7f65f443d129dcfc59b3c2a001b5a1f3cda092b3008e62a73ab87ba8f782b215

Analysis

max time kernel
21s
max time network
321s
platform
windows10_x64
resource
win10-en-20211104
submitted
13/11/2021, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lock.exe
Size

2.2MB
MD5

fc93ecb882fbc1bac46aaf4232ce9b66
SHA1

e4cfd33fc8f20f05b07299845268a54dd33ffced
SHA256

7f65f443d129dcfc59b3c2a001b5a1f3cda092b3008e62a73ab87ba8f782b215
SHA512

2fffaf9f8c2305be7c55bc23b8822dab5ce961332833e0bffbb6cbbee01f97907e4b5b4e573b682f66b5309d462302e1db7df0f6df3b34dccaf323357dc2efca

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ku.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\libEGL.dll.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\readme.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\7-zip.dll.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrome.7z.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoDev.png.dst	lock.exe
File created	C:\Program Files\InvokeSuspend.gif.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\README.html.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoBeta.png.dst	lock.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe.dst	lock.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.dst	lock.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 1 IoCs

evasion

pid	Process
1312	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000060bf4498ef09b24b93cbd1853f035d12000000000200000000001066000000010000200000009efac650741e39e8aa10d6be7a8bb089a5199ac21cffc0839d2af03212517eb0000000000e80000000020000200000007af900f440c75ff9af39b928cf818efbe39412b431d7556c00f9b8eb8125f6f5f00300006eaff7653a28b3a47718c704da562e795a5571117a5601e844bf3f1964d4d6460535d3d35307ab30919a63e6a304e2038ce7f848869333a9fb12c59321252d3ab59335077abca645f7b9cd36bdaef8fbc3ea834d5b428d74bc3f09dc554376c0e1173ad5ae8bda6a4a42dadc5686dd1380e1f9f2dc283ee1631fd1430ff1e4f52c322f2cedfb3660601d2d696db48ba5706e24764d88eea721fac49a91e6fa6c560db84b429a7e8a0540c6a89a177adfef4a5d8ac3047e720a8e5afd59f86ff62265b28d68a411aa1027fc8aeffc319c524991bed13e5b66aa305d16a327e52359611d936d9b8631310d28c61e5093a1d59453b5073fb0766a61f171c90811cb9e2cb17286cd156cd072dbc1c78c07057c58727142ec9f4ea979c0d41fb9d94f0e25070d802f7426983d62401b7386688ac3c3dd60e7a78f0af3e81599cb5203afc634e59285b3f9531c0dd6131459b1bf3d186f0eb17732b3e4ae2032f727281353c100461882c28981b1676f64f8021de693783b8a39438482c44bc1a1cac931de44a1929f7c8c7c6ab096315bef4797f0964447b4e7f63ad9b0162d539e00c1bf8ac3fc79ddc2c073dbd5c4568da4d9d335d91f1e5de78bb75e373289b2ecde8d9136b434f8bfd2c56dabb7e35e1a4bb666b465430b44961d007e8b8529d9f717acfb618b7d27d202c71029c4e11767abee69832288d00b46d221adc1457bad6c64c76c1eea7973c63f880638bd7680f7e717923aee3eb14169aa98e5540d67e6c4dc565709c627c11eda3556573587dd9dce82b45a41a927cc3fd582b7b94a5dac994be1bc9c9aa2f34638435fe7ecac1fd5e532c82870b7b226b067f6daeef2e7d4612347274a1ffbfb4dde8f496b5b4d5d733145717e5f072b01ad274c07fa0d2c4b049e8ae0aa196ab7604bf65aa3aa139f7d24562cb5f4dde5a3f3791657bd11e4d348d99bda8f337bdca81557c84fdbc485963614f0df8493dc539b49ff15bf663ea69dbac66f984cb22b774eb538f741d67d2d50eccbf57b3f0a37ad267de61979bc0741e20b0feb6f9a73f5fa492b44668dbb4a4948d6edf53607a04ca306ba7dbcb377d51327e3bc7d3cdddfb74aab268fee51954b1177492917497001bffee6bea8365a0fd23154254d09c1cecea9a50b611efd45ce12f9569e9004b288b8dca38448f8aa12c60bc08a988adb1fbc877c9446249515dd1f1bf22f91109f3e87c15dfe1388c552f42148dd19c71db77a9166705d4aeb8f88802eebc6830669ad1cd3d8f326de35c70473fbf036154abb2a9b50b3a7df666bb9dcfd0b77265d26d5eb5a1bd5dd4d365efaad1675043d273106ea480954c211baff80be14e33643a29cc107ebb9d2485d1c2d6a2adfc4289ec9aff9ef7a33b49ec271dc4ad9aea044c135c24e1ab71ef70a40000000d1d1633255e73ad46b540e4d2bc655cb2534160b10dfd0560cee38dbdc47491d7c991ff16a8b08d54568100ef8aaed77ad1241ec0c90861de7b47c673c95fb46	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUTtlZ6S5DAUSlRrmXzKeUMjH15hsOZgAAEPH3rrJgXQLHINNISJ6DP3XgAMBL3tY61cZRCKssKA3jahFoAuI4+etWhoOqxJUw0uVchaRhhFFdT9v/6z1AUnr5XRaMVxOSwKr/XDTWpoJeoo5ucBeYj1FaYPy3vCGaS0VCJjC7FRREcwgxaSD5+SXd2OUdpMFvikQMLpECEuJcOQkUbVbsJ8SRJ+U94nIUc7B0MxngEv5Oj45e7ElKrqrZPzeHsFCTwbmh9SdWuT7QyaWzH/NiYPliSqghdiTe/nAWQx32rqE9x65792h99yGaOGSYgy8kASpc2x+TnEPema2xf1osOc7LYEQjWFOvWLjTGwE=&p="	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C004CA75ED43 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000060bf4498ef09b24b93cbd1853f035d1200000000020000000000106600000001000020000000762e68109c8432bfd16450d9555a05dcf6a28c386ab594664d96fea7ef80e347000000000e80000000020000200000004fb7f449ee116a18d06ea0573d6e8a11715f0150d98693f39c259b897180d107800000000aa21c0db8a5ced321a43357ea65c821083f5a4d9e1cb00a5cc8feddcb193e9803d84bc771cbaad0c12166923ae2351de2eb80fb5cd9144ee5c8675ef024e9f544d199b17b423566c4092b6e19456a1fad823d45140a260b7936dbd14b74ad152694e6ebfaa19d46feb1e6846d8d0a446674700f980a21b9f0ca8ce0bf559cd440000000f81d142b4f04633d0c2d1ede3cc5a2cf1d29dca6e2326b1209b3a12b03be55850a3a670ef509d3859eda2614fd89146b7bb47b376ae313624af6f6896daf4a40	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018C004CA75ED43"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2380	lock.exe
2380	lock.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3152	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2672	2380	lock.exe	71
PID 2380 wrote to memory of 2672	2380	lock.exe	71
PID 2672 wrote to memory of 2052	2672	cmd.exe	69
PID 2672 wrote to memory of 2052	2672	cmd.exe	69
PID 2672 wrote to memory of 2836	2672	cmd.exe	70
PID 2672 wrote to memory of 2836	2672	cmd.exe	70
PID 2380 wrote to memory of 3164	2380	lock.exe	72
PID 2380 wrote to memory of 3164	2380	lock.exe	72
PID 2380 wrote to memory of 2212	2380	lock.exe	73
PID 2380 wrote to memory of 2212	2380	lock.exe	73
PID 2380 wrote to memory of 3708	2380	lock.exe	74
PID 2380 wrote to memory of 3708	2380	lock.exe	74
PID 2380 wrote to memory of 580	2380	lock.exe	75
PID 2380 wrote to memory of 580	2380	lock.exe	75
PID 2380 wrote to memory of 2716	2380	lock.exe	76
PID 2380 wrote to memory of 2716	2380	lock.exe	76
PID 2380 wrote to memory of 1256	2380	lock.exe	77
PID 2380 wrote to memory of 1256	2380	lock.exe	77
PID 2380 wrote to memory of 3084	2380	lock.exe	78
PID 2380 wrote to memory of 3084	2380	lock.exe	78
PID 2380 wrote to memory of 848	2380	lock.exe	79
PID 2380 wrote to memory of 848	2380	lock.exe	79
PID 2380 wrote to memory of 364	2380	lock.exe	80
PID 2380 wrote to memory of 364	2380	lock.exe	80
PID 2380 wrote to memory of 1384	2380	lock.exe	99
PID 2380 wrote to memory of 1384	2380	lock.exe	99
PID 3708 wrote to memory of 2476	3708	cmd.exe	98
PID 3708 wrote to memory of 2476	3708	cmd.exe	98
PID 1256 wrote to memory of 2792	1256	cmd.exe	97
PID 1256 wrote to memory of 2792	1256	cmd.exe	97
PID 3084 wrote to memory of 3532	3084	cmd.exe	96
PID 3084 wrote to memory of 3532	3084	cmd.exe	96
PID 580 wrote to memory of 652	580	cmd.exe	95
PID 580 wrote to memory of 652	580	cmd.exe	95
PID 3164 wrote to memory of 588	3164	cmd.exe	94
PID 3164 wrote to memory of 588	3164	cmd.exe	94
PID 2212 wrote to memory of 896	2212	cmd.exe	93
PID 2212 wrote to memory of 896	2212	cmd.exe	93
PID 2380 wrote to memory of 2232	2380	lock.exe	81
PID 2380 wrote to memory of 2232	2380	lock.exe	81
PID 848 wrote to memory of 2100	848	cmd.exe	92
PID 848 wrote to memory of 2100	848	cmd.exe	92
PID 2716 wrote to memory of 3404	2716	cmd.exe	83
PID 2716 wrote to memory of 3404	2716	cmd.exe	83
PID 2380 wrote to memory of 2256	2380	lock.exe	82
PID 2380 wrote to memory of 2256	2380	lock.exe	82
PID 2100 wrote to memory of 1672	2100	net.exe	84
PID 2100 wrote to memory of 1672	2100	net.exe	84
PID 2232 wrote to memory of 3056	2232	cmd.exe	91
PID 2232 wrote to memory of 3056	2232	cmd.exe	91
PID 2476 wrote to memory of 2720	2476	net.exe	85
PID 2476 wrote to memory of 2720	2476	net.exe	85
PID 2380 wrote to memory of 4092	2380	lock.exe	90
PID 2380 wrote to memory of 4092	2380	lock.exe	90
PID 1384 wrote to memory of 2516	1384	cmd.exe	89
PID 1384 wrote to memory of 2516	1384	cmd.exe	89
PID 2792 wrote to memory of 1160	2792	net.exe	88
PID 2792 wrote to memory of 1160	2792	net.exe	88
PID 588 wrote to memory of 1360	588	net.exe	87
PID 588 wrote to memory of 1360	588	net.exe	87
PID 652 wrote to memory of 668	652	net.exe	86
PID 652 wrote to memory of 668	652	net.exe	86
PID 3404 wrote to memory of 732	3404	net.exe	103
PID 3404 wrote to memory of 732	3404	net.exe	103

C:\Users\Admin\AppData\Local\Temp\lock.exe
"C:\Users\Admin\AppData\Local\Temp\lock.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cmd.exe
  cmd.exe "/csc query | findstr SERVICE_NAME"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\system32\net.exe
    net stop "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop AudioEndpointBuilder"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\net.exe
    net stop AudioEndpointBuilder"
    3⤵
    PID:896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AudioEndpointBuilder"
      4⤵
      PID:3380
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop Audiosrv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\net.exe
    net stop Audiosrv"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop BF"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\system32\net.exe
    net stop BF"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop BIT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\net.exe
    net stop BIT"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BIT"
      4⤵
      PID:732
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop Browser"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\net.exe
    net stop Browser"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop ClickToRunSvc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\system32\net.exe
    net stop ClickToRunSvc"
    3⤵
    PID:3532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ClickToRunSvc"
      4⤵
      PID:3252
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop DusmSvc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\net.exe
    net stop DusmSvc"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop L"
  2⤵
  PID:364
- - C:\Windows\system32\net.exe
    net stop L"
    3⤵
    PID:596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop L"
      4⤵
      PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop SSDP"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\net.exe
    net stop SSDP"
    3⤵
    PID:3056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SSDP"
      4⤵
      PID:1320
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop CDPUserSvc_15229"
  2⤵
  PID:2256
- - C:\Windows\system32\net.exe
    net stop CDPUserSvc_15229"
    3⤵
    PID:820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CDPUserSvc_15229"
      4⤵
      PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe /c "taskkill /F /PID 2508"
  2⤵
  PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 2508
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384

C:\Windows\system32\sc.exe
sc query
1⤵
PID:2052

C:\Windows\system32\findstr.exe
findstr SERVICE_NAME"
1⤵
PID:2836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DusmSvc"
1⤵
PID:1672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Audiosrv"
1⤵
PID:2720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BF"
1⤵
PID:668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "
1⤵
PID:1360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Browser"
1⤵
PID:1160

C:\Windows\system32\net.exe
net stop "
1⤵
PID:2516
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "
  2⤵
  PID:4036

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3152

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads