Malware Analysis Report

2024-11-30 11:30

Sample ID: 240227-ktg5cacg32
Target: abc.bin
SHA256: 1520e4cb2748aa5725d8b6c242ff6cf365f6672db35df2745c920ed228666317
Tags: lockbit, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1520e4cb2748aa5725d8b6c242ff6cf365f6672db35df2745c920ed228666317

Threat Level: Known bad

The file abc.bin was found to be: Known bad.

Malicious Activity Summary

Tags: lockbit, ransomware

Lockbit
Renames multiple (144) files with added filename extension
Renames multiple (167) files with added filename extension
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-02-27 08:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-27 08:53
Reported: 2024-02-27 08:55
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abc.exe"

Signatures

Lockbit
Tags: ransomware, lockbit

Renames multiple (144) files with added filename extension
Tags: ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\ProgramData\4A76.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\4A76.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4A76.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Sets desktop wallpaper using registry

Tags: ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ONa9v7hKI.bmp" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ONa9v7hKI.bmp" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\abc.exe

Modifies Control Panel

Tags: evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon\ = "C:\\ProgramData\\ONa9v7hKI.ico" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI\ = "ONa9v7hKI" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
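
The five rows above (and the identical set in the behavioral1 run) are the file-type registration that makes every encrypted file display the ransomware's icon: HKLM\Software\Classes\.ONa9v7hKI maps the new extension to the ProgID ONa9v7hKI, whose DefaultIcon points at C:\ProgramData\ONa9v7hKI.ico, while the HKCU Control Panel\Desktop\Wallpaper rows swap in the ransom wallpaper. The following detector is an added example, not code from the sandbox or from this report: it parses indicator rows in the layout printed here (constructed inline from this report, plus a hypothetical benign installer as a control), extracts the extension, ProgID, icon and wallpaper paths, and flags the combination "new extension whose icon lives under ProgramData, set by the same process that changed the wallpaper". The ransom-note name it derives (<extension>.README.txt) follows the files listed later in this report and is an assumption for other samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry rows constructed from this report's behavioral2 section
# (same layout the sandbox prints: Description Indicator Process Target).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ONa9v7hKI.bmp" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon\ = "C:\\ProgramData\\ONa9v7hKI.ico" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI\ = "ONa9v7hKI" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
"""

# Hypothetical benign control: an installer registering its own file type
# with an icon under Program Files and touching no wallpaper key.
BENIGN_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.foo\ = "FooFile" C:\Users\Admin\Downloads\foo-setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FooFile\DefaultIcon\ = "C:\\Program Files\\Foo\\foo.ico" C:\Users\Admin\Downloads\foo-setup.exe N/A
"""

# "Set value (<type>) <key> = "<value>" <process> <target>"; the key may contain
# spaces (Control Panel), the process path here does not. "Key created" rows
# carry no value and are skipped.
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<val>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
EXT_RE = re.compile(r"\\Classes\\\.([^\\]+)$")            # ...\Classes\.<ext>
ICON_RE = re.compile(r"\\Classes\\([^\\]+)\\DefaultIcon$")  # ...\Classes\<progid>\DefaultIcon
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)


@dataclass
class Findings:
    extension: Optional[str] = None
    progid: Optional[str] = None
    icon_path: Optional[str] = None
    icon_proc: Optional[str] = None
    wallpaper_path: Optional[str] = None
    wallpaper_proc: Optional[str] = None


def unescape(value: str) -> str:
    """The sandbox prints registry strings with doubled backslashes."""
    return value.replace("\\\\", "\\")


def analyze(rows: str) -> Findings:
    f = Findings()
    for line in rows.strip().splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        key = m["key"].rstrip("\\")  # default value is printed as "<key>\"
        val, proc = unescape(m["val"]), m["proc"]
        if em := EXT_RE.search(key):
            f.extension, f.progid = em.group(1), val
        elif ICON_RE.search(key):
            f.icon_path, f.icon_proc = val, proc
        elif WALLPAPER_RE.search(key):
            f.wallpaper_path, f.wallpaper_proc = val, proc
    return f


def is_ransomware_extension_registration(f: Findings) -> bool:
    """New extension + icon under ProgramData + wallpaper swap by one process."""
    if not (f.extension and f.progid and f.icon_path and f.wallpaper_path):
        return False
    icon_dir = f.icon_path.lower().rsplit("\\", 1)[0]
    return icon_dir == "c:\\programdata" and f.icon_proc == f.wallpaper_proc


def derived_iocs(f: Findings) -> List[str]:
    """File-system indicators implied by the registry findings."""
    # <ext>.README.txt matches the note name in this report's Files section;
    # an assumption for other samples.
    return [f.icon_path, f.wallpaper_path, f"*.{f.extension}", f"{f.extension}.README.txt"]


if __name__ == "__main__":
    for name, rows in (("sample", SAMPLE_ROWS), ("benign", BENIGN_ROWS)):
        found = analyze(rows)
        print(name, is_ransomware_extension_registration(found), found)
```

The same rows with real data come from Sysmon EventID 13 (RegistryEvent value set) or an EDR registry feed; only the row regex needs to change to that source's layout.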

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
(the four rows above repeat 12 times in the trace: 24 SeBackupPrivilege and 24 SeSecurityPrivilege adjustments by abc.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe C:\ProgramData\4A76.tmp (4 events)
PID 388 wrote to memory of 2892 N/A C:\ProgramData\4A76.tmp C:\Windows\SysWOW64\cmd.exe (3 events)

Processes

C:\Users\Admin\AppData\Local\Temp\abc.exe

"C:\Users\Admin\AppData\Local\Temp\abc.exe"

C:\ProgramData\4A76.tmp

"C:\ProgramData\4A76.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 800

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4A76.tmp >> NUL
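
The process list above, read together with the WriteProcessMemory rows, gives the lineage abc.exe (2900) -> 4A76.tmp (388) -> cmd.exe (2892), where the last step is the dropped file removing itself with DEL /F /Q C:\PROGRA~3\4A76.tmp. Two details are worth spelling out: PROGRA~3 is the 8.3 short name that on a default install resolves to C:\ProgramData (PROGRA~1 and PROGRA~2 being Program Files and Program Files (x86); the real mapping depends on directory creation order on the victim), and the image path is SysWOW64\cmd.exe although the command line names System32\cmd.exe because the 32-bit parent is subject to WOW64 file-system redirection. The script below is an added example, not code from the sandbox or this report: it rebuilds the tree from the WriteProcessMemory rows (constructed from this report with the duplicate rows collapsed), attaches the listed command lines by image path since the sandbox prints no PID next to them, expands the assumed short-name table, and flags both the self-delete and the "executable dropped under ProgramData launched from Temp" pattern.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from this report's behavioral2 "Suspicious use of
# WriteProcessMemory" rows (duplicates collapsed). The sandbox reports the
# first cross-process write as the parent/child relationship.
WPM_ROWS = r"""
PID 2900 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe C:\ProgramData\4A76.tmp
PID 388 wrote to memory of 2892 N/A C:\ProgramData\4A76.tmp C:\Windows\SysWOW64\cmd.exe
"""

# Image path -> command line, as listed under Processes in this report.
COMMAND_LINES = {
    r"C:\Users\Admin\AppData\Local\Temp\abc.exe": r'"C:\Users\Admin\AppData\Local\Temp\abc.exe"',
    r"C:\ProgramData\4A76.tmp": r'"C:\ProgramData\4A76.tmp"',
    r"C:\Windows\SysWOW64\cmd.exe": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4A76.tmp >> NUL',
}

# 8.3 short names as found on a default install. This is an assumption: the
# mapping depends on creation order on the victim (check with `dir /x C:\`).
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)
# "DEL [/F /Q ...] <target>" anywhere in a cmd.exe command line
DEL_RE = re.compile(r"\bDEL\b((?:\s+/\w)*)\s+(\S+)", re.IGNORECASE)


def expand_short_names(path: str) -> str:
    for short, long_name in SHORT_NAMES.items():
        path = re.sub(re.escape(short), long_name, path, flags=re.IGNORECASE)
    return path


def build_tree(rows: str) -> Tuple[Dict[int, str], Dict[int, int]]:
    """Return (pid -> image path, child pid -> parent pid)."""
    image: Dict[int, str] = {}
    parent: Dict[int, int] = {}
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["src_img"], m["dst_img"]
        parent.setdefault(dst, src)  # first writer is treated as the creator
    return image, parent


def render_tree(image: Dict[int, str], parent: Dict[int, int]) -> List[str]:
    children = defaultdict(list)
    for child, p in parent.items():
        children[p].append(child)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(pid for pid in image if pid not in parent):
        walk(root, 0)
    return lines


def find_self_delete(image, parent, cmdlines: Dict[str, str]) -> List[str]:
    """Flag a child whose DEL target, after short-name expansion, is its parent's image."""
    hits = []
    for pid, img in image.items():
        m = DEL_RE.search(cmdlines.get(img, ""))
        if not m or pid not in parent:
            continue
        target = expand_short_names(m.group(2)).lower()
        ppid = parent[pid]
        if target == image[ppid].lower():
            hits.append(f"{ppid} {image[ppid]} deletes itself via pid {pid}: {cmdlines[img]}")
    return hits


def find_dropped_launch(image, parent) -> List[str]:
    """Flag an image under ProgramData started by an image under a Temp directory."""
    return [
        f"{p} {image[p]} launched dropped file {child} {image[child]}"
        for child, p in parent.items()
        if image[child].lower().startswith("c:\\programdata\\") and "\\temp\\" in image[p].lower()
    ]


if __name__ == "__main__":
    img, par = build_tree(WPM_ROWS)
    print("\n".join(render_tree(img, par)))
    print(*find_dropped_launch(img, par), *find_self_delete(img, par, COMMAND_LINES), sep="\n")
```

Treating the first WriteProcessMemory event as the creator is what the sandbox does for the table above (the write is the parent populating the child's address space at creation); on a real host the same tree comes from Sysmon EventID 1 or the Security log's 4688 with ParentProcessId, without this inference.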

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 92.123.128.156:443 www.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 156.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Note: none of these rows is attributed to abc.exe, 4A76.tmp or cmd.exe. Lookups of g.bing.com / www.bing.com and reverse (in-addr.arpa) PTR queries for addresses the OS contacts on its own are routine Windows background traffic on the win10v2004 image, and the win7 run below recorded no network activity at all. Do not use these destinations as indicators for this sample; the registry keys, dropped files and hashes in this report are the actionable IOCs.

Files

memory/2900-1-0x0000000000520000-0x0000000000620000-memory.dmp

memory/2900-2-0x00000000008F0000-0x0000000000919000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2900-4-0x0000000002290000-0x00000000022A0000-memory.dmp

memory/2900-5-0x0000000002290000-0x00000000022A0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\DDDDDDDDDDD

MD5 abb14f0877e3d3d2210ba34799ab6ff2
SHA1 92bea1d1cc2f0733925cb9234ea2f26dd429b0f5
SHA256 79e715479b8405330ce1ff36597bfad96cbf51950fd263ac18ebc07dd523e645
SHA512 d2f6e98ac9a07f455ef391fdebb7418ef24bd0688e1db1bcf8fd358bc6606300fb59ee4a6fc012dee1f7e9900bc4694fed6991024a72af666ed5003dcdca7bad

F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\DDDDDDDDDDD

MD5 147ad975848c847130778652e18193dd
SHA1 07e5d9d7dee4cf7838212807b644f67dee703a98
SHA256 d457cb610d5176b09791f8db746cb00f7d59a6543fef531f152a991ee7df98b3
SHA512 1f86cbeea7a59cff4e52628db76f3eee40a0157ac90fc05b0efce2d3730ba6f90633d2a09f3092f32a2b9f89cf685b9b4c5015891a9d9b899cad10e75d77bf11

F:\ONa9v7hKI.README.txt

MD5 032da997600fff47a2461a6879d6d3ad
SHA1 fb41fbfc9d26dc4a2c80691cf003a0149a00a31f
SHA256 97ea37dbaaa3642460bb3e9a634a22313230fe3c026945da7522a96f039d6a0f
SHA512 5a1b6bbd0336000af4661057b36e5b0b7ad51f2fb77bf778e35ea6fa37b3a2e754a8327fff48226d1c96aa1bedee12f1eba16749cd2eb66b0030999ee7326579

C:\ProgramData\4A76.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/388-304-0x0000000000400000-0x0000000000407000-memory.dmp

memory/388-305-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/388-306-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/388-307-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/388-308-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2900-309-0x0000000000400000-0x0000000000463000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEEEEEE

MD5 e5b650c52c9b1f0bf3bd8cc44a014f4a
SHA1 c00fc195c6b85d95681e35a4c64619f25fcbee41
SHA256 befdd06456490ccf5da9301d2e32b4545951274218d872d39c2938a2cca0a18e
SHA512 d6c4e068ff2bf7faee948e3b63b50499964012862cb663b54c70dca52408f9c69be9e0f05f15445f4c77b50b720cf7d1605551dd0c4013510fcfaa29b986c65e

memory/388-339-0x0000000000400000-0x0000000000407000-memory.dmp

memory/388-340-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/388-341-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/388-343-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/388-344-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/388-345-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-27 08:53
Reported: 2024-02-27 08:56
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abc.exe"

Signatures

Lockbit
Tags: ransomware, lockbit

Renames multiple (167) files with added filename extension
Tags: ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\7AAC.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7AAC.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Sets desktop wallpaper using registry

Tags: ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ONa9v7hKI.bmp" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ONa9v7hKI.bmp" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Modifies Control Panel

Tags: evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI\ = "ONa9v7hKI" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon\ = "C:\\ProgramData\\ONa9v7hKI.ico" C:\Users\Admin\AppData\Local\Temp\abc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.exe N/A
(the four rows above repeat 12 times in the trace: 24 SeBackupPrivilege and 24 SeSecurityPrivilege adjustments by abc.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\abc.exe C:\ProgramData\7AAC.tmp (5 events)

Processes

C:\Users\Admin\AppData\Local\Temp\abc.exe

"C:\Users\Admin\AppData\Local\Temp\abc.exe"

C:\ProgramData\7AAC.tmp

"C:\ProgramData\7AAC.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

memory/3056-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/3056-2-0x0000000000220000-0x0000000000249000-memory.dmp

memory/3056-3-0x0000000000400000-0x0000000000463000-memory.dmp

memory/3056-4-0x0000000002010000-0x0000000002050000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini

MD5 2c367fe0023ef0a1cecd59bd388da6db
SHA1 bb2dcf0fd7f0f51b10c87eede849cdc9878bc2d7
SHA256 7108005a55b87b8ee757c3834ec3a9d53585e61585c786dcb9af32820a4e6f09
SHA512 64b971918b4f04a51696bd99681a03694402ad08e181cbadb39974c5552075ad0e779f27423d01b5af518684903f529e35af9efee6c7d2fd5cde31a192cc00af

F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\IIIIIIIIIII

MD5 c977eccfa0089f5ab4d799961db6c249
SHA1 f6b829770c46af4b1cdd2eb94db620dcc2198a9f
SHA256 cbbba4f742a0ac83b2b69859a20743bce4ea9d95f83a9070a138207ed9ea3a01
SHA512 068d097c945c248d99c1e45c9ba4b0284578a4245e07049585fe2f8a62b6c2e52b06a77aa3da75fa78657ca71f55c75973a9ca2e09ea3d61c98fddbe2c0a5b37

C:\Users\ONa9v7hKI.README.txt

MD5 b00d3d96d98d383287c76c635277f8e7
SHA1 e8f3366e9f79a0c88c5b0eaca2a005f97c9e5e03
SHA256 2860959f487d9889683634d62bb70a73a18a3b7bdefd6537586da39494f8f9ed
SHA512 00831b41b54d6f2e47404f30843a90efb02a3988ec42f54166eb20df16523c95e83c37b11410b90b0f9e60424aaef012921e511a070acb2040c8e3287156af99

memory/3056-294-0x0000000000400000-0x0000000000463000-memory.dmp

\ProgramData\7AAC.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1152-302-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1152-304-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1152-306-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1152-307-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1152-308-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1152-309-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 74422aa430ace88228ce44f999b95967
SHA1 ac6a8b1d8dd007ba91b1997958d8621879eec9e1
SHA256 866b0a23c10835b7f71fe7863346e011b732e1756fdce6fdb199aeaee1e9d5ef
SHA512 a8363f420e6f28d9fbb901c50d5d7b90e4a94f8861d108db377d699d17e40c0f4e858bfaea3e6624f01a4c5ccb7e304cf37427906824bef9df170e39c5400a85

memory/1152-338-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1152-339-0x0000000000290000-0x00000000002D0000-memory.dmp