Analysis
max time kernel: 297s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-02-2024 06:41

Behavioral task behavioral1
Sample: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Resource: win10v2004-20231222-en
General
Target: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe
Size: 159KB
MD5: 5e54923e6dc9508ae25fb6148d5b2e55
SHA1: 97bef2aed306a8f6bde427fd22e0f20095f14af7
SHA256: 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9
SHA512: a8195321328c3beeae525ecedb672c520f15f2053eb39aa94efb123506741b807b666d8e15bf2c2c30fbafe9b6df8fc76a10897b3dff889683506d836b42a621
SSDEEP: 3072:auJ9OlKolUa1U197bzhVsmftsXTUgbQ8aXqgP:aufj0zi1dNVsmftYT+5qE
Malware Config
Extracted
C:\47IsP2Rni.README.txt
lockbit
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (116) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process 4CF7.tmp: key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
Process: 4CF7.tmp (PID 3332)

Executes dropped EXE (1 IoC)
Process: 4CF7.tmp (PID 3332)

Drops desktop.ini file(s) (2 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: file opened for modification C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: file opened for modification F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47IsP2Rni.bmp"
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47IsP2Rni.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (PID 116): 6 occurrences
Process 4CF7.tmp (PID 3332): 6 occurrences
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (2 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallpaperStyle = "10"

Modifies registry class (5 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47IsP2Rni\ = "47IsP2Rni"
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47IsP2Rni\DefaultIcon\ = "C:\\ProgramData\\47IsP2Rni.ico"

Opens file in notepad (likely ransom note) (1 IoC)
Process: NOTEPAD.EXE (PID 4048)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (PID 116): 12 occurrences

Suspicious behavior: RenamesItself (26 IoCs)
Process 4CF7.tmp (PID 3332): 26 occurrences

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process 87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (PID 116) adjusted the following token privileges, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege, followed by repeated alternating pairs of SeBackupPrivilege and SeSecurityPrivilege adjustments for the remaining entries.

Suspicious use of FindShellTrayWindow (1 IoC)
Process: NOTEPAD.EXE (PID 4048)

Suspicious use of WriteProcessMemory (7 IoCs)
PID 116 (87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe) wrote to memory of PID 3332, procid_target 88: 4 occurrences
PID 3332 (4CF7.tmp) wrote to memory of PID 3912, procid_target 97: 3 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe (PID 116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\87b76f35740262abb8da224b94779ff56eb6346318b4f9fb1988a59a72a4e6c9.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\4CF7.tmp (PID 3332)
      Command line: "C:\ProgramData\4CF7.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3912)
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF7.tmp >> NUL

C:\Windows\System32\rundll32.exe (PID 4268)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE (PID 4048)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\47IsP2Rni.README.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15