gandcrab | 2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13/02/2025, 01:26

250213-btppra1pcz 10

17/01/2025, 20:14

17/01/2025, 20:12

17/01/2025, 17:25

17/01/2025, 17:21

17/01/2025, 14:16

17/01/2025, 14:12

16/01/2025, 12:52

Analysis

max time kernel
149s
max time network
156s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/crb.exe
Size

139KB
MD5

24275604649ac0abafe99b981b914fbc
SHA1

818b0e3018ad27be9887e9e5f4ef1971f422652c
SHA256

4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
SHA512

008ef045724963d6ae3b845a6c3de8ebb6682b0f4b8ea77c2d35e2193596b78f0092183de0a88a34f7dde4e71abbc129b2f0f00fd8469801fff66f1b8390b6c8
SSDEEP

1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpKCaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZ8CaIxWec

Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2826969134-2088669430-2680400721-1000\MHMCM-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .MHMCM The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b96b8df5c38240ca | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAP9KPgl4uUxflf48DG2Rppx9oWeXuKWaU8slPAOQEiRc/rPUGRzQjEftICY3PSj4F060/ORkrnX9XF0g2++u+KUJO+1G4+dmEGsIbSr0N5bk5C/NisIwTXVfYu7x/SWQuVCyjTyWLHPV41Dmo1aMurRI0yqcfp6Io9ayeMcbT9ox1pRt5KTfVJn0al29MLMCwkeOxLAunv6RWgw65n3EpHyCzyZGR6Fw7rS5FHbnQWXx8wY8jO3xZc+kDJJgyBJQL/iDJEXJNCmXsFDVnIj40ECIVm6AztMORjHTtld7gfOvV0GXIule8wLXOsOT4hhrtD8tFcT4qCRD3X4+pnmiBw5q+r4eg1J/yKlaZRWc0dqZXEwn/nxHCyGFWf039MeBUIsUKmIt9/tXY7ytLqdMDty1hL86ctrIdKGE/32J+79syNUWmyYvjR2C+ewK15Yo4ZCQ1scLnr6xdlNX5QNfykn3L/P6QS3X+d1PQVrZJbnDL4vojkTJnJfzC/UXM2vWvVZBuD+9IjKYgv3L3IMzFQ0q68PBsuFYQowRY4IniHId79eh99d5a5twq/8aPkRHORLu+9VOCfhP66fkq1N4MrNzTwWNBnxAt1pS5MMbAc5xz6ZYL9Nx+gtu+Otlk3eyf91GGj3f5s6np5aRbskUSpXIz+qRU5w2IAFh6ZglsqtJztsga1NzX4kSDC6OQIcH8IHqR5oJjoapLFhvt1MhcIh/dcnqEh2+DHwGSanbqpmc8rTt8K3erqt/PLNyruqYJSMHG4o1FalLbk7dTmeVRX+fxDI+s417bGnsIQo1TOLk4Rl5AJV6kqHsyahdyTHFDDkmG3Xhb3U26HSJzFHf/mWbvEdAeI+QMeb0MRUi284eoRNb3KR+iBWBdy16mhiXJeeSUJ30J0UBbnHQkz6LS+SOeaCw2APa8oU65ANKyqoIph2eRgCfe9QvwH0WGF0cQN0sU2PATi8es1dewbevHx2LT6yMvoNCqIWMNt7UoDtb+O5RhFEyMLxMdGj9eivVTB+7My+mewdpwx/EwWXeLocx9+2DR+0Zl3zGA9ccTnp9GTla5Dw/OXSmAKSbqVWUPztifj/u6gg2AWs4EYXFm0D4n7bziQjdqMDNTJQMKSsoQdNXUycDlm/ym2mWszJmTZ5CyNLsbPph68dE8/FD7HJMiU3KtfJTLjS8ENdgAWp4f8HtwhQ9eR+oA/SBcx3pxpAMetHbeXn+tvXK0upYcXuBfQCyuLwlNxqbWWR1AozVGLYxbHPS7vTxHkIg4f19z5bewhbVqcz5mRE6NMfd/PU/rC3/5U2nTXd+dzk5Do4bVg7HsBLDmu1/gxYBZ+50CtH1R2IIAdjq9fQxaR/zsEoLBWJJmDVuQYMnunMIDAWA/3KtOODT1CTpRysVGDXltXkmwm0SU0brYbx/jWSHVpqfiIZoWH/3uY723euNWhnwVz0iNsyZeV3+CxtbX8UuFd3eMx9mCuNLzrUiKuB6jyF1IfVIQYUNM8rRO7F7Z/jM8iS7CU3nAoVQ6c7BiqEmVepc5+ZCrWyju5g3pB2qjBZcj9pJ1dpPXP8f1MQjVsAT4KasS1DSB78yiA25ljYXc2vTbJ9czddNxh/I4b8rnpjlM2zC/4k8e8d0OTloMyAcjbpZ/gzmdWLJdI25Z3gj6CJz9E0fRm02Bu0Pe+PfsBIjl8VdpbVf3VyG+7KSCIxVjNibavX0tZ7vgKYXmam1HvGfhxnwHxnQ6n5Z0N8TujxRVO3F15CvhsMOWr4rvoUfaLIyzWW+UDRcbZRgFpUJ7HXu1VPSqosz4RUSb14wbh5fhGmzF1pGDIttmCmOCDoMt3pnBcBxgXFLKvqhkzrptPLvpAuEo3KskWSgFBibFzbn0+PMdghitznTfQSrR/+8A7gYDf43AyLKdI5fYteE5jqirVFFEaD98dBPa82PgRBnSYCHMkXyQU9XlMn0l3UBOH6hB7gXyUJJ9mtBIHXnCFZnSgY8g9KaVD4YO1zmqVzCfa+eyHJU+cnIt8YAd743JRbMzvj6GZqCf3fkeAhEE2dOF4hJSwe9zhH6KASg4sJ8/klhXSrLI/Bggwi0d8mfpzdEmA0XnDjh2dZatMipTg7FS1BtIVfRVKCe6p8EJPIdfYvq5PXO6L/A+LhteKSNu/BM8l8IkxfErq1HG8U3rOu0uYR54tF76IM3lK/sfxtg0CGVB/BSTtJjVdhwNlzFtO7Xq1dvR61JL771z0VHafLvnZs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZSTo5RpHYM7m9Wt7fXTGuHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9Fne90CCDIxVw6SDJIrsX07SirFGQ/zkfgtFNi/qcantLql56Vi5bF2kV7BouL1/zg2Uut5GoZYA1raBnPtoBGEEdAbpydA4tG4b6a3Y85yOoyg2XOiw5QfTW8qPVPuJJQJ+5E8wIYoCRO7nKU+fO4mANef+GFCg8NrKg3sxA1KwA7/ZinpChFE3vPLNeao1wAZLnQURlaKfTnX1lDgdX8ImU7fnCzyQUpnn7Iylrmw4XJ4VffpFDeBfGAcE8BhP3dNhn9RQ3XC06ZBEuHtL0igBY1McpHzHpsOfb/PRdsPp4l8V6Pu8LORzJL9NXYMh8cz/ewLRbhtDP+1bmbW6uIcXpdeNtQu9FRhfFKI2vxg0WmDLQgzxwsJfmL5AGFeiSEEyrIVT+HbRwE2KYD/kjM1dHg34W5UffeUvXI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/b96b8df5c38240ca

