Malware Analysis Report

2024-11-30 11:40

Sample ID 240221-cfmhxahd9s
Target 33c2a1189c2d5716f3e89f9ab0179675.bin
SHA256 f01909eee3dec5474a5a845deea3f8fb5502ac006f65060a7e945f91c966e266
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f01909eee3dec5474a5a845deea3f8fb5502ac006f65060a7e945f91c966e266

Threat Level: Known bad

The file 33c2a1189c2d5716f3e89f9ab0179675.bin was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (584) files with added filename extension

Renames multiple (330) files with added filename extension

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-21 02:01

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 02:01

Reported

2024-02-21 02:03

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"

Signatures

Renames multiple (330) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\21A4.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\21A4.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\21A4.tmp | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe

"C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"

C:\ProgramData\21A4.tmp

"C:\ProgramData\21A4.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\21A4.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2924-0-0x0000000000DE0000-0x0000000000E20000-memory.dmp

C:\7fpKwvu5x.README.txt

MD5 9a93bdac5989317ace2a796b8d273381
SHA1 9e3200d5d2a79004d062bd88c06e7742ab1474ce
SHA256 d5eb3f426eb64d366e9f17f1142b0289ae1550b19ddb9c5e5463472350aa2e4a
SHA512 4ccb42c9b7d60640ed083d096108856eaa88106a0b2af622b3e88cc85a9c57c4ca3e1f7579a42261b73e4045c811a28bb7412009e046ad267facfbc8312e2431

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini

MD5 93036b5f41d68246c7067613fd4a3ad7
SHA1 65c94c0b9bc76d0ebbb4f0bbbb18b02072cab309
SHA256 01610aee0e25177e757231fb0c2b31d1b440319d822f6ffe4475f2cf236bd8cf
SHA512 30a803f3ca9ef2708908ac9eb372cf35957d56217fdae84cd2629995f4ceb75d98c6a14d98b2217350fbe359485ca9b553eaf5a91ac142da8cd155de3a85a5f0

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD

MD5 73e7af74de8ff6a902ed34152be76ae4
SHA1 0d244ed7abefe89f7d35394100ae30547367f355
SHA256 87bdd48bd60515daf134d696585b041a1c6099c916cd20bca4ece1f0817bcd0e
SHA512 4616979294a83c606cd6be45a4f388679fe3f48c26c26c70f18307b575d1b80fb392febc0076896835f0bfc065a179691d888a1da0f86e5790fd2914e8076c25

C:\ProgramData\21A4.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1412-853-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1412-854-0x0000000002240000-0x0000000002280000-memory.dmp

memory/1412-860-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1412-862-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 c06fe06d04ffd2a50e6ca3eb05d5b7d4
SHA1 2f16c6cbcc43a98937e8bab3c7d2a8559858f99d
SHA256 12a6f2f6c14a9c33b077ec5cba8db0cd022a4c787673cb0d42ba0e8fcdfea575
SHA512 1a902ba68525fdd668d6d0145d5747a724bd37a2949cf4bcf1ea4b0c085ffbf3d2796959eb80df371e6a3bbe4453cd7f61ea2e69504f5d1960ff5277901b8d77

memory/1412-885-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1412-886-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-21 02:01

Reported

2024-02-21 02:03

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"

Signatures

Renames multiple (584) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\ProgramData\EB1B.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\EB1B.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\EB1B.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\EB1B.tmp | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe

"C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"

C:\ProgramData\EB1B.tmp

"C:\ProgramData\EB1B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EB1B.tmp >> NUL

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp

Files

memory/936-0-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/936-1-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/936-2-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini

MD5 2b3383785a4ef1245ce991281a438e61
SHA1 8ea88436e47e0374206aa6c288d188054b99fe9f
SHA256 a2a1a6fed7a888df8279a7dffa5d142e779cf14d697169ad6d57daa9eaa2673c
SHA512 0c5eba30b60bcad2d622520d080db834b21266f9869dc23c4336acb008320b240ef60a82cc285fb7a6365b0def69ba21d4f5a6452d3538641905f5bf1c97be3a

C:\7fpKwvu5x.README.txt

MD5 85c38f851b1ebf97450897d2cee1bf1f
SHA1 007a09cd283bb17b6a45b1de3977c08b5f177b03
SHA256 1300bd82b3b745791a623c1736e7e1213ae23d9994f4a624400dc516ad261bda
SHA512 91fa87894f7329c683e987536df6fea5c9314b6b0e149eb3c8db837258cbd3dc635ff286f15a02948bf685ba1ac720167d0b8547d739b4349142b766a13781f5

F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\CCCCCCCCCCC

MD5 3cace86baac07f0c659f93db5ce68fa5
SHA1 b8132fe187fb92db024a250bff408c9f29619c36
SHA256 5b5e44369fad56089c170a95e9335ed7f073c6461ceed3c87b6bf63cfb98e106
SHA512 772874ad392d8cce7d71593fc98020f2fe1db5451028ee103e975d0503b3f342628e3a36013aeaba06efb093e4aad3f66b66ff87c7e4a3331054d12cc50fe8b5

memory/936-2720-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/936-2721-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/936-2722-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

C:\ProgramData\EB1B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4164-2727-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/4164-2728-0x0000000002430000-0x0000000002440000-memory.dmp

memory/4164-2729-0x0000000002430000-0x0000000002440000-memory.dmp

memory/4164-2730-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4164-2731-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 7eabd8cb3b55a65d31c4d856163d2755
SHA1 cc7be339482c9e37420dfc35cef440294731c754
SHA256 73fd51365a07852a2d44c66875f9f830291300b9d6fdd47bd966d9b1ce125d6b
SHA512 7cda2dae46aa139f315a1fc525b5133c81568ec4a6f031455981f61868cfef3bcf770f63cfd9ff825956478cfb7d3b49f81c870b9656e3e9d58b5bf54217feea

memory/4164-2760-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/4164-2761-0x000000007FE00000-0x000000007FE01000-memory.dmp