crypvault | 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Size

182KB
MD5

1105f1e5cd13fc30fde877432e27457d
SHA1

108f03f9c98c63506dd8b9f6581f37ae5c18de23
SHA256

dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
SHA512

49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373
SSDEEP

3072:nO2W3zwMGWxLNjglP4cdkYsxSehTr76bJnhL:O2izwWlFuPP2xSehX6Fx

Score

10^/10

crypvault pony collection credential_access defense_evasion discovery execution impact persistence ransomware rat spyware stealer

Malware Config

Signatures

CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
ransomware crypvault
Crypvault family
crypvault
Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1828	vssadmin.exe	94

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tasklist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk"	tasklist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe

Deletes itself 1 IoCs

pid	Process
2212	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	svchost.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft Edge\AudioSes.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AccountsRt.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\ActiveSyncProvider.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppVClientPS.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppXDeploymentClient.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\asferror.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AcSpecfc.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AdaptiveCards.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AdmTmpl.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\adprovider.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\adrclient.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppxSip.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AuthFWSnapin.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\acledit.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\ApiSetHost.AppExecutionAlias.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\authfwcfg.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\bcryptprimitives.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Edge	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppIdPolicyEngineApi.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppointmentActivation.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppointmentApis.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\aspnet_counters.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AudioEng.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\altspace.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AuditPolicyGPInterop.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AuthBrokerUI.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AuthExt.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AzSqlExt.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\BcastDVRBroker.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\ActivationClient.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AcXtrnal.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\advapi32.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\atlthunk.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\bcd.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\avrt.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\BackgroundMediaPolicy.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AcGenral.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\acwow64.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\appmgr.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\AppVTerminator.dll	explorer.exe
File created	C:\Windows\SysWOW64\Microsoft Edge\audiodev.dll	explorer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4272	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2424	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
2212	explorer.exe
4272	tasklist.exe
1180	explorer.exe
4272	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	468	wmic.exe
Token: SeSecurityPrivilege	468	wmic.exe
Token: SeTakeOwnershipPrivilege	468	wmic.exe
Token: SeLoadDriverPrivilege	468	wmic.exe
Token: SeSystemProfilePrivilege	468	wmic.exe
Token: SeSystemtimePrivilege	468	wmic.exe
Token: SeProfSingleProcessPrivilege	468	wmic.exe
Token: SeIncBasePriorityPrivilege	468	wmic.exe
Token: SeCreatePagefilePrivilege	468	wmic.exe
Token: SeBackupPrivilege	468	wmic.exe
Token: SeRestorePrivilege	468	wmic.exe
Token: SeShutdownPrivilege	468	wmic.exe
Token: SeDebugPrivilege	468	wmic.exe
Token: SeSystemEnvironmentPrivilege	468	wmic.exe
Token: SeRemoteShutdownPrivilege	468	wmic.exe
Token: SeUndockPrivilege	468	wmic.exe
Token: SeManageVolumePrivilege	468	wmic.exe
Token: 33	468	wmic.exe
Token: 34	468	wmic.exe
Token: 35	468	wmic.exe
Token: 36	468	wmic.exe
Token: SeIncreaseQuotaPrivilege	468	wmic.exe
Token: SeSecurityPrivilege	468	wmic.exe
Token: SeTakeOwnershipPrivilege	468	wmic.exe
Token: SeLoadDriverPrivilege	468	wmic.exe
Token: SeSystemProfilePrivilege	468	wmic.exe
Token: SeSystemtimePrivilege	468	wmic.exe
Token: SeProfSingleProcessPrivilege	468	wmic.exe
Token: SeIncBasePriorityPrivilege	468	wmic.exe
Token: SeCreatePagefilePrivilege	468	wmic.exe
Token: SeBackupPrivilege	468	wmic.exe
Token: SeRestorePrivilege	468	wmic.exe
Token: SeShutdownPrivilege	468	wmic.exe
Token: SeDebugPrivilege	468	wmic.exe
Token: SeSystemEnvironmentPrivilege	468	wmic.exe
Token: SeRemoteShutdownPrivilege	468	wmic.exe
Token: SeUndockPrivilege	468	wmic.exe
Token: SeManageVolumePrivilege	468	wmic.exe
Token: 33	468	wmic.exe
Token: 34	468	wmic.exe
Token: 35	468	wmic.exe
Token: 36	468	wmic.exe
Token: SeBackupPrivilege	1824	vssvc.exe
Token: SeRestorePrivilege	1824	vssvc.exe
Token: SeAuditPrivilege	1824	vssvc.exe
Token: SeImpersonatePrivilege	3768	svchost.exe
Token: SeTcbPrivilege	3768	svchost.exe
Token: SeChangeNotifyPrivilege	3768	svchost.exe
Token: SeCreateTokenPrivilege	3768	svchost.exe
Token: SeBackupPrivilege	3768	svchost.exe
Token: SeRestorePrivilege	3768	svchost.exe
Token: SeIncreaseQuotaPrivilege	3768	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3768	svchost.exe
Token: SeImpersonatePrivilege	3768	svchost.exe
Token: SeTcbPrivilege	3768	svchost.exe
Token: SeChangeNotifyPrivilege	3768	svchost.exe
Token: SeCreateTokenPrivilege	3768	svchost.exe
Token: SeBackupPrivilege	3768	svchost.exe
Token: SeRestorePrivilege	3768	svchost.exe
Token: SeIncreaseQuotaPrivilege	3768	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3768	svchost.exe
Token: SeImpersonatePrivilege	3768	svchost.exe
Token: SeTcbPrivilege	3768	svchost.exe
Token: SeChangeNotifyPrivilege	3768	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4868 wrote to memory of 4872	4868	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	83
PID 4872 wrote to memory of 2212	4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	84
PID 4872 wrote to memory of 2212	4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	84
PID 4872 wrote to memory of 2212	4872	dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe	84
PID 2212 wrote to memory of 4272	2212	explorer.exe	85
PID 2212 wrote to memory of 4272	2212	explorer.exe	85
PID 2212 wrote to memory of 4272	2212	explorer.exe	85
PID 4272 wrote to memory of 1180	4272	tasklist.exe	87
PID 4272 wrote to memory of 1180	4272	tasklist.exe	87
PID 4272 wrote to memory of 1180	4272	tasklist.exe	87
PID 1180 wrote to memory of 3768	1180	explorer.exe	88
PID 1180 wrote to memory of 3768	1180	explorer.exe	88
PID 1180 wrote to memory of 3768	1180	explorer.exe	88
PID 4272 wrote to memory of 5068	4272	tasklist.exe	89
PID 4272 wrote to memory of 5068	4272	tasklist.exe	89
PID 4272 wrote to memory of 5068	4272	tasklist.exe	89
PID 3768 wrote to memory of 468	3768	svchost.exe	90
PID 3768 wrote to memory of 468	3768	svchost.exe	90
PID 3768 wrote to memory of 468	3768	svchost.exe	90
PID 3768 wrote to memory of 3328	3768	svchost.exe	109
PID 3768 wrote to memory of 3328	3768	svchost.exe	109
PID 3768 wrote to memory of 3328	3768	svchost.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
  C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SYSTEM32\explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Deletes itself
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\tasklist.exe
      C:\Windows\SYSTEM32\tasklist.exe
      4⤵
      Adds policy Run key to start application
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SYSTEM32\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SYSTEM32\svchost.exe
        6⤵
        Drops startup file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        outlook_win_path
        
