Analysis
-
max time kernel
599s -
max time network
601s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
15-02-2024 08:06
Behavioral task
behavioral1
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win10v2004-20231215-en
General
-
Target
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
-
Size
159KB
-
MD5
5e54923e6dc9508ae25fb6148d5b2e55
-
SHA1
97bef2aed306a8f6bde427fd22e0f20095f14af7
-
SHA256
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
-
SHA512
a8195321328c3beeae525ecedb672c520f15f2053eb39aa94efb123506741b807b666d8e15bf2c2c30fbafe9b6df8fc76a10897b3dff889683506d836b42a621
-
SSDEEP
3072:auJ9OlKolUa1U197bzhVsmftsXTUgbQ8aXqgP:aufj0zi1dNVsmftYT+5qE
Malware Config
Extracted
C:\Users\47IsP2Rni.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
61A8.tmpdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation 61A8.tmp -
Deletes itself 1 IoCs
Processes:
61A8.tmppid Process 4344 61A8.tmp -
Executes dropped EXE 1 IoCs
Processes:
61A8.tmppid Process 4344 61A8.tmp -
Drops desktop.ini file(s) 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe61A8.tmppid Process 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\WallpaperStyle = "10" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Modifies registry class 5 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 2676 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exepid Process 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
61A8.tmppid Process 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp 4344 61A8.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeDebugPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: 36 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeImpersonatePrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeIncBasePriorityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeIncreaseQuotaPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: 33 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeManageVolumePrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeProfSingleProcessPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeRestorePrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSystemProfilePrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeTakeOwnershipPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeShutdownPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeDebugPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeBackupPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe Token: SeSecurityPrivilege 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe61A8.tmpdescription pid Process procid_target PID 1680 wrote to memory of 4344 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 86 PID 1680 wrote to memory of 4344 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 86 PID 1680 wrote to memory of 4344 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 86 PID 1680 wrote to memory of 4344 1680 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe 86 PID 4344 wrote to memory of 3640 4344 61A8.tmp 94 PID 4344 wrote to memory of 3640 4344 61A8.tmp 94 PID 4344 wrote to memory of 3640 4344 61A8.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\ProgramData\61A8.tmp"C:\ProgramData\61A8.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61A8.tmp >> NUL3⤵PID:3640
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4872
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\47IsP2Rni.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD59002c5719665d9baa723a08eec072983
SHA1ea878ae5a03e2ee6e34d92e5d15e4656710536f0
SHA2560c2236449b14880c38c335a4b2b6f7b4a12651b1e5b023db1959cb1c07cf67d2
SHA5126ccb83b6dac8dd04700c7631a1f0bbde83262b5c76d3ada03f75544a883b0f550048469631bf3c39a87d0bf7db3dc617952dda955210db8fa297a8728a581bb3
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
10KB
MD5a6c25dfa6970fcca52c2565e74a6fc5e
SHA1b5688d9eb69cc157691d557a3d52a5f486b4d4b1
SHA25672a75365c778e05bb1e635834c8462708e85b6abdb31df15dceb7291e22215f0
SHA512f9116fd3454560918afa7992f499c1799aef85cb6afd82580d593c2f99af7e813c726ab51f2e172f3cfb8ea6870ba49573b10ba18f554aab7e6155ae87fa2828
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize159KB
MD5b20e44a03d60caf25881b5d6ccbba6cb
SHA11f5afb4221c5b33aa98564058f4223d8ebcb95af
SHA25694c422ae8af5888f26e273cda4ee8d3f6da63e3cbbb662477e5d286d24660923
SHA51270733ed58b8a5b76e58642c45d1fd2ec06fadb4f073bf690c53d9527c1a2c58a859e07b695e7303d7c99b35a7ba05aad665615bde7fd0747ae507577c05c27c1
-
Filesize
129B
MD5110f6518e5881e2618ba493d39700f47
SHA15b13c457d19ca8fbddd2b1ea7ad05d2114eb0fc3
SHA2560618f617f04688b448696eb623058695b090ce6b75c5c969fc0fb64af8151fe7
SHA5125b1ee754acf38d845b1b8bb6e638fb6e202e008d4c66addbf0912d955e78e1b2a7a98b85b5ccbae2ce8349c7729ae682d15baf582126ec3449a6ce07c031c62e