Analysis
max time kernel: 32s
max time network: 19s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/02/2023, 17:36
Static task: static1
Behavioral task: behavioral1 (Sample: LBG32.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: LBG32.exe, Resource: win10v2004-20221111-en)
General
Target: LBG32.exe
Size: 231KB
MD5: 5e3ec333a0b2ccf85fcc8ef31c1c8caa
SHA1: e6d9b00dd20426fb3d3a2c9a77b86553c144986a
SHA256: b1e12d0216a946329fe549e09bf481d7df9e8e3bc3f99bc24d9940cbb8f76f06
SHA512: 116737b153810a7b2f91e52a03e97fa0601735919ec219aebff5e74321c730d14bbb46f5bcff457587daafd5c8c9341964d1ac91bc171b96f8289e02b0f370f7
SSDEEP: 3072:ge9f4GwJqzPG927z6r7JGSxS0S4/J2cux2Ut8q7frsFmm0xUMZByH:z9fkgzP4HQSxSuJ2c/AnUmxxUGByH
Malware Config
Extracted
Path: C:\!!!-Restore-My-Files-!!!.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\CompleteMount.tif => C:\Users\Admin\Pictures\CompleteMount.tif.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\DismountAssert.raw => C:\Users\Admin\Pictures\DismountAssert.raw.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\InvokeSync.raw => C:\Users\Admin\Pictures\InvokeSync.raw.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\RenameHide.png => C:\Users\Admin\Pictures\RenameHide.png.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\UnregisterSend.raw => C:\Users\Admin\Pictures\UnregisterSend.raw.a989f46d | LBG32.exe
File opened for modification | C:\Users\Admin\Pictures\BackupWait.tiff | LBG32.exe
File renamed | C:\Users\Admin\Pictures\BackupWait.tiff => C:\Users\Admin\Pictures\BackupWait.tiff.a989f46d | LBG32.exe
File renamed | C:\Users\Admin\Pictures\ClosePop.tif => C:\Users\Admin\Pictures\ClosePop.tif.a989f46d | LBG32.exe
Drops desktop.ini file(s) (31 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | LBG32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | LBG32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | LBG32.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\release | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx | LBG32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195812.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF | LBG32.exe
File created | C:\Program Files\Java\jre7\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF | LBG32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat | LBG32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.DPV | LBG32.exe
File created | C:\Program Files\Microsoft Games\Purble Place\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01566_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01216_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF | LBG32.exe
File created | C:\Program Files\Microsoft Games\Solitaire\es-ES\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XML2WORD.XSL | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105272.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAILMOD.POC | LBG32.exe
File created | C:\Program Files\Microsoft Games\Mahjong\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File created | C:\Program Files\Common Files\System\en-US\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF | LBG32.exe
File created | C:\Program Files (x86)\Microsoft.NET\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF | LBG32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx | LBG32.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF | LBG32.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log | LBG32.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Library\!!!-Restore-My-Files-!!!.txt | LBG32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00160_.WMF | LBG32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1392 | LBG32.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
pid 1468, vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 1164, WMIC.exe (the following 20 entries are recorded twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 788, WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 1392 wrote to memory of 856 | 1392 | LBG32.exe | 31 | x4
PID 856 wrote to memory of 1164 | 856 | cmd.exe | 33 | x3
PID 1392 wrote to memory of 1144 | 1392 | LBG32.exe | 34 | x4
PID 1144 wrote to memory of 788 | 1144 | cmd.exe | 36 | x3
PID 1392 wrote to memory of 536 | 1392 | LBG32.exe | 37 | x4
PID 536 wrote to memory of 360 | 536 | cmd.exe | 39 | x3
PID 1392 wrote to memory of 304 | 1392 | LBG32.exe | 40 | x4
PID 304 wrote to memory of 812 | 304 | cmd.exe | 42 | x3
PID 1392 wrote to memory of 1636 | 1392 | LBG32.exe | 43 | x4
PID 1636 wrote to memory of 1944 | 1636 | cmd.exe | 45 | x3
PID 1392 wrote to memory of 1496 | 1392 | LBG32.exe | 46 | x4
PID 1496 wrote to memory of 1172 | 1496 | cmd.exe | 48 | x3
PID 1392 wrote to memory of 1324 | 1392 | LBG32.exe | 49 | x4
PID 1392 wrote to memory of 1860 | 1392 | LBG32.exe | 52 | x4
PID 1860 wrote to memory of 856 | 1860 | cmd.exe | 54 | x3
PID 1392 wrote to memory of 1580 | 1392 | LBG32.exe | 55 | x4
PID 1580 wrote to memory of 272 | 1580 | cmd.exe | 57 | x3
PID 1392 wrote to memory of 1132 | 1392 | LBG32.exe | 58 | x4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\LBG32.exe (PID 1392)
    "C:\Users\Admin\AppData\Local\Temp\LBG32.exe"
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (PID 856)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F4F273-FD4E-40EE-A757-A0C4931FC7F9}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1164)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F4F273-FD4E-40EE-A757-A0C4931FC7F9}'" delete
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe (PID 1144)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73136CA1-40E5-44A4-ACB1-1A381327A180}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 788)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73136CA1-40E5-44A4-ACB1-1A381327A180}'" delete
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe (PID 536)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5EA5ECFC-D39D-4BAD-AC73-64FFF00D3BA9}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 360)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5EA5ECFC-D39D-4BAD-AC73-64FFF00D3BA9}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 304)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46F85264-C264-422A-88E8-1CD66A062AA8}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 812)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46F85264-C264-422A-88E8-1CD66A062AA8}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1636)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4B344C6-B590-45A1-A54B-DC4FC8A495EF}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1944)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4B344C6-B590-45A1-A54B-DC4FC8A495EF}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1496)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B869F6C-1033-47AA-B556-805661309D98}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1172)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B869F6C-1033-47AA-B556-805661309D98}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1324)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F8063EB-8604-4FF4-AE6D-251209D63015}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 820)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F8063EB-8604-4FF4-AE6D-251209D63015}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1860)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FA0A99A-B76E-49F4-B158-A987EFAFE27D}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 856)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FA0A99A-B76E-49F4-B158-A987EFAFE27D}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1580)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{88E37423-C82B-4EF4-B3FF-A2B73329B9F7}'" delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 272)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{88E37423-C82B-4EF4-B3FF-A2B73329B9F7}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1132)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{008F9625-DDC3-4066-B788-49FC3657C4F6}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1224)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{008F9625-DDC3-4066-B788-49FC3657C4F6}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 592)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97F00D85-BC71-4949-8703-1062C6D34D5C}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1088)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97F00D85-BC71-4949-8703-1062C6D34D5C}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 1556)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{53305AF2-5F9F-4D3C-8609-14DCE07400B8}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1112)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{53305AF2-5F9F-4D3C-8609-14DCE07400B8}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 2008)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DF6716E-9291-4F53-8EDA-9EBD48C35B06}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 944)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DF6716E-9291-4F53-8EDA-9EBD48C35B06}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 736)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{05D90694-70D7-4B6F-952F-C0123300DC18}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1916)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{05D90694-70D7-4B6F-952F-C0123300DC18}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 584)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1228787B-7BC4-4AA4-B53B-B657444EA523}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 292)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1228787B-7BC4-4AA4-B53B-B657444EA523}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 276)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FF18028-010B-4686-87FE-19F7C952B49A}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1952)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FF18028-010B-4686-87FE-19F7C952B49A}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 268)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D947DC8-B3AF-433F-9761-1C6E86ECC81D}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1964)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D947DC8-B3AF-433F-9761-1C6E86ECC81D}'" delete

  [2] C:\Windows\system32\cmd.exe (PID 392)
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9856A742-F496-4BA5-9F17-06D883495F22}'" delete
    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1736)
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9856A742-F496-4BA5-9F17-06D883495F22}'" delete

[1] C:\Windows\system32\vssvc.exe (PID 1468)
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken