0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2891E1D4BAC70EBA.exe
Size

137KB
MD5

c04dadf78f2813750900fa54863fb2b7
SHA1

8575e9d6f980b53ea13c37053aa2d55691bfe3e0
SHA256

207a249e3c4359548b9ff264cac31d09c95d626d0e4835c081d8afbb732bac4f
SHA512

20baf3958a55df7fe0196d300809afd2c4d4408c4e08db21f5ed6a1b6d21fcb09eea081813cf2b5ba60d745f745db043d2d2d9132da3ea565306402247b43372
SSDEEP

3072:GLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hv2bIoKb:GstYrEMw6Bxk5zOFNtgJKCUb

Score

10^/10

defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note

kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 2891E1D4BAC70EBA

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (9123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

2891E1D4BAC70EBA.exe

description ioc process

File opened (read-only) \??\D: 2891E1D4BAC70EBA.exe
File opened (read-only) \??\F: 2891E1D4BAC70EBA.exe

description	ioc	process
File opened (read-only)	\??\D:	2891E1D4BAC70EBA.exe
File opened (read-only)	\??\F:	2891E1D4BAC70EBA.exe

Drops file in Program Files directory 64 IoCs

Processes:

2891E1D4BAC70EBA.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll	2891E1D4BAC70EBA.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\biobio ransmoware.txt	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\biobio ransmoware.txt	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF	2891E1D4BAC70EBA.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\biobio ransmoware.txt	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18213_.WMF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143746.GIF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01545_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107750.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio	2891E1D4BAC70EBA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

2891E1D4BAC70EBA.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2891E1D4BAC70EBA.exe
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2228 vssadmin.exe
2672 vssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2891E1D4BAC70EBA.exe

pid	process
2228	vssadmin.exe
2672	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2891E1D4BAC70EBA.exe

pid	process
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe
2348	2891E1D4BAC70EBA.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

2891E1D4BAC70EBA.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeRestorePrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeBackupPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeTakeOwnershipPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeAuditPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeSecurityPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeIncBasePriorityPrivilege	2348	2891E1D4BAC70EBA.exe
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2891E1D4BAC70EBA.execmd.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 2960	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2960	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2960	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2960	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2960 wrote to memory of 2228	2960	cmd.exe	vssadmin.exe
PID 2960 wrote to memory of 2228	2960	cmd.exe	vssadmin.exe
PID 2960 wrote to memory of 2228	2960	cmd.exe	vssadmin.exe
PID 2348 wrote to memory of 2504	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2504	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2504	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2348 wrote to memory of 2504	2348	2891E1D4BAC70EBA.exe	cmd.exe
PID 2504 wrote to memory of 2672	2504	cmd.exe	vssadmin.exe
PID 2504 wrote to memory of 2672	2504	cmd.exe	vssadmin.exe
PID 2504 wrote to memory of 2672	2504	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe
"C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\biobio ransmoware.txt

Filesize
402B

MD5
91fa1053207971e936e6bbad0c7e8c27

SHA1
61a6300d327ae6eb276c6143f65a58c8f269a67e

SHA256
f26d98cae64be561f1260f5cd1c2974a6dce9ffca484461b985ae1107198848d

SHA512
b2794993d695cb6950eaa65eecd44dfd4f8ee297dfbd0ef26532fa9f60639c466bacd18e557798e3e28535f4812f1e928bd4862d6bc39a3f014465836d88b832

Download Submit