1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2

General

Target

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Size

194KB
MD5

b7b4c97132d03eead1fa9a9352dee6c2
SHA1

c9eb1bdc528076fa9c91668addf0723294ac1575
SHA256

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2
SHA512

cb0023bc6783a94a27d2d4a67c214e8657fd334d1a94a7dba51277363dee2a67e7ecc5fc0788cead1c4e0e2dc7d9aa758203f89dce162184869d20a44d171903
SSDEEP

3072:v6glyuxE4GsUPnliByocWepXKD0/9Wy1Og/ZK99r:v6gDBGpvEByocWehKD0/EWfg3

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (339) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

C9D4.tmp

pid process

2116 C9D4.tmp
Executes dropped EXE 1 IoCs

Processes:

C9D4.tmp

pid process

2116 C9D4.tmp
Loads dropped DLL 1 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

pid process

2088 1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\te8ZzuVLn.bmp"	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\te8ZzuVLn.bmp"	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exeC9D4.tmp

pid	process
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2116	C9D4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exeC9D4.tmpcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C9D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "10"	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Modifies registry class 5 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon\ = "C:\\ProgramData\\te8ZzuVLn.ico"	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn\ = "te8ZzuVLn"	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

pid	process
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

C9D4.tmp

pid	process
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp
2116	C9D4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeDebugPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: 36	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeImpersonatePrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeIncBasePriorityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeIncreaseQuotaPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: 33	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeManageVolumePrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeProfSingleProcessPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeRestorePrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSystemProfilePrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeTakeOwnershipPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeShutdownPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeDebugPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeBackupPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
Token: SeSecurityPrivilege	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exeC9D4.tmp

description	pid	process	target process
PID 2088 wrote to memory of 2116	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe	C9D4.tmp
PID 2088 wrote to memory of 2116	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe	C9D4.tmp
PID 2088 wrote to memory of 2116	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe	C9D4.tmp
PID 2088 wrote to memory of 2116	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe	C9D4.tmp
PID 2088 wrote to memory of 2116	2088	1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe	C9D4.tmp
PID 2116 wrote to memory of 924	2116	C9D4.tmp	cmd.exe
PID 2116 wrote to memory of 924	2116	C9D4.tmp	cmd.exe
PID 2116 wrote to memory of 924	2116	C9D4.tmp	cmd.exe
PID 2116 wrote to memory of 924	2116	C9D4.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe
"C:\Users\Admin\AppData\Local\Temp\1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\ProgramData\C9D4.tmp
  "C:\ProgramData\C9D4.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C9D4.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\GGGGGGGGGGG

Filesize
129B

MD5
a142521bbe486027e5ee8abc5168d474

SHA1
15fe5f3851fa42af2de366c5472a363b55925223

SHA256
02f098b72bf7c066f931384e0a73a93a3758a3aad781a72cb03fd7978618a40f

SHA512
f17227ad4deb43f3f671856cc274d83a9a5ef17265c6e0d79c1ff8dcb1f738fa9c3fc54c751defe9f606d641c77d05ab6ef495be6f8e84c52742e6e3ed32a9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
194KB

MD5
1cf69f86654640d37fbef98305c4687d

SHA1
5f1e83970a61319f803030719baee750cfd875a8

SHA256
cb5681465fe898a2fd3225c04d24b49a99296815a0734539707d8b8f8f0de4db

SHA512
ec919dcf95d37dc4a42ce60b5cfbf61ceb601ff1eac8c307bcdd1e3cdbc49e6be73f32ab00e5fbfbb6abaa85f68c25b71fec8da7f28e5142bcdbe3d59a4ec981

Download Submit
C:\te8ZzuVLn.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\DDDDDDDDDDD

Filesize
129B

MD5
2cb7a51587fe2c95fd7dda5ac0ec3f69

SHA1
a981a95b0be54bd1b6dba08efef8221df643a9c4

SHA256
2d5026cc9ff564c70b22a21b772f875c04070ab112c7d6f42ed730312bea3373

SHA512
1a58b49f352d2c12161d5461d814355313ddf57a87f940cb82640ac645814e9a3a274d1b294db32ef0df5d18c07dcdb9472b580c19fdf5119ef3c40038725d7d

Download Submit
\ProgramData\C9D4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2088-0-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2116-874-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2116-876-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2116-875-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2116-873-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2116-906-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2116-905-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads