Analysis
max time kernel: 214s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 16-02-2024 06:41
Behavioral task
behavioral1
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource
win10v2004-20231222-en
General
Target: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Size: 159KB
MD5: 5e54923e6dc9508ae25fb6148d5b2e55
SHA1: 97bef2aed306a8f6bde427fd22e0f20095f14af7
SHA256: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
SHA512: a8195321328c3beeae525ecedb672c520f15f2053eb39aa94efb123506741b807b666d8e15bf2c2c30fbafe9b6df8fc76a10897b3dff889683506d836b42a621
SSDEEP: 3072:auJ9OlKolUa1U197bzhVsmftsXTUgbQ8aXqgP:aufj0zi1dNVsmftYT+5qE
Malware Config
Extracted
C:\Users\47IsP2Rni.README.txt
lockbit
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes itself 1 IoCs
Processes:
pid | Process
3048 | 9389.tmp
Executes dropped EXE 1 IoCs
Processes:
pid | Process
3048 | 9389.tmp
Loads dropped DLL 1 IoCs
Processes:
pid | Process
1380 | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Drops desktop.ini file(s) 2 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp" | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp" | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
pid | Process (identical rows collapsed, with counts)
1380 | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (6 entries)
3048 | 9389.tmp (6 entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 2 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallpaperStyle = "10" | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Modifies registry class 5 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico" | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni" | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | Process (identical rows collapsed, with counts)
1380 | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (14 entries)
Suspicious behavior: RenamesItself 26 IoCs
Processes:
pid | Process (identical rows collapsed, with counts)
3048 | 9389.tmp (26 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | Process (every entry is pid 1380, Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe; identical rows collapsed, with counts, 64 entries in total)
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege (25 entries)
Token: SeDebugPrivilege (2 entries)
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege (25 entries)
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | Process | procid_target (identical rows collapsed, with counts)
PID 1380 wrote to memory of 3048 | 1380 | 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe | 30 (5 entries)
PID 3048 wrote to memory of 940 | 3048 | 9389.tmp | 35 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"
PID:1380
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\ProgramData\9389.tmp (child of PID 1380)
  Command line: "C:\ProgramData\9389.tmp"
  PID:3048
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (child of PID 3048)
    Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9389.tmp >> NUL
    PID:940
C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x154
PID:1908
Network
MITRE ATT&CK Enterprise v15
Downloads