Malware Analysis Report

2024-11-30 11:30

Sample ID 240228-jrwpaaeg4z
Target LB3.exe
SHA256 e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe
Tags
lockbit ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe

Threat Level: Known bad

The file LB3.exe was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Renames multiple (337) files with added filename extension

Renames multiple (576) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: RenamesItself

Analysis: static1

Detonation Overview

Reported

2024-02-28 07:54

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 07:54

Reported

2024-02-28 07:57

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (337) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\DC4B.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\DC4B.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\DC4B.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ\ = "ZImkTWSLZ" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon\ = "C:\\ProgramData\\ZImkTWSLZ.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\DC4B.tmp
PID 3068 wrote to memory of 908 N/A C:\ProgramData\DC4B.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\ProgramData\DC4B.tmp

"C:\ProgramData\DC4B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DC4B.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\GGGGGGGGGGG

MD5 72ef7d7950fde68456ff63497a68b0b0
SHA1 a0bc0b8241449452b2cc93c72fac284763fddc83
SHA256 3752dad2f57c58c2a98a31eca576e20ed72ac2a26f2793795be4c2c12fbb7f39
SHA512 8e7e8a68e3244228279768fda068c4d3701b5f303630c633afac3bee6487def42927be23260fea46f5cafc9eb28948eeed187e7970d60cb0119095f4788fb1a8

F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\CCCCCCCCCCC

MD5 bf339b31b398995cc20b005160d132b5
SHA1 c439fae4aaecb56f4f19152cddab8aa960dca810
SHA256 19f9a0602c20b4c6950f134989df4807beb3f347d41d3087f848136662480040
SHA512 6c9b2bc0029d1327b7ff1f769cfff30af6142f968bf1f9e221adc3ec980c91c4eafe80a786340615845cf647907a075a98dee36ba21ccbc5400ecbe6edea206c

C:\ZImkTWSLZ.README.txt

MD5 6a41848e08fc4fdd6a32ed65ed22218c
SHA1 39809a0c455a35a3afdb7a53e132b1874c3124a2
SHA256 75b320e87464c86f1f7c95c200144b75e2921cefa0af8e0d847a99e14153bd7b
SHA512 a73fe4b220e3e84fd9af4a4ce6ae49b06f9cf89cd566ceedd287782c86fa8d7c29b24081a28a8b813fd5aae1f481827e80d1f04385583d798bc5867751a2cb63

\ProgramData\DC4B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 67f505030a7d4df1afead145571a0556
SHA1 6c1a339346c8c87efbced74dd8d603225d5d9611
SHA256 b857104b2566bf1cf67312dba8479d7781736b79fef4cffea34d41d861c9fddb
SHA512 278d3f7bc48ed4a80c2e9c62ab60445ffc9859ec97acc54d54a088671cda34bafe96b1ab23aec74a3df8fd441d8dbf6bf0e943da83acd3a9e5e2a9db0f3c10be

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 07:54

Reported

2024-02-28 07:57

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (576) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\ProgramData\61E7.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\61E7.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\61E7.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPt1bov0ln137thk982hh9vlgbb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP1lk_s_n00x9gk0_pi337qtn1b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPmkyqx9js0n3i691dz43c6s3sc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\61E7.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ\ = "ZImkTWSLZ" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon\ = "C:\\ProgramData\\ZImkTWSLZ.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{ECD49471-F70D-4333-BA9A-1FB59646BA31}.xps" 133535804999650000

C:\ProgramData\61E7.tmp

"C:\ProgramData\61E7.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61E7.tmp >> NUL

Network


Files

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\WWWWWWWWWWW

MD5 04de46c5f072bf028ce80e4d7e1830e6
SHA1 b17d877d214c2cfa35f3637ddb7ebd7cb275327b
SHA256 e0749683b0b1b96a282dc57428e07235be5fb9a393b95810475e432a299361b3
SHA512 bda16aebdbff341d74ae89bb41a4e5347630d56a6b8186afe87731f063c3c84600ca471d783542a659ef7bdb23f98ecdfe7c8002ba78d77203ed2d5ff4692104

F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\DDDDDDDDDDD

MD5 313b8a80e9f4b714e40ae4be7a79819f
SHA1 77dd95cbe9c9dedbb37ae94aa46a1578edb6dc5a
SHA256 9fb7b7a1efe2f9dcc118e43883d337ac556e6ef0f93f214011f3966df19cca27
SHA512 ded9f8fc53fb94ecb5b3e676b9a41dcbcf5c611191c5655c6d64338e2d6086744add9bb993df26ee671d4bb7cefc1b83089e549cf6c23c3a734a13ce7d742f6a

C:\ZImkTWSLZ.README.txt

MD5 59cd97164aa1348317de54d69eda5094
SHA1 13be56ed5b10f4e168b0009d5f043422f2277b69
SHA256 f53b85614c32f3bd157a35a95b297e4505d5d66973c25fe961dc3020d4712592
SHA512 ab551e2b467d160bc3afaa80ecda93e910587e2c8da6a31efc6df4b1f1d27ba7a977fb10b814b17599f87905b6f10ac05a7489d56c2f0ac976bb352e1672ba2d

C:\ProgramData\61E7.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\{0B008095-592C-4FCD-971E-CD2D30BD5EF9}

MD5 7fb8a0a6632eb1a1e8525f5b02841a5a
SHA1 d75067ae9b44a45301a56a2055831b6f85d50d0c
SHA256 9632fdab662531fda8b8ddb2bc1487a53d249c002bf77630a04f7aa84f9c2896
SHA512 a9d510d4b7dad74d8c93e8a90982490fa2654c6ccad73066986a9a1121dc58d47d307afc6a0f90a0d80bef8008961f2473e229ab730c12bf7caa90396ba2595f

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 7e72d816150b1315646cecdc2669888a
SHA1 42c763bd8d1ac8fbb2922b525df19cb98b479ccc
SHA256 8d0c035ba71ded97799634d77edd17fbcaa1ae523f77f1a9e65823d1ac048a1f
SHA512 349a511fc176b7a6bee55751a7c57d5b30d7c574d308193831e88207a124d7fead4ef5d8405b8e83b34631bdd5aae9d8172a7e4ca741bfbead398677cc908728
