Overview

overview

10

Static

static

3

2423f6e4b6...68.exe

windows7-x64

10

2423f6e4b6...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68.exe

  • Size

    2.2MB

  • MD5

    801c430414f434df6fc24a9891b3b118

  • SHA1

    27301b1a6c2078f4eec06ec6f1f947f22a1598fc

  • SHA256

    2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68

  • SHA512

    e2c5e42a09c235d89ceb298ed27815c5b922e547568111ae916032f5cb85d89b197080d6641cf697f2fa18e11aebe66bef1669dc2155e9a89bfeb5e05eff1c29

  • SSDEEP

    49152:wgwRwifu1DBgutBPNcpwcjVpNMkCZZpsYpmwZ3hQ8cTEo8:wgwRwvguPP4wc3NMkCGGmugTEt

Score
10/10
mimicdiscoveryevasionexecutionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\README.txt

Ransom Note
Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours) Your data is encrypted Your personal ID: 7Z-tqjqXXQrFdts9ktmGZ5kdMqlPIpWgEte4gu8wCgE*[email protected] Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted The only method of recovering files is to purchase decrypt tool and unique key for you. Write to our mail - [email protected] In case of no answer in 24 hours write us to this backup e-mail: [email protected] Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software - it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption. What are your recommendations? - Never change the name of the files, if you want to manipulate the files, be sure to back them up. If there are any problems with the files, we are not responsible for them. - Never work with intermediary companies because they charge you more money.Don't be afraid of us, just email us. Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... What are the dangers of leaking your company's data. First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. Do not go to the police or FBI for help and do not tell anyone that we attacked you. They won't help and will only make your situation worse. In 7 years not a single member of our group has been caught by the police, we are top-notch hackers and never leave a trace of crime. The police will try to stop you from paying the ransom in any way they can. The first thing they will tell you is that there is no guarantee to decrypt your files and delete the stolen files, this is not true, we can do a test decryption before payment and your data will be guaranteed to be deleted because it is a matter of our reputation, we make hundreds of millions of dollars and we are not going to lose income because of your files. It is very beneficial for the police and the FBI to let everyone on the planet know about the leak of your data, because then your state will receive fines under GDPR and other similar laws. The fines will go to fund the police and FBI. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeat attacks. Paying us a ransom is much cheaper and more profitable than paying fines and legal fees. If you do not pay the ransom, we will attack your company again in the future.
Emails

7Z-tqjqXXQrFdts9ktmGZ5kdMqlPIpWgEte4gu8wCgE*[email protected]

[email protected]

[email protected]

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family was first exploited in the wild in 2022.

    ransomwaremimic
  • Mimic family
    mimic
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (5868) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68.exe
    "C:\Users\Admin\AppData\Local\Temp\2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p89905472210203597 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe
        "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3444
        • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe
          "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe" -e watch -pid 3444 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:856
        • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe
          "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3600
        • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe
          "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\PIDAR.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3260
        • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.exe
          "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2424
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:3300
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:380
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1532
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:4928
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:852
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3304
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1732
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2952
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1224
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3280
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:4296
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:4888
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3144
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:2284
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4540
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:324
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3416
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:4668
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3252
        • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.exe
          "C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4460
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:2844
    • C:\Windows\System32\Systray.exe
      C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:1100
      • C:\Windows\System32\Systray.exe
        C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:4068
        • C:\Windows\System32\Systray.exe
          C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3512
          • C:\Windows\System32\Systray.exe
            C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:2584
            • C:\Windows\System32\Systray.exe
              C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:2016
              • C:\Windows\System32\Systray.exe
                C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:3220
                • C:\Windows\System32\Systray.exe
                  C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:688
                  • C:\Windows\System32\Systray.exe
                    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:2524
                    • C:\Windows\System32\Systray.exe
                      C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:2276
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                          PID:1120
                        • C:\Windows\system32\wbengine.exe
                          "C:\Windows\system32\wbengine.exe"
                          1⤵
                            PID:2524
                          • C:\Windows\System32\vdsldr.exe
                            C:\Windows\System32\vdsldr.exe -Embedding
                            1⤵
                              PID:1176
                            • C:\Windows\System32\vds.exe
                              C:\Windows\System32\vds.exe
                              1⤵
                              • Checks SCSI registry key(s)
                              PID:3064
                            • C:\Windows\System32\Systray.exe
                              C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                              1⤵
                                PID:3916

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Execution

                              Command and Scripting Interpreter

                              3
                              T1059

                              PowerShell

                              1
                              T1059.001

                              Persistence

                              Boot or Logon Autostart Execution

                              1
                              T1547

                              Registry Run Keys / Startup Folder

                              1
                              T1547.001

                              Event Triggered Execution

                              2
                              T1546

                              Change Default File Association

                              1
                              T1546.001

                              Image File Execution Options Injection

                              1
                              T1546.012

                              Power Settings

                              1
                              T1653

                              Privilege Escalation

                              Boot or Logon Autostart Execution

                              1
                              T1547

                              Registry Run Keys / Startup Folder

                              1
                              T1547.001

                              Event Triggered Execution

                              2
                              T1546

                              Change Default File Association

                              1
                              T1546.001

                              Image File Execution Options Injection

                              1
                              T1546.012

                              Defense Evasion

                              Indicator Removal

                              2
                              T1070

                              File Deletion

                              2
                              T1070.004

                              Modify Registry

                              3
                              T1112

                              Credential Access

                              Discovery

                              Peripheral Device Discovery

                              2
                              T1120

                              Query Registry

                              4
                              T1012

                              System Information Discovery

                              4
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              Lateral Movement

                              Collection

                              Command and Control

                              Exfiltration

                              Impact

                              Inhibit System Recovery

                              3
                              T1490

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.db
                                Filesize

                                13.2MB

                                MD5

                                d15c9bb5964f413edfad814823832aae

                                SHA1

                                166919f0bcf7ed56a36fd61df66f8ef514f04c5e

                                SHA256

                                0f292c53dfc11ab5ba310095b21aaf48204c5043be885f47dd8e999c073cc539

                                SHA512

                                2aa4dda6ae67c494a7706c83b8dbff2273de64b2ce019a63b3c4da6a64530791ac98d7aa3119c73d69a8b7289cf6db9d72ee5b98c3d86b28dbe573220afedf2c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\Everything.ini
                                Filesize

                                20KB

                                MD5

                                e031c0543912a4d4a983ebf9cb6c3e94

                                SHA1

                                19a504ee176297c03d38abe704d07fcbe8a862b0

                                SHA256

                                f3b34b7d89734aaacb05789a2833ff68990ea0f375ce669f57f94dded9703872

                                SHA512

                                5ae3776ccb0f59138874e635b68a32d51e98b459742775b2fb097e99a7c427c287e640c88ebbd70527af20d0ccdd0ca9991d58cfd569edc59c6f56c84bfcce6f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\3F4FFA8F-24F8-6F78-A0DA-370314484853\session.tmp
                                Filesize

                                32B

                                MD5

                                2cd031fe63f41888c7daf152bc0cb919

                                SHA1

                                621a2a56c7513b6c12fc1f5eb80d09b0ca1bb542

                                SHA256

                                42faa83c2038b14d8cdd0c6330a0f17fb5865f1b8b6214b377fa1fa092672e0e

                                SHA512

                                0614ebbb131c78beb9eddacb13a7503ec8b22115adac37011d3d30b7cfdcf92a0fa22e09ed2dcdec0616a812b37e8e8b8986cd5970c64ce61bb1180488591cb3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                d85ba6ff808d9e5444a4b369f5bc2730

                                SHA1

                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                SHA256

                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                SHA512

                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                59d97011e091004eaffb9816aa0b9abd

                                SHA1

                                1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                SHA256

                                18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                SHA512

                                d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                1KB

                                MD5

                                925acffe86071a2de4f77f059596a4d3

                                SHA1

                                0890e8b055f6bff77ee247625f0fc5399670f94c

                                SHA256

                                5e9055bb1c76fcdd057a21e12ae737100ee272872f190a2de310ef14703ac76a

                                SHA512

                                20e4912800b9fd9ed93f426fd6835232f7d34680d0007728ae9cc55e8bbae6acd0303e5fcf6d38261c8a4bbe61c50a958ecc82c9e09a80d20d2c7e12334d3790

                                Download Submit

                              • C:\Users\Admin\AppData\Local\README.txt
                                Filesize

                                5KB

                                MD5

                                5cf0e7ed3f8463b92325619d1cfa2f25

                                SHA1

                                f4819994f8eaa14d3592107825df01f2a8ded058

                                SHA256

                                e447b78a3b363c1a348dc017c1e62ccb4c2c07ab325ab0190993d38cae0d962e

                                SHA512

                                d79edef66678e9f6ecf9502c02b98e81c7d67228d05001dfb8906f4987b9c56486cbe4bedacfecab18c9a29dd408a6278cb5363686971e0d662c2e9e28154aaf

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
                                Filesize

                                772KB

                                MD5

                                b93eb0a48c91a53bda6a1a074a4b431e

                                SHA1

                                ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                SHA256

                                ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                SHA512

                                732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]
                                Filesize

                                2.3MB

                                MD5

                                6775b0b2cdd7cd537f132f77b73144b0

                                SHA1

                                a1bfc2ea21424a20431d0ac527916c7463eabb65

                                SHA256

                                4d5a5a19280efcff80150219ab749ca08c692e876b3a9f6a71c1af63b971f47f

                                SHA512

                                b1bea613fdb9c3d049243f82cb7370ac0c62eed38e6eec3d3312ca3f7e4cfc12283f244ea1eafafa123927b41cc9667603a55058991e8a23e8a4df151de65749

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
                                Filesize

                                1.7MB

                                MD5

                                c44487ce1827ce26ac4699432d15b42a

                                SHA1

                                8434080fad778057a50607364fee8b481f0feef8

                                SHA256

                                4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                SHA512

                                a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
                                Filesize

                                548B

                                MD5

                                742c2400f2de964d0cce4a8dabadd708

                                SHA1

                                c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                SHA256

                                2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                SHA512

                                63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
                                Filesize

                                550B

                                MD5

                                51014c0c06acdd80f9ae4469e7d30a9e

                                SHA1

                                204e6a57c44242fad874377851b13099dfe60176

                                SHA256

                                89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                SHA512

                                79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
                                Filesize

                                84KB

                                MD5

                                3b03324537327811bbbaff4aafa4d75b

                                SHA1

                                1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                SHA256

                                8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                SHA512

                                ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
                                Filesize

                                1.2MB

                                MD5

                                3983d31b7a906d3351ef223ab4ffaa0a

                                SHA1

                                65b317231fbe779516558261b4b0f3e839e7e946

                                SHA256

                                db3ba29eb00805d400c41be842b176a24c2a14efffb9a78ed34e630749bf31c1

                                SHA512

                                5231b5b31aa9702aef52fcde8ce384477ff4ff1a7cc9f9a634035aaa2d328e0eaf991228b71b5e0c51ecf737b95c6a6a937808d22a4ca64432a2c74fbd9f4595

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
                                Filesize

                                350KB

                                MD5

                                803df907d936e08fbbd06020c411be93

                                SHA1

                                4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                SHA256

                                e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                SHA512

                                5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sn2mvse4.w5n.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • memory/400-93-0x0000022540BE0000-0x0000022540C02000-memory.dmp

                                Filesize

                                136KB

                                Download