        PID:3768
        
        C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process call create "vssadmin.exe delete shadows /all /quiet"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe C:\Users\Admin\Desktop\VAULT.hta
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SYSTEM32\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5068

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CONFIRMATION.KEY

Filesize
3KB

MD5
1ef8b68ffe960997d4509f24b11fb022

SHA1
6d25c6ec8f63f9811420eaa3555159bdd40a2502

SHA256
7f4813e5f1b84200cb3df1d26779f43ff73d64b4e6a3c70a0f6db9111b4c13d0

SHA512
5c14137a63abfeaba978bb274a79878057f2263a1729d3922a8eff8cf1d70392a35d49ca0ec6e66627afc4fe9842d94cfed9e74cb8cf08a4361560b85d8d64c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

Filesize
4KB

MD5
ca834cc56015bce8e010e356c69dc9f5

SHA1
b55ea373d3f5d583c33803d80059db5ddccf7038

SHA256
1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd

SHA512
66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
02e8ec67bb9adec4d96f65024e61d3f4

SHA1
841b6c629abd1f755214467d6a0f24ff0a8565fd

SHA256
a026f2ae89be80d92621dbbe73d89f4ed5ce05c4a2f324a2a4ee26ccc31e3846

SHA512
a0f62cb227e572cc8ca8e195fdeacf4f1d552349aeb90f374ae5701d3bf43ecb845ddd9718cfcab20ddca6bf9f7baa3d7c46b1264b5fd4e406123e2e95a7a7ac

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
988f9920a47a009a5c3b4c8c304381fd

SHA1
81217bd02906dcdc0d941fd4ab7ac4af02d79a27

SHA256
214f912401ac13bad81c4dde7114e1ebf942c04c8d09ca4e3a492c2cd5c1d3d9

SHA512
5cb0a85241f09dbccd8ca0d33a4cd5dbc3e35816795e9d91b40da97a857a3b74c07ed030a8e2faf320a220d8342a57cfc036a9b15af058a0fa2590635d556097

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
3022b371d3588070cc7dc63c9c86c407

SHA1
0005037fcdac3401100a963442896ccba2872e36

SHA256
83ac01d1bace84bd1bba0c3e2a4343958a56747be17a46c29dd18b5d91aaf51b

SHA512
03a22cccddf68e60434e6766d486ff958e94d53ec832ab11155ae9723ba255e702c3ccd5a14793279898daf9f904814841ca7296fb9e2ef585d2943f122d0dcf

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
da773f4a2943260a70dbb698c5cbbc77

SHA1
2f8a2d0c96a5240d8a7dc53f91e6f62753c4724d

SHA256
2ec2b34a6b5175c58d1faae6f70bafb8875bc11471da72ebd7673960c13cc3af

SHA512
eeb3999cbdde8be08713df55e40cf199022d46d53330be3cf98a4bf2ad8d392274973abbfa6a6ff7946a894f725cd9f891dd72b8d7c15a7e6b3ce91d29dbff11

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
cb8dd6d4719072c2157510329a016436

SHA1
48d4b373b868b0a8aa44fa8aeea78d8a78369cb0

SHA256
b5cc58a3b66e3a800cd3c69cb5e8899d733f41cbac06d43c40affbe2ee3ea1cf

SHA512
5c2458b625aed1d12e9f5aad8cf082f9e94be4f4912f26b8b5e7f18cce6562c9f7b6989969c715ae825b0e9dd09fcd3002af6de50af4a01eaee8d4522c8ff090

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
f9bee0e2dfdc5e1ce9db7f225359cc8b

SHA1
406c3e316ae41811956c9e33598b75df077783c9

SHA256
5d3bdead8922de41c9fd7d054b0c071964ff247e076100d3261120c21adc38e6

SHA512
56b96ae0b6811bfda79e699381305c142f53d70612af0333af0ec5c5e90dd2b8139205362560e297bed251e20ea3e54719e2c46a5946fa8a37fca6d7f1e448e1

Download Submit
C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk

Filesize
1KB

MD5
49694f63bb47cf24a0112f79e0e11685

SHA1
fe8b7c02aae6d4918ce2674b384bbab905cf3585

SHA256
2ba990cfed349932ab2a722feb2dd2043dd40415ace1d1aadd70a91f9b3f955d

SHA512
fcb8fd017a873d94efd95afb1cc86172a60b7dcb431167a6f8ea03d32b8ddefdb19f86bb8f369876fbebd687c151dd43da3b9b3021084d43f84b6ecd9bfe30bd

Download Submit
C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr

Filesize
182KB

MD5
1105f1e5cd13fc30fde877432e27457d

SHA1
108f03f9c98c63506dd8b9f6581f37ae5c18de23

SHA256
dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d

SHA512
49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373

Download Submit
memory/1180-64-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/1180-65-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/1180-66-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/2212-36-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/2212-9-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/2212-4-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/3768-69-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/3768-70-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/3768-202-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Filesize
184KB

Download
memory/3768-191-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/3768-71-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Filesize
184KB

Download
memory/3768-187-0x0000000002A30000-0x0000000002A42000-memory.dmp

Filesize
72KB

Download
memory/4272-190-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/4272-61-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/4272-59-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/4272-60-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/4868-0-0x0000000002380000-0x0000000002385000-memory.dmp

Filesize
20KB

Download
memory/4872-8-0x0000000000400000-0x000000000040F1F7-memory.dmp

Filesize
60KB

Download
memory/4872-3-0x0000000000400000-0x00000000009E9000-memory.dmp

Filesize
5.9MB

Download
memory/4872-2-0x0000000000400000-0x000000000040F1F7-memory.dmp

Filesize
60KB

Download
memory/4872-1-0x0000000000400000-0x00000000009E9000-memory.dmp

Filesize
5.9MB

Download
memory/5068-78-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/5068-77-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/5068-79-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download