cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

General

Target

cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe
Size

484KB
MD5

4cbfab996ac0b42ab08e0bc9405aca1a
SHA1

b6c2723405b76f8701f5665a4633828f93df68e7
SHA256

cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6
SHA512

041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48
SSDEEP

12288:2INGjfjmd+pNlAMUozPz/VG+KCIxGJgfxgf:LNGjb9Ayh0CIMJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
672	lnoukkbniq.exe

Deletes itself 1 IoCs

pid	Process
1136	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1136	cmd.exe
1136	cmd.exe
672	lnoukkbniq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
768	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
868	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe
672	lnoukkbniq.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1136	2024	cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe	28
PID 2024 wrote to memory of 1136	2024	cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe	28
PID 2024 wrote to memory of 1136	2024	cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe	28
PID 2024 wrote to memory of 1136	2024	cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe	28
PID 1136 wrote to memory of 768	1136	cmd.exe	30
PID 1136 wrote to memory of 768	1136	cmd.exe	30
PID 1136 wrote to memory of 768	1136	cmd.exe	30
PID 1136 wrote to memory of 768	1136	cmd.exe	30
PID 1136 wrote to memory of 868	1136	cmd.exe	32
PID 1136 wrote to memory of 868	1136	cmd.exe	32
PID 1136 wrote to memory of 868	1136	cmd.exe	32
PID 1136 wrote to memory of 868	1136	cmd.exe	32
PID 1136 wrote to memory of 672	1136	cmd.exe	33
PID 1136 wrote to memory of 672	1136	cmd.exe	33
PID 1136 wrote to memory of 672	1136	cmd.exe	33
PID 1136 wrote to memory of 672	1136	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe
"C:\Users\Admin\AppData\Local\Temp\cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2024 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6.exe" & start C:\Users\Admin\AppData\Local\LNOUKK~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2024
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:868
- - C:\Users\Admin\AppData\Local\lnoukkbniq.exe
    C:\Users\Admin\AppData\Local\LNOUKK~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lnoukkbniq.exe

Filesize
484KB

MD5
4cbfab996ac0b42ab08e0bc9405aca1a

SHA1
b6c2723405b76f8701f5665a4633828f93df68e7

SHA256
cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

SHA512
041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48

Download Submit
C:\Users\Admin\AppData\Local\lnoukkbniq.exe

Filesize
484KB

MD5
4cbfab996ac0b42ab08e0bc9405aca1a

SHA1
b6c2723405b76f8701f5665a4633828f93df68e7

SHA256
cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

SHA512
041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48

Download Submit
\Users\Admin\AppData\Local\lnoukkbniq.exe

Filesize
484KB

MD5
4cbfab996ac0b42ab08e0bc9405aca1a

SHA1
b6c2723405b76f8701f5665a4633828f93df68e7

SHA256
cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

SHA512
041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48

Download Submit
\Users\Admin\AppData\Local\lnoukkbniq.exe

Filesize
484KB

MD5
4cbfab996ac0b42ab08e0bc9405aca1a

SHA1
b6c2723405b76f8701f5665a4633828f93df68e7

SHA256
cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

SHA512
041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48

Download Submit
\Users\Admin\AppData\Local\lnoukkbniq.exe

Filesize
484KB

MD5
4cbfab996ac0b42ab08e0bc9405aca1a

SHA1
b6c2723405b76f8701f5665a4633828f93df68e7

SHA256
cbff35f58791a79553e070ff74011dbdc5bd8d401075144cbaf38678e325b0b6

SHA512
041018d06049ae9cf36ad0ec9c7af96c7176b0a467b24687fa312b94ff0faeb2aaa9fb59d475b0f5fce5ed52dfd266b3a23ead70ae592e87fef0cf3b1b4e7a48

Download Submit
memory/672-67-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/672-68-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2024-57-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2024-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing