Analysis
max time kernel: 97s
max time network: 58s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2023, 16:44

Static task: static1
Behavioral task: behavioral1
  Sample: Crypted.bin.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Crypted.bin.exe
  Resource: win10v2004-20230221-en
General
Target: Crypted.bin.exe
Size: 1.7MB
MD5: 927426bafb84fe8daff84cff77258e0d
SHA1: 320a91f6b810e4f5dbb38f58fd2949c780d4c807
SHA256: 6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71
SHA512: 1eb9eb0e65a6cb5ea43db76b476f8a0a78942664980eee67e46929685005f40d7f7d85be3e1dec98fce3ca7bfdce62ad2d6daafdc96a4844e84a72a721d55181
SSDEEP: 24576:/5dZufOrzvckB+Fr+waFHTcqunNW3QdWvPiVD2CWgrUE94FFs+n9rQOF8nux8igX:/5dVwPaFHTTgkAAn2IQ39y9rRF8uxG
Malware Config
Extracted from: C:\ZQXLByuZ3.README.txt
Family: lockbit
Signatures

- Lockbit
Ransomware family with multiple variants released since late 2019.

- Modifies extensions of user files (16 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\SetUse.crw => C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\GrantCompare.raw => C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\OpenSkip.tiff => C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\SaveNew.crw => C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\RestartProtect.tiff => C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | Crypted.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\CompleteDeny.png => C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | Crypted.bin.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromShow.tif => C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | Crypted.bin.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Crypted.bin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Crypted.bin.exe

- Deletes itself (1 IoC)
pid | Process
1768 | A545.tmp

- Executes dropped EXE (1 IoC)
pid | Process
1768 | A545.tmp

- Loads dropped DLL (1 IoC)
pid | Process
980 | Crypted.bin.exe

- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

- Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini | Crypted.bin.exe

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | Crypted.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | Crypted.bin.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
1768 | A545.tmp

- Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1740 set thread context of 980 | 1740 | Crypted.bin.exe | 30

- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop | Crypted.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" | Crypted.bin.exe

- Modifies registry class (40 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\RuntimeVersion = "v2.0.50727" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3\ = "ZQXLByuZ3" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon\ = "C:\\ProgramData\\ZQXLByuZ3.ico" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "Microsoft Outlook Recipient Control" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32 | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1\ = "131200" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0 | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\ = "0" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID\ = "RECIP.RecipCtl.1" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5500" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version\ = "9.4" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB} | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\ = "1" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "1" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Control | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32\ = "ole32.dll" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0\ = "Edit, 0, 2" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | Crypted.bin.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | Crypted.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" | Crypted.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3 | Crypted.bin.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
980 | Crypted.bin.exe (the same entry is repeated for all 18 IoCs)

- Suspicious behavior: RenamesItself (26 IoCs)
pid | Process
1768 | A545.tmp (the same entry is repeated for all 26 IoCs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: 33 | 1740 | Crypted.bin.exe
Token: SeIncBasePriorityPrivilege | 1740 | Crypted.bin.exe
Token: 33 | 1740 | Crypted.bin.exe
Token: SeIncBasePriorityPrivilege | 1740 | Crypted.bin.exe
Token: SeAssignPrimaryTokenPrivilege | 980 | Crypted.bin.exe
Token: SeBackupPrivilege | 980 | Crypted.bin.exe
Token: SeDebugPrivilege | 980 | Crypted.bin.exe
Token: 36 | 980 | Crypted.bin.exe
Token: SeImpersonatePrivilege | 980 | Crypted.bin.exe
Token: SeIncBasePriorityPrivilege | 980 | Crypted.bin.exe
Token: SeIncreaseQuotaPrivilege | 980 | Crypted.bin.exe
Token: 33 | 980 | Crypted.bin.exe
Token: SeManageVolumePrivilege | 980 | Crypted.bin.exe
Token: SeProfSingleProcessPrivilege | 980 | Crypted.bin.exe
Token: SeRestorePrivilege | 980 | Crypted.bin.exe
Token: SeSecurityPrivilege | 980 | Crypted.bin.exe
Token: SeSystemProfilePrivilege | 980 | Crypted.bin.exe
Token: SeTakeOwnershipPrivilege | 980 | Crypted.bin.exe
Token: SeShutdownPrivilege | 980 | Crypted.bin.exe
Token: SeDebugPrivilege | 980 | Crypted.bin.exe
The remaining 44 IoCs are the pair "Token: SeBackupPrivilege | 980 | Crypted.bin.exe" followed by the pair "Token: SeSecurityPrivilege | 980 | Crypted.bin.exe", alternating (22 of each).

- Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 2016 wrote to memory of 1740 | 2016 | Crypted.bin.exe | 28 (repeated 6 times)
PID 1740 wrote to memory of 980 | 1740 | Crypted.bin.exe | 30 (repeated 12 times)
PID 980 wrote to memory of 1768 | 980 | Crypted.bin.exe | 32 (repeated 5 times)
PID 1768 wrote to memory of 340 | 1768 | A545.tmp | 33 (repeated 4 times)
Processes

Process tree (each entry gives the image path, the command line, the PID and the signatures triggered by that process; indentation shows parent/child nesting):

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
  PID: 2016
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
    PID: 1740
    - Checks BIOS information in registry
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
      PID: 980
      - Modifies extensions of user files
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\A545.tmp
        Command line: "C:\ProgramData\A545.tmp"
        PID: 1768
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A545.tmp >> NUL
          PID: 340

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
  PID: 304
Network
MITRE ATT&CK Enterprise v6
Downloads