cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b

Analysis

max time kernel
151s
max time network
136s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe
Size

280KB
MD5

630c1481a23ccb384e983be564b86560
SHA1

0c1ea1cfcae42e2c51b8edc11e11272eb044ca87
SHA256

cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b
SHA512

4a41ad29df9f574bbf928de1f08e79d7f23bb5628348402998ebbfc76a49d55ec2a89691f59b570e126ffe614aa1c9e839b99fad851168987067d07245317796
SSDEEP

3072:PTfF8DHWIsMNjHVb7D22yPJAANQRU3Cb8Zteb3sPWZY8mgOFPtX1ObdM:PjGTHsMjH121Es3CbLWcOPob+

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	lhnomct.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	lhnomct.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DisconnectSkip.crw => C:\Users\Admin\Pictures\DisconnectSkip.crw.ecc	lhnomct.exe
File renamed	C:\Users\Admin\Pictures\ResolveUnblock.crw => C:\Users\Admin\Pictures\ResolveUnblock.crw.ecc	lhnomct.exe

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe
1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lhnomct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svcav_module = "C:\\Users\\Admin\\AppData\\Roaming\\lhnomct.exe"	lhnomct.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseE\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Ultimate\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Parsing.help.txt	lhnomct.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc309at.vdf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WMI_Cmdlets.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.vdf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\wdi\perftrack\HealthCenterInstrumentation.ptxml	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Foreach.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Parsing.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scopes.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateE\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Throw.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_regular_expressions.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumE\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_While.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasicN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateE\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\lipeula.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_cmdletbindingattribute.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_jobs.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Return.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_command_precedence.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_preference_variables.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_objects.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_methods.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\wdi\perftrack\Help-DataLayer.ptxml	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseN\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\lipeula.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseE\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comment_Based_Help.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comment_Based_Help.help.txt	lhnomct.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_preference_variables.help.txt	lhnomct.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	lhnomct.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	lhnomct.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\THMBNAIL.PNG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	lhnomct.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	lhnomct.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	lhnomct.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.PNG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	lhnomct.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png	lhnomct.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png	lhnomct.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	lhnomct.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	lhnomct.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG	lhnomct.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js	lhnomct.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d5c9b9e4fbbebe76\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_906b5430848de670\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\highlight.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-flippage_31bf3856ad364e35_6.1.7600.16385_none_0f19716417635239\NavigationRight_SelectionSubpicture.png	lhnomct.exe
File opened for modification	C:\Windows\diagnostics\system\Power\ja-JP\Power_Troubleshooter.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_it-it_227e33fb04382aa3\playready_eula.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\service.js	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-new_partly-cloudy.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_43c8f8ac0805bca7\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_functions_advanced_parameters.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..rbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e768d718690619d3.manifest	lhnomct.exe
File opened for modification	C:\Windows\diagnostics\system\Power\es-ES\RS_AdjustScreenBrightness.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38563db42d064525\playready_eula.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\22.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..eraccount.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a4202a45063c41a\OOBE_HELP_What_is_User_Account.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_History.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09bc2db811bc91be.manifest	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\button_MCELogo_mouseover.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..s-package.resources_31bf3856ad364e35_6.1.7601.17514_it-it_86fa4eb7805982a0\LocalizationData.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Circle_ButtonGraphic.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_functions_cmdletbindingattribute.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_preference_variables.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\flyout.css	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\9.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\trad.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_rainy.png	lhnomct.exe
File opened for modification	C:\Windows\diagnostics\system\Networking\de-DE\LocalizationData.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\reportapi.js	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp5.jpg	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_script_blocks.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\4to3Squareframe_Buttongraphic.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\chapters-static.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Notes_LOOP_BG_PAL.wmv	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\winsatencode.wmv	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\42.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_hail.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47a66c4231b590d1\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\SoftBlue.jpg	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..rbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6804269288123c4d.manifest	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.2.9600.16428_none_46f97fadc32d3aef\ieframe.ptxml	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_en-us_dd050cebcad7bb4b\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_399bb48ff329ff89\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_remote_troubleshooting.help.txt	lhnomct.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\ja-JP\CL_LocalizationData.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\settings.js	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\35.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-full_partly-cloudy.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_sserife.fon_dad8712a	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..docs-main.resources_31bf3856ad364e35_6.1.7601.17514_de-de_18fdeea986d5e635.manifest	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac3f009b04b599c5.manifest	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_gray_rainy.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_617418a2a916eb62\Microsoft.JScript.Resources.dll	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\720_480shadow.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationRight_ButtonGraphic.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_type_operators.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 06.wma	lhnomct.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..odbc-cursor-library_31bf3856ad364e35_6.1.7600.16385_none_0b01ce847b92b185.manifest	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5d0f22c9e44cb6ed\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\photograph.png	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_4802d78d4a814db3\CL_LocalizationData.psd1	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_While.help.txt	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_en-us_7cb9d6b0c095b208\license.rtf	lhnomct.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Scene_loop_PAL.wmv	lhnomct.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1732	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe
1992	lhnomct.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1924	vssvc.exe
Token: SeRestorePrivilege	1924	vssvc.exe
Token: SeAuditPrivilege	1924	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1992	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	28
PID 1680 wrote to memory of 1992	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	28
PID 1680 wrote to memory of 1992	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	28
PID 1680 wrote to memory of 1992	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	28
PID 1680 wrote to memory of 1740	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	29
PID 1680 wrote to memory of 1740	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	29
PID 1680 wrote to memory of 1740	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	29
PID 1680 wrote to memory of 1740	1680	cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe	29
PID 1992 wrote to memory of 1732	1992	lhnomct.exe	31
PID 1992 wrote to memory of 1732	1992	lhnomct.exe	31
PID 1992 wrote to memory of 1732	1992	lhnomct.exe	31
PID 1992 wrote to memory of 1732	1992	lhnomct.exe	31

C:\Users\Admin\AppData\Local\Temp\cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe
"C:\Users\Admin\AppData\Local\Temp\cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Roaming\lhnomct.exe
  C:\Users\Admin\AppData\Roaming\lhnomct.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all
    3⤵
    - Interacts with shadow copies
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC5278~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lhnomct.exe

Filesize
280KB

MD5
630c1481a23ccb384e983be564b86560

SHA1
0c1ea1cfcae42e2c51b8edc11e11272eb044ca87

SHA256
cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b

SHA512
4a41ad29df9f574bbf928de1f08e79d7f23bb5628348402998ebbfc76a49d55ec2a89691f59b570e126ffe614aa1c9e839b99fad851168987067d07245317796

Download Submit
C:\Users\Admin\AppData\Roaming\lhnomct.exe

Filesize
280KB

MD5
630c1481a23ccb384e983be564b86560

SHA1
0c1ea1cfcae42e2c51b8edc11e11272eb044ca87

SHA256
cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b

SHA512
4a41ad29df9f574bbf928de1f08e79d7f23bb5628348402998ebbfc76a49d55ec2a89691f59b570e126ffe614aa1c9e839b99fad851168987067d07245317796

Download Submit
\Users\Admin\AppData\Roaming\lhnomct.exe

Filesize
280KB

MD5
630c1481a23ccb384e983be564b86560

SHA1
0c1ea1cfcae42e2c51b8edc11e11272eb044ca87

SHA256
cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b

SHA512
4a41ad29df9f574bbf928de1f08e79d7f23bb5628348402998ebbfc76a49d55ec2a89691f59b570e126ffe614aa1c9e839b99fad851168987067d07245317796

Download Submit
\Users\Admin\AppData\Roaming\lhnomct.exe

Filesize
280KB

MD5
630c1481a23ccb384e983be564b86560

SHA1
0c1ea1cfcae42e2c51b8edc11e11272eb044ca87

SHA256
cc5278242b8a119b0cdcdf10f48269b21fdcecfbb2ac1292b3548a54eaee853b

SHA512
4a41ad29df9f574bbf928de1f08e79d7f23bb5628348402998ebbfc76a49d55ec2a89691f59b570e126ffe614aa1c9e839b99fad851168987067d07245317796

Download Submit
memory/1680-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download