Malware Analysis Report

2024-11-30 11:31

Sample ID 240225-fjav3acf7t
Target LB3.bin
SHA256 4cd8104440fb28afb5cadcfbdc529f57f62db479b679117c0c461fdae5796997
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4cd8104440fb28afb5cadcfbdc529f57f62db479b679117c0c461fdae5796997

Threat Level: Known bad

The file LB3.bin was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (614) files with added filename extension

Renames multiple (363) files with added filename extension

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 04:53

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 04:53

Reported

2024-02-25 04:56

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (363) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\9740.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\9740.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (4 identical rows)
N/A N/A C:\ProgramData\9740.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon\ = "C:\\ProgramData\\8jRMgfBxd.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd\ = "8jRMgfBxd" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (24 rows; the remaining 48 rows alternate two SeBackupPrivilege and two SeSecurityPrivilege adjustments, repeated 12 times)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (24 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\9740.tmp (5 identical rows)
PID 2892 wrote to memory of 1804 N/A C:\ProgramData\9740.tmp C:\Windows\SysWOW64\cmd.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\ProgramData\9740.tmp

"C:\ProgramData\9740.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9740.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

MD5 a306822168892bbc13c9d846c16333a9
SHA1 21241eb1c4f7438f072f93e03cd51c84beb67a4c
SHA256 98e258a89e325f556a0cf103860ef2be2feaba240b21909d53000a1b8f9dd1f4
SHA512 24a7bf6d4850fa4381c042a6aa143e499390421fde1733331f72eaa4387f7677d8a24ac7ecbddec30847c4db6ec8960dd7f29a7e862390342ab3bdd8fe9befd5

C:\8jRMgfBxd.README.txt

MD5 b0442f11b313b9d0a578f5c827e12ee8
SHA1 0d8ddcad9cce6e8fed1985ade48accdcc0beb041
SHA256 dc868806f81b98c70451bc6375fa1a97821bb7b6a676863761ddeedfa4baf548
SHA512 713b63c3a0e2a58b3efa2f37081b42ac07d83c224a40eacc8c90f69ee8fb29355dd8fa44318f26aaa91f76544c1afce8b1d57c45c60d09862901250e3c67841d

F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\EEEEEEEEEEE

MD5 df89d20cb62d44f377faced17f19950e
SHA1 53a8018d1f795d3a8336a99ea441fcea60fbc524
SHA256 229e6b9ed20441692b143168cb35f71c30a956c7cd64e7db9145cf4305c09826
SHA512 1493c62910b5a5add41bae108959528334fc98a152999fd7b05896449f6acab62cc60b4fa65a7b6f41f43250692a0ae1c37b5f92e1dbafe47747eed835b424db

\ProgramData\9740.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 3d45925acb964b7679d8e5fea29cd492
SHA1 0d44617c80a04a83dacde452c47258af968917b3
SHA256 acb1520a549597e81082c78cae01836dc3aa3c2fdf711bff421c84a29db0e9a1
SHA512 16fe9cbde4960747bf403df28c86b20d88a42d7f450a43c647f7bba23cc904138a7e5f815e56e86f0e1ee2200fb522d0f1864a585ad6b2691b92edf69a47178e

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 04:53

Reported

2024-02-25 04:56

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (614) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation C:\ProgramData\9442.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\9442.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\9442.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3316742141-2240921845-2885234760-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3316742141-2240921845-2885234760-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP8b_budi2h7uoegxehox6nw4f.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPe01_okn059pvhofvv1oqv7nhc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPeebamy9j8i52ocgojx7f5qrrb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (4 identical rows)
N/A N/A C:\ProgramData\9442.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd\ = "8jRMgfBxd" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon\ = "C:\\ProgramData\\8jRMgfBxd.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (24 rows; the remaining 48 rows alternate two SeBackupPrivilege and two SeSecurityPrivilege adjustments, repeated 12 times)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A (24 rows)

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C25276E7-408B-46D7-B972-C007A7AF8EC1}.xps" 133533104339560000

C:\ProgramData\9442.tmp

"C:\ProgramData\9442.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9442.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-3316742141-2240921845-2885234760-1000\desktop.ini

MD5 105150be7f2e66947b045dd08b17cccb
SHA1 6d9987491a8db9cb9e3fa0ff5af8dcf0cca471a7
SHA256 5a50f48aefaa08fb5894fcb7d465bf7834a72675a87bb3702a2392de3bf9d3d6
SHA512 c2d86eb082d109606b1bbf00fbfd1a0fab386195633833561c22b9715fa7cba8eabeea00a1419774f1db5a913823c00994b9f6a04efbcdd1f0bb0ba55db36375

F:\$RECYCLE.BIN\S-1-5-21-3316742141-2240921845-2885234760-1000\DDDDDDDDDDD

MD5 23ebdcdb2f8212634ecb34cc1ed80828
SHA1 c73e2fd9abee1b821484aa4076adbfeb1405df9e
SHA256 332beabb3c851dee213bfb701c123518b00f03b5c9d1c284b5425ecc734f4a5a
SHA512 4054a80010440113fb7dc62b2f1249b880cf77a9f74f2aee495a36ad3f17618fe1b3c0970347194e29a3615c35a3792edeec95d5a6a8d29dbf30a2a44a84cdc9

C:\8jRMgfBxd.README.txt

MD5 b0d649501718b7599279073e8b7e68ed
SHA1 0edaefe4f43717960019e4aebe1bfc400229640c
SHA256 3459b8677424943b7896486ea79c49dd6c908b6b7182aa32b70e903cb03c16ac
SHA512 091c3056a218db0220be2c4bcfac9a0069d75a49c49e9446fc00204f30408a4e2887a075c632598dc3904b2fcd5ad271cd4c03f7a76a9ae1d43d655683f8e480

C:\ProgramData\9442.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 86b842fe531075d9c58e3f3decabe983
SHA1 c6323b48636273ee6bc0abc8ab2612623cedb579
SHA256 b554d34c19e7183f09812a12a30422fec5798d4be6803e99e154374dce0d3cfd
SHA512 429e5e8bd5efaca5fcd76793553c685102e91a04b2a8c9b92e1810d2af263265ed2a3439133671d649b08cfd7f72c22781c42a4635eca99b53aa3c228110fc43

C:\Users\Admin\AppData\Local\Temp\{FCEC60A7-BD8C-40E6-BB0F-23C9E0D1EB42}

MD5 ba947b99273695bb897f6ab6cb35fb9e
SHA1 ec524905458aafde90688d32933defeb035756a1
SHA256 4e2bff90f839168a777ab23d76cc051926d6deb9d82496cf968f0dbed17af8ea
SHA512 c6dbc6fb497335da7ac91bb88fd97c84cc8883be554de4482947ee971e0808d02c310e01d7958c01e9f65cf59045b094b65371f96a370367a4beee305a7d396f

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 b822318ef741ee3b3f98820c8ce0a2dc
SHA1 f235867858e1becd2f638207a50bf0c498cf964f
SHA256 a81f8e719b756d481c7e50afbc282cc37edf570311011ca9dcd1a028000e07b1
SHA512 233550af40ef99684c607d1cd66794d82c115d027049bee2347f1caeea2092eae28bf05011eab2f67d4c686e5d6198386ce64a178b0e542a81929fd6ee8e5672
