Analysis Overview
SHA256
d4f150a8b26e9edccae4987433fb5b8a105970db143ba196f13652730c635668
Threat Level: Known bad
The file ####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe was found to be: Known bad.
Malicious Activity Summary
Lockbit
Renames multiple (157) files with added filename extension
Renames multiple (178) files with added filename extension
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Program crash
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies Control Panel
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-26 12:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-26 12:21
Reported
2024-02-26 12:25
Platform
win7-20240221-en
Max time kernel
152s
Max time network
119s
Command Line
Signatures
Lockbit
Renames multiple (157) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb\ = "5lq6EmbYb" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon\ = "C:\\ProgramData\\5lq6EmbYb.ico" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
| N/A | N/A | C:\ProgramData\2A4B.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe
"C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe"
C:\ProgramData\2A4B.tmp
"C:\ProgramData\2A4B.tmp"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StepNew.otf.5lq6EmbYb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendGrant.xls.5lq6EmbYb
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2A4B.tmp >> NUL
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\PublishReceive.wpl.5lq6EmbYb
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnprotectPop.vstx.5lq6EmbYb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SwitchStop.edrwx.5lq6EmbYb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SwitchStop.edrwx.5lq6EmbYb
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5lq6EmbYb.README.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5lq6EmbYb.README.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5lq6EmbYb.README.txt
Network
Files
memory/2972-2-0x0000000000400000-0x000000000044D000-memory.dmp
memory/2972-1-0x0000000000240000-0x0000000000269000-memory.dmp
memory/2972-0-0x0000000000220000-0x000000000023C000-memory.dmp
memory/2972-3-0x0000000000730000-0x0000000000770000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
| MD5 | c8001fd03e89aacdf1260b577599ac28 |
| SHA1 | fc87b54b41964ea8209a63963acfa8520bdcc991 |
| SHA256 | e98e2b7736ee5bf2bde70cf6aac8c78b21950f1933eefda559ba1e514768cdfa |
| SHA512 | a0e23dac33f7e271115dde562e3bcb51a748a6f1e48381e6161f018f8d47d616e03d9dcaa19a59d9b79f86d8e4aa8cb1a8f4b1ff42d3ed8eacedcc3f031dfe0f |
C:\Users\5lq6EmbYb.README.txt
| MD5 | e55a26eaee3d2a5b4bb48f3a74a710c4 |
| SHA1 | ccc7b73bba41f2e615cb59af48507f49ecdb84b2 |
| SHA256 | 99110c5e47b683d239d3dca9ddb032c67f2cfe2d579d732f0361ac48e37585e1 |
| SHA512 | 47169d0889782d195fd4dd9aa483c6021cb3dca20438913c054b35d1987a3aff1f5f40a5fd47638a7087774634ed97effd4c686f32058dd91168324b6b5255eb |
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\CCCCCCCCCCC
| MD5 | 643a21c42b9fcb7d34dd48acb65f8e0f |
| SHA1 | 353374f379980d3d1966a33b3156fcbebc9d2e33 |
| SHA256 | 83db73447632453af0c4c9b31762c41ea319129f6d9bf8aef1a9eb227575c0e0 |
| SHA512 | 6449d9a6e8715cbc53b2d155b5382e118f4c6d1dff95c3b95901ecf67529d8bbad12358627b64d7653e9e1667033961178293e24b0f2da803e01832ac23b8587 |
\ProgramData\2A4B.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/2056-290-0x0000000000400000-0x0000000000407000-memory.dmp
memory/2972-292-0x0000000000400000-0x000000000044D000-memory.dmp
memory/2056-293-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2056-295-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2056-296-0x000000007EF80000-0x000000007EF81000-memory.dmp
memory/2056-298-0x000000007EF20000-0x000000007EF21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 1afe44c622877fbaac5f85f3c7db44d1 |
| SHA1 | 1c8d480f2f758df6a70aa01b440b9ed0557042a0 |
| SHA256 | 8015d518a8aec9563b24b5b65eadb47c24b345707513edcead89d73c83331c2d |
| SHA512 | 60624d4aee39edfaf5a799325d97ece22d647e51ff61e1775912dbf31201c6f3d29035afb51361824c7b517e0e8c5ad101bb12e50c387bfb706231f60d825fce |
memory/2056-302-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
memory/2056-326-0x0000000000400000-0x0000000000407000-memory.dmp
memory/2056-327-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2056-330-0x000000007EF40000-0x000000007EF41000-memory.dmp
memory/2056-331-0x000000007EF60000-0x000000007EF61000-memory.dmp
