1448	SaMarinDa Free V1 (JulVer) (3).exe	80
PID 1448 wrote to memory of 828	1448	SaMarinDa Free V1 (JulVer) (3).exe	80
PID 1448 wrote to memory of 4428	1448	SaMarinDa Free V1 (JulVer) (3).exe	81
PID 1448 wrote to memory of 4428	1448	SaMarinDa Free V1 (JulVer) (3).exe	81
PID 1448 wrote to memory of 4428	1448	SaMarinDa Free V1 (JulVer) (3).exe	81
PID 1448 wrote to memory of 5084	1448	SaMarinDa Free V1 (JulVer) (3).exe	82
PID 1448 wrote to memory of 5084	1448	SaMarinDa Free V1 (JulVer) (3).exe	82
PID 1448 wrote to memory of 5084	1448	SaMarinDa Free V1 (JulVer) (3).exe	82
PID 1448 wrote to memory of 2216	1448	SaMarinDa Free V1 (JulVer) (3).exe	83
PID 1448 wrote to memory of 2216	1448	SaMarinDa Free V1 (JulVer) (3).exe	83
PID 1448 wrote to memory of 2216	1448	SaMarinDa Free V1 (JulVer) (3).exe	83
PID 1448 wrote to memory of 4104	1448	SaMarinDa Free V1 (JulVer) (3).exe	84
PID 1448 wrote to memory of 4104	1448	SaMarinDa Free V1 (JulVer) (3).exe	84
PID 1448 wrote to memory of 4104	1448	SaMarinDa Free V1 (JulVer) (3).exe	84
PID 1448 wrote to memory of 2584	1448	SaMarinDa Free V1 (JulVer) (3).exe	85
PID 1448 wrote to memory of 2584	1448	SaMarinDa Free V1 (JulVer) (3).exe	85
PID 1448 wrote to memory of 2584	1448	SaMarinDa Free V1 (JulVer) (3).exe	85
PID 1448 wrote to memory of 4628	1448	SaMarinDa Free V1 (JulVer) (3).exe	86
PID 1448 wrote to memory of 4628	1448	SaMarinDa Free V1 (JulVer) (3).exe	86
PID 1448 wrote to memory of 4628	1448	SaMarinDa Free V1 (JulVer) (3).exe	86
PID 1448 wrote to memory of 608	1448	SaMarinDa Free V1 (JulVer) (3).exe	87
PID 1448 wrote to memory of 608	1448	SaMarinDa Free V1 (JulVer) (3).exe	87
PID 1448 wrote to memory of 608	1448	SaMarinDa Free V1 (JulVer) (3).exe	87
PID 1448 wrote to memory of 4340	1448	SaMarinDa Free V1 (JulVer) (3).exe	88
PID 1448 wrote to memory of 4340	1448	SaMarinDa Free V1 (JulVer) (3).exe	88
PID 1448 wrote to memory of 4340	1448	SaMarinDa Free V1 (JulVer) (3).exe	88
PID 1448 wrote to memory of 192	1448	SaMarinDa Free V1 (JulVer) (3).exe	89
PID 1448 wrote to memory of 192	1448	SaMarinDa Free V1 (JulVer) (3).exe	89
PID 1448 wrote to memory of 192	1448	SaMarinDa Free V1 (JulVer) (3).exe	89
PID 1448 wrote to memory of 1284	1448	SaMarinDa Free V1 (JulVer) (3).exe	90
PID 1448 wrote to memory of 1284	1448	SaMarinDa Free V1 (JulVer) (3).exe	90
PID 1448 wrote to memory of 1284	1448	SaMarinDa Free V1 (JulVer) (3).exe	90
PID 1448 wrote to memory of 2588	1448	SaMarinDa Free V1 (JulVer) (3).exe	91
PID 1448 wrote to memory of 2588	1448	SaMarinDa Free V1 (JulVer) (3).exe	91
PID 1448 wrote to memory of 2588	1448	SaMarinDa Free V1 (JulVer) (3).exe	91
PID 1448 wrote to memory of 4524	1448	SaMarinDa Free V1 (JulVer) (3).exe	92
PID 1448 wrote to memory of 4524	1448	SaMarinDa Free V1 (JulVer) (3).exe	92
PID 1448 wrote to memory of 4524	1448	SaMarinDa Free V1 (JulVer) (3).exe	92
PID 1448 wrote to memory of 316	1448	SaMarinDa Free V1 (JulVer) (3).exe	93

C:\Users\Admin\AppData\Local\Temp\SaMarinDa Free V1 (JulVer) (3).exe
"C:\Users\Admin\AppData\Local\Temp\SaMarinDa Free V1 (JulVer) (3).exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c MODE CON COLS=19 LINES=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\mode.com
    MODE CON COLS=19 LINES=2
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- C:\Windows\CB.exe
  "C:\Windows\CB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MODE CON COLS=82 LINES=10
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\mode.com
      MODE CON COLS=82 LINES=10
      4⤵
      System Location Discovery: System Language Discovery
      PID:3756
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\hwid.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CB.exe

Filesize
1.1MB

MD5
74736444cc08c8ac50a87f9dcfd0438f

SHA1
11acf6742d38bfa33785f5dfe1097956cffb4c22

SHA256
3784f86f098d8ae791d1d253557fb1f8230cd6984452268f3415a2ced95d066f

SHA512
49df42a251790282d4b6854a8d4364cb06bc204910bdce09ad4af8e3f17f6689c23c21270a2840db57f3de4d6389efbe86584ea3a44b916114bb37c490b2510a

Download Submit
C:\hwid.ini

Filesize
131B

MD5
2cea69010703339a2c06214677bc0a9d

SHA1
f5c9de8de3c27bc1380e60270b3cdff9f1bff93e

SHA256
dfc13b87b915e5dc6ba3f27bcb97b711972dadb5491ebfb8d19588f93f91b2e8

SHA512
480aa6e6e2dc6ce703e3f179acd827ba55068001ace03f7838c133faaea25c941bc7c751dd32e7dc5989b2b30ac2d160cc7c5e293777ab4d4883f3bceef864ae

Download Submit
memory/1448-0-0x0000000000A80000-0x0000000000D66000-memory.dmp

Filesize
2.9MB

Download
memory/1448-1-0x0000000000A80000-0x0000000000D66000-memory.dmp

Filesize
2.9MB

Download
memory/1448-6-0x0000000000A80000-0x0000000000D66000-memory.dmp

Filesize
2.9MB

Download
memory/3492-8-0x0000000000C30000-0x0000000000F48000-memory.dmp

Filesize
3.1MB

Download
memory/3492-12-0x0000000000C30000-0x0000000000F48000-memory.dmp

Filesize
3.1MB

Download