Analysis
-
max time kernel
280s -
max time network
261s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06/02/2023, 23:29
Static task
static1
Behavioral task
behavioral1
Sample
LBG32.exe
Resource
win10v2004-20221111-en
General
-
Target
LBG32.exe
-
Size
231KB
-
MD5
5e3ec333a0b2ccf85fcc8ef31c1c8caa
-
SHA1
e6d9b00dd20426fb3d3a2c9a77b86553c144986a
-
SHA256
b1e12d0216a946329fe549e09bf481d7df9e8e3bc3f99bc24d9940cbb8f76f06
-
SHA512
116737b153810a7b2f91e52a03e97fa0601735919ec219aebff5e74321c730d14bbb46f5bcff457587daafd5c8c9341964d1ac91bc171b96f8289e02b0f370f7
-
SSDEEP
3072:ge9f4GwJqzPG927z6r7JGSxS0S4/J2cux2Ut8q7frsFmm0xUMZByH:z9fkgzP4HQSxSuJ2c/AnUmxxUGByH
Malware Config
Extracted
C:\!!!-Restore-My-Files-!!!.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
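The URL list above is an IOC set in its own right, and it contains the same nine leak-site addresses twice: once as plain .onion hosts and once with an .onion.ly suffix. The script below is an added example for this report, not part of the sandbox output or of the sample: it pulls v3 onion hostnames out of note text, folds gateway-suffixed copies onto their canonical .onion host so mirrors do not inflate the count, and verifies the v3 address checksum (base32(PUBKEY || SHA3-256(".onion checksum" || PUBKEY || 0x03)[:2] || 0x03)) so that mistyped or fabricated addresses stand out. NOTE is constructed from a subset of the URLs listed above; treating .onion.ly as a clearnet (Tor2web-style) gateway to the same service is an assumption.

```python
"""Extract, de-duplicate and sanity-check Tor v3 addresses from a ransom note.

Added example for this report (not part of the sandbox output). NOTE is a
constructed excerpt built from URLs listed under Malware Config; the
'.onion.ly' suffix is assumed to be a clearnet gateway to the same host.
"""
import base64
import binascii
import hashlib
import re

# Constructed excerpt: URLs copied from the Malware Config section.
NOTE = """
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://twitter.com/hashtag/lockbit?f=live
https://gdpr-info.eu/
"""

# 56 base32 chars (RFC 4648 alphabet) + ".onion", optionally followed by a
# clearnet gateway suffix such as ".ly".
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion(\.[a-z]{2,})?\b", re.IGNORECASE)
VERSION = b"\x03"


def extract_onion_hosts(text):
    """Map each canonical '<56 chars>.onion' host to the set of gateway
    suffixes it was seen behind (empty set = seen only as a plain .onion)."""
    hosts = {}
    for m in ONION_RE.finditer(text):
        host = m.group(1).lower() + ".onion"
        gateways = hosts.setdefault(host, set())
        if m.group(2):
            gateways.add("onion" + m.group(2).lower())
    return hosts


def onion_checksum(pubkey):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def is_valid_onion_v3(host):
    """True if host decodes to 32-byte key || 2-byte checksum || version 3."""
    label = host.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == onion_checksum(pubkey)


def make_onion_v3(pubkey):
    """Inverse of is_valid_onion_v3: the address for a 32-byte ed25519 key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def triage_note(text):
    """[(host, sorted gateways, checksum_ok)] sorted by host, for an IOC list."""
    return [(h, sorted(g), is_valid_onion_v3(h))
            for h, g in sorted(extract_onion_hosts(text).items())]


if __name__ == "__main__":
    for host, gateways, ok in triage_note(NOTE):
        print(f"{host}  gateways={gateways or '-'}  checksum_ok={ok}")
```

Running it against the full list above yields nine lockbitapt hosts (each also seen behind onion.ly) and nine lockbitsup hosts, eighteen IOCs rather than the twenty-seven URL lines; the gdpr and twitter URLs are context, not infrastructure.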
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files. Here the sample appends the same eight-hex-digit suffix (.a989f46d) after the original extension, so the original file type stays visible in the name; the file is opened for modification first and renamed afterwards.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\RedoDisable.tiff => C:\Users\Admin\Pictures\RedoDisable.tiff.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\ConnectStart.crw => C:\Users\Admin\Pictures\ConnectStart.crw.a989f46d | LBG32.exe
File opened for modification | C:\Users\Admin\Pictures\RedoDisable.tiff | LBG32.exe
-
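The two renames above are the pattern a file-telemetry detection should key on: one process appending one opaque suffix to many files of different original types. The script below is an added example for this report, not part of the sandbox output or of the sample. The event tuples are constructed: the first two reproduce the File renamed rows above, the third is a made-up additional victim file, and the last two are made-up benign renames (an editor's save-by-rename and a finished browser download) that must not cluster. The field layout and the min_files threshold are assumptions.

```python
"""Cluster file renames to spot one process appending one extension to many files.

Added example for this report (not part of the sandbox output). SAMPLE_RENAMES
is constructed telemetry; only the first two tuples come from the report.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# (old_path, new_path, process)
SAMPLE_RENAMES = [
    (r"C:\Users\Admin\Pictures\RedoDisable.tiff",
     r"C:\Users\Admin\Pictures\RedoDisable.tiff.a989f46d", "LBG32.exe"),
    (r"C:\Users\Admin\Pictures\ConnectStart.crw",
     r"C:\Users\Admin\Pictures\ConnectStart.crw.a989f46d", "LBG32.exe"),
    # constructed: a third victim file with a different original type
    (r"C:\Users\Admin\Documents\Budget.xlsx",
     r"C:\Users\Admin\Documents\Budget.xlsx.a989f46d", "LBG32.exe"),
    # constructed benign noise: save-by-rename and a finished download
    (r"C:\Users\Admin\Documents\notes.txt.tmp",
     r"C:\Users\Admin\Documents\notes.txt", "notepad.exe"),
    (r"C:\Users\Admin\Downloads\setup.exe.crdownload",
     r"C:\Users\Admin\Downloads\setup.exe", "chrome.exe"),
]


def appended_suffix(old_path, new_path):
    """Return the extension appended to old_path's full name (e.g. '.a989f46d'),
    or None when the rename moved the file or altered the original name."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent or not new.name.startswith(old.name + "."):
        return None
    return new.name[len(old.name):]


def rename_clusters(events, min_files=3):
    """Group renames by (process, appended suffix). A cluster is reported when
    one process appended the same suffix to at least min_files distinct files
    whose original extensions differ, which legitimate software rarely does."""
    groups = defaultdict(set)
    for old_path, new_path, process in events:
        suffix = appended_suffix(old_path, new_path)
        if suffix:
            groups[(process, suffix.lower())].add(old_path)
    clusters = {}
    for (process, suffix), files in groups.items():
        original_exts = {PureWindowsPath(f).suffix.lower() for f in files}
        if len(files) >= min_files and len(original_exts) >= 2:
            clusters[(process, suffix)] = sorted(files)
    return clusters


if __name__ == "__main__":
    for (process, suffix), files in rename_clusters(SAMPLE_RENAMES).items():
        print(f"{process} appended {suffix} to {len(files)} files: {files}")
```

Requiring at least two distinct original extensions is what separates this from a backup tool or archiver that appends its own suffix to a single file type; in practice the threshold is set well above three and the window is bounded in time.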
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!-Restore-My-Files-!!!.txt | LBG32.exe
The file is the ransom note, which the sample writes into many of the directories it traverses (compare the File created rows under Program Files below). A .txt file in Word's STARTUP folder is not loaded as an add-in, so this hit reflects directory traversal rather than a deliberate persistence mechanism.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
Every row is an open-for-modification of an existing desktop.ini, not a file creation: the sample touches these files during its sweep of the user, Public and Program Files folders.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | LBG32.exe
-
Drops file in Program Files directory 64 IoCs
64 rows shown; the report caps each signature at 64 rows. The File created rows are copies of the ransom note dropped into each directory the sample visited; the File opened for modification rows are the files it opened for writing during its sweep of Program Files.
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Analytics | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | LBG32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif | LBG32.exe
File created | C:\Program Files\Common Files\System\ado\it-IT\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Edge.dat.DATA | LBG32.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms | LBG32.exe
File created | C:\Program Files (x86)\Common Files\System\ado\en-US\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png | LBG32.exe
File created | C:\Program Files (x86)\Reference Assemblies\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files\Internet Explorer\es-ES\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html | LBG32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms | LBG32.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg | LBG32.exe
File created | C:\Program Files (x86)\Common Files\System\es-ES\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] (file name mangled by the page's e-mail obfuscation) | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ro.pak.DATA | LBG32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC | LBG32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar | LBG32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt | LBG32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\!!!-Restore-My-Files-!!!.txt | LBG32.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. Here, however, every row is attributed to taskmgr.exe (PID 1732), a top-level process in the analysis VM with no parent link to the sample (see Processes); reading the disk's FriendlyName is consistent with Task Manager labelling the drive in its Performance view, so this signature should not be read as anti-analysis behaviour by LBG32.exe. The vendor/product string in the key path (Ven_DADY&Prod_HARDDISK) is nonetheless the kind of VM artefact such checks look for.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (DEVPKEY_Device_FriendlyName) | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4996 | LBG32.exe (64 rows, all the same process; the report caps each signature at 64 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1732 | taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid | Process
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 4920 | vssvc.exe
Token (enabled twice, 21 privileges each time): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 1700 | WMIC.exe
Token: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege | 1732 | taskmgr.exe
The bare numbers are privilege LUIDs the report did not resolve to names; on Windows 10, 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. None of these rows belongs to LBG32.exe itself: vssvc.exe is the Volume Shadow Copy service enabling its backup and restore privileges to act on the deletion request, WMIC.exe enabling every privilege its token holds is its normal start-up behaviour, and taskmgr.exe is an analysis-VM tool. The signal is the wmic command line under Processes, not the token adjustments.
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1732 | taskmgr.exe (64 rows, all the same process)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1732 | taskmgr.exe (64 rows, all the same process)
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 4996 wrote to memory of 2252 | 4996 | LBG32.exe | 85 (2 rows)
PID 2252 wrote to memory of 1700 | 2252 | cmd.exe | 87 (2 rows)
Both pairs are writes by a parent into the child it has just spawned (LBG32.exe -> cmd.exe -> WMIC.exe, see Processes), which is consistent with ordinary process creation as seen by the sandbox's hooks; they are not evidence of injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LBG32.exe (PID 4996)
Command line: "C:\Users\Admin\AppData\Local\Temp\LBG32.exe"
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (PID 2252, child of 4996)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{197EF8A3-6C0C-4392-9954-89785C32C0FB}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 1700, child of 2252)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{197EF8A3-6C0C-4392-9954-89785C32C0FB}'" delete
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (PID 4920)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2724)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
-
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2208)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3252)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
-
C:\Windows\system32\taskmgr.exe (PID 1732)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
The only chain rooted at the sample is LBG32.exe -> cmd.exe -> WMIC.exe. The wmic call removes one shadow copy selected by its ID through WMI's Win32_ShadowCopy class rather than issuing a blanket "vssadmin delete shadows /all", which implies the sample enumerated the existing shadow copies first and deletes them one call at a time; vssvc.exe is the Volume Shadow Copy service that carries out that request. The browsers and Task Manager are top-level processes in the analysis VM with no parent link to the sample, and taskmgr.exe (PID 1732) alone accounts for the SCSI, GetForegroundWindowSpam, FindShellTrayWindow and SendNotifyMessage signatures.
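The wmic shadowcopy delete in the process tree is the one action in this report that a process-creation detection can catch before encryption finishes. The script below is an added example for this report, not part of the sandbox output or of the sample. The events are constructed in a Sysmon-like "Key=Value | Key=Value" layout (the field names are an assumption): the first two reproduce the LBG32.exe -> cmd.exe -> WMIC.exe chain and command lines shown above, the next two are made-up benign lines that must not fire (read-only enumeration and unrelated wmic use), and the last is a made-up vssadmin line showing that the same rule set covers the other common form of the technique.

```python
"""Flag shadow-copy deletion and recovery tampering in process-creation events.

Added example for this report (not part of the sandbox output). SAMPLE_EVENTS
is constructed telemetry; only the first two events reproduce the report.
"""
import re

SAMPLE_EVENTS = [
    r"""ProcessId=2252 | ParentImage=C:\Users\Admin\AppData\Local\Temp\LBG32.exe | Image=C:\Windows\SYSTEM32\cmd.exe | CommandLine=cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{197EF8A3-6C0C-4392-9954-89785C32C0FB}'" delete""",
    r"""ProcessId=1700 | ParentImage=C:\Windows\SYSTEM32\cmd.exe | Image=C:\Windows\System32\wbem\WMIC.exe | CommandLine=C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{197EF8A3-6C0C-4392-9954-89785C32C0FB}'" delete""",
    # constructed: read-only enumeration and unrelated wmic use, must not fire
    r"""ProcessId=3001 | ParentImage=C:\Windows\System32\cmd.exe | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin list shadows""",
    r"""ProcessId=3002 | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\wbem\WMIC.exe | CommandLine=wmic os get caption""",
    # constructed: the other common form of the same technique
    r"""ProcessId=3003 | ParentImage=C:\Users\Admin\Downloads\x.exe | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin delete shadows /all /quiet""",
]

# Each rule is matched against the lower-cased, whitespace-collapsed command line.
RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b")),
]
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_event(line):
    """Split 'Key=Value | Key=Value' into a dict; values may contain '='."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_shadow_copy_tampering(lines):
    """Return one hit per (event, rule). Each hit carries the parent image, so
    the analyst sees which binary drove the deletion, and any shadow-copy GUIDs
    on the command line: a per-ID delete (as in this sample) means the copies
    were enumerated first and are being removed one call at a time."""
    hits = []
    for line in lines:
        event = parse_event(line)
        command = event.get("CommandLine", "")
        normalised = re.sub(r"\s+", " ", command).lower()
        for name, pattern in RULES:
            if pattern.search(normalised):
                hits.append({
                    "rule": name,
                    "pid": event.get("ProcessId"),
                    "image": event.get("Image"),
                    "parent": event.get("ParentImage"),
                    "ids": GUID_RE.findall(command),
                    "command": command,
                })
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} parent={hit['parent']} ids={hit['ids']}")
```

Both the cmd.exe wrapper and the WMIC.exe child fire, which is intended: the cmd.exe event carries the interesting parent (a binary in the user's Temp directory), while the WMIC.exe event is what appears when the wrapper is omitted. Matching on "delete" rather than on "/all" is what keeps the per-ID form used by this sample in scope.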