memory/2056-332-0x0000000000400000-0x0000000000407000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-26 12:21
Reported
2024-02-26 12:24
Platform
win10v2004-20240221-en
Max time kernel
93s
Max time network
114s
Command Line
Signatures
Lockbit
Renames multiple (178) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | C:\ProgramData\C3FC.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon\ = "C:\\ProgramData\\5lq6EmbYb.ico" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb\ = "5lq6EmbYb" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3FC.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4100 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\C3FC.tmp |
| PID 4100 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\C3FC.tmp |
| PID 4100 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\C3FC.tmp |
| PID 4100 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\C3FC.tmp |
| PID 4412 wrote to memory of 2712 | N/A | C:\ProgramData\C3FC.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4412 wrote to memory of 2712 | N/A | C:\ProgramData\C3FC.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4412 wrote to memory of 2712 | N/A | C:\ProgramData\C3FC.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe
"C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe"
C:\ProgramData\C3FC.tmp
"C:\ProgramData\C3FC.tmp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1164
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C3FC.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4100-0-0x0000000002190000-0x00000000021AC000-memory.dmp
memory/4100-1-0x00000000021E0000-0x0000000002209000-memory.dmp
memory/4100-2-0x0000000000400000-0x000000000044D000-memory.dmp
memory/4100-4-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/4100-3-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/4100-5-0x00000000022D0000-0x00000000022E0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\CCCCCCCCCCC
| MD5 | ba341a5482c2a82cd6af7d1dc7237a4d |
| SHA1 | 3dc036aedd6f8eb4b821c87e688b68f80bd3aec8 |
| SHA256 | 03d0617ab9122ff53de974dcc7bb38729274c8960d915ac044624cc5970c18de |
| SHA512 | 7758c3718fedb318941f81863352808c5e7f93b2c0bb6b39e367ecf6981dbade1c4ecb7fa17a9cc6eba1daccea194f8f8c06070b2d8165665b899f46be3039b2 |
F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\DDDDDDDDDDD
| MD5 | 0c24b055915d5f7b60340b7600a9d2a6 |
| SHA1 | eeaf8cbc68bd5c2bc7c40bf42f8c7fe354c58bc0 |
| SHA256 | f755174de35d93ffc213d5f94758d8c17c7418921c4c30e1ba35b77a7b3e750d |
| SHA512 | ed721029e69b211c467fa668afcc9f2e66beb3a439c570d8075173941bf48f32fcf4e3d0e095b06bb66f87dadf4908691f27524d352ec4b2f43d40e576b71143 |
C:\5lq6EmbYb.README.txt
| MD5 | 420ecad14b4e9b0f33e4891e0febc7cf |
| SHA1 | 6cf8a0ce9b1ba0962d156c346bef5792fb1ca189 |
| SHA256 | e20c9443a8341a8689d9b2761bdd49cfd7b6d24b3875450eab034c21fd0d4d02 |
| SHA512 | d8ee9417698a82ecd6f442ea2392dd6945a2ea7a376990a0bea42b168d6f6d8113c70146fab4c3249df1364b893ecbeb3b658f8fb2cae208222eca9197d00b8b |
memory/4100-333-0x0000000000400000-0x000000000044D000-memory.dmp
C:\ProgramData\C3FC.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/4412-339-0x0000000000400000-0x0000000000407000-memory.dmp
memory/4412-340-0x0000000002600000-0x0000000002610000-memory.dmp
memory/4412-341-0x0000000002600000-0x0000000002610000-memory.dmp
memory/4412-342-0x000000007FE20000-0x000000007FE21000-memory.dmp
memory/4412-343-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
memory/4412-344-0x000000007FE40000-0x000000007FE41000-memory.dmp
memory/4100-345-0x0000000000400000-0x000000000044D000-memory.dmp
memory/4100-346-0x00000000021E0000-0x0000000002209000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | ec227250bdf7e9873fbe806a6ae1f56e |
| SHA1 | bfd0e94dcb398917b61a2665ea0650822c272a91 |
| SHA256 | 402e14b1efa1d9f52349a493917566cf0a445479c77ecf51eecf3c43c402f3cb |
| SHA512 | 2f8afe2da3a339769691ee0bc7cc7f2ad1a35ba3ad3ab7ccea66b2acb2246525fc6e37e40ecd4fc0857a63317e3cef2c40c3d86c4b7f769f23c198f6f606bcc3 |
memory/4412-375-0x0000000000400000-0x0000000000407000-memory.dmp
memory/4412-378-0x0000000002600000-0x0000000002610000-memory.dmp
memory/4412-377-0x0000000002600000-0x0000000002610000-memory.dmp
memory/4412-380-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
memory/4412-381-0x000000007FE00000-0x000000007FE01000-memory.dmp
memory/4412-382-0x0000000000400000-0x0000000000407000-memory.dmp