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	crb.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\MHMCM-DECRYPT.txt	crb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c3824726c38240cd219.lock	crb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	crb.exe
File opened (read-only)	\??\R:	crb.exe
File opened (read-only)	\??\J:	crb.exe
File opened (read-only)	\??\H:	crb.exe
File opened (read-only)	\??\N:	crb.exe
File opened (read-only)	\??\Z:	crb.exe
File opened (read-only)	\??\G:	crb.exe
File opened (read-only)	\??\E:	crb.exe
File opened (read-only)	\??\M:	crb.exe
File opened (read-only)	\??\O:	crb.exe
File opened (read-only)	\??\Q:	crb.exe
File opened (read-only)	\??\S:	crb.exe
File opened (read-only)	\??\U:	crb.exe
File opened (read-only)	\??\W:	crb.exe
File opened (read-only)	\??\A:	crb.exe
File opened (read-only)	\??\X:	crb.exe
File opened (read-only)	\??\I:	crb.exe
File opened (read-only)	\??\K:	crb.exe
File opened (read-only)	\??\L:	crb.exe
File opened (read-only)	\??\T:	crb.exe
File opened (read-only)	\??\V:	crb.exe
File opened (read-only)	\??\Y:	crb.exe
File opened (read-only)	\??\B:	crb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	crb.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\InitializeGroup.dotm	crb.exe
File opened for modification	C:\Program Files\AssertSuspend.dotx	crb.exe
File opened for modification	C:\Program Files\FormatCompress.dotm	crb.exe
File opened for modification	C:\Program Files\FormatAdd.png	crb.exe
File opened for modification	C:\Program Files\UninstallApprove.AAC	crb.exe
File opened for modification	C:\Program Files\BlockResume.tif	crb.exe
File opened for modification	C:\Program Files\ConvertFromWrite.snd	crb.exe
File opened for modification	C:\Program Files\UnblockStop.emz	crb.exe
File created	C:\Program Files\MHMCM-DECRYPT.txt	crb.exe
File created	C:\Program Files\c3824726c38240cd219.lock	crb.exe
File opened for modification	C:\Program Files\ConnectLimit.vsd	crb.exe
File opened for modification	C:\Program Files\ImportEnable.pot	crb.exe
File created	C:\Program Files (x86)\MHMCM-DECRYPT.txt	crb.exe
File created	C:\Program Files (x86)\c3824726c38240cd219.lock	crb.exe
File opened for modification	C:\Program Files\ApproveSuspend.potm	crb.exe
File opened for modification	C:\Program Files\ConfirmUnlock.tif	crb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	crb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	crb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	crb.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	crb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	crb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4156	crb.exe
4156	crb.exe
4156	crb.exe
4156	crb.exe
3708	wmic.exe
3708	wmic.exe
3708	wmic.exe
3708	wmic.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3708	wmic.exe
Token: SeSecurityPrivilege	3708	wmic.exe
Token: SeTakeOwnershipPrivilege	3708	wmic.exe
Token: SeLoadDriverPrivilege	3708	wmic.exe
Token: SeSystemProfilePrivilege	3708	wmic.exe
Token: SeSystemtimePrivilege	3708	wmic.exe
Token: SeProfSingleProcessPrivilege	3708	wmic.exe
Token: SeIncBasePriorityPrivilege	3708	wmic.exe
Token: SeCreatePagefilePrivilege	3708	wmic.exe
Token: SeBackupPrivilege	3708	wmic.exe
Token: SeRestorePrivilege	3708	wmic.exe
Token: SeShutdownPrivilege	3708	wmic.exe
Token: SeDebugPrivilege	3708	wmic.exe
Token: SeSystemEnvironmentPrivilege	3708	wmic.exe
Token: SeRemoteShutdownPrivilege	3708	wmic.exe
Token: SeUndockPrivilege	3708	wmic.exe
Token: SeManageVolumePrivilege	3708	wmic.exe
Token: 33	3708	wmic.exe
Token: 34	3708	wmic.exe
Token: 35	3708	wmic.exe
Token: 36	3708	wmic.exe
Token: SeIncreaseQuotaPrivilege	3708	wmic.exe
Token: SeSecurityPrivilege	3708	wmic.exe
Token: SeTakeOwnershipPrivilege	3708	wmic.exe
Token: SeLoadDriverPrivilege	3708	wmic.exe
Token: SeSystemProfilePrivilege	3708	wmic.exe
Token: SeSystemtimePrivilege	3708	wmic.exe
Token: SeProfSingleProcessPrivilege	3708	wmic.exe
Token: SeIncBasePriorityPrivilege	3708	wmic.exe
Token: SeCreatePagefilePrivilege	3708	wmic.exe
Token: SeBackupPrivilege	3708	wmic.exe
Token: SeRestorePrivilege	3708	wmic.exe
Token: SeShutdownPrivilege	3708	wmic.exe
Token: SeDebugPrivilege	3708	wmic.exe
Token: SeSystemEnvironmentPrivilege	3708	wmic.exe
Token: SeRemoteShutdownPrivilege	3708	wmic.exe
Token: SeUndockPrivilege	3708	wmic.exe
Token: SeManageVolumePrivilege	3708	wmic.exe
Token: 33	3708	wmic.exe
Token: 34	3708	wmic.exe
Token: 35	3708	wmic.exe
Token: 36	3708	wmic.exe
Token: SeBackupPrivilege	3872	vssvc.exe
Token: SeRestorePrivilege	3872	vssvc.exe
Token: SeAuditPrivilege	3872	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3708	4156	crb.exe	83
PID 4156 wrote to memory of 3708	4156	crb.exe	83
PID 4156 wrote to memory of 3708	4156	crb.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\crb.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\crb.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-2826969134-2088669430-2680400721-1000\MHMCM-DECRYPT.txt

Filesize
8KB

MD5
53b04ef2981bdbfc9de92eed9cd4a1a5

SHA1
8e3acea8a7739e81a3b66a1e547a9f05707c6847

SHA256
3bc0d263a78760e94275edf6332331ee0691715ee8ad73b93ce15edb817bbcc3

SHA512
19874a7cea283ff6bfe7568b0f519b12c335bf1b41cabe412e1630fdddcfd037ef4680b18c67779a09becc3154a1eac3a53c699423faecb65b354762f741e2ec

Download Submit