Analysis Overview
SHA256
d4f150a8b26e9edccae4987433fb5b8a105970db143ba196f13652730c635668
Threat Level: Known bad
The file ####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe was found to be: Known bad.
Malicious Activity Summary
Lockbit
Renames multiple (150) files with added filename extension
Deletes itself
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Program crash
Unsigned PE
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 00:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 00:43
Reported
2024-03-01 00:46
Platform
win11-20240221-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Lockbit
Renames multiple (150) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5lq6EmbYb.bmp" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5lq6EmbYb\ = "5lq6EmbYb" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5lq6EmbYb\DefaultIcon\ = "C:\\ProgramData\\5lq6EmbYb.ico" | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
| N/A | N/A | C:\ProgramData\5311.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3292 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\5311.tmp |
| PID 3292 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\5311.tmp |
| PID 3292 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\5311.tmp |
| PID 3292 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe | C:\ProgramData\5311.tmp |
| PID 1492 wrote to memory of 5100 | N/A | C:\ProgramData\5311.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1492 wrote to memory of 5100 | N/A | C:\ProgramData\5311.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1492 wrote to memory of 5100 | N/A | C:\ProgramData\5311.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe
"C:\Users\Admin\AppData\Local\Temp\####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe"
C:\ProgramData\5311.tmp
"C:\ProgramData\5311.tmp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3292 -ip 3292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 896
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5lq6EmbYb.README.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5311.tmp >> NUL
Network
Files
memory/3292-0-0x0000000002290000-0x00000000022AC000-memory.dmp
memory/3292-1-0x00000000022E0000-0x0000000002309000-memory.dmp
memory/3292-2-0x0000000000400000-0x000000000044D000-memory.dmp
memory/3292-3-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/3292-4-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/3292-5-0x00000000023D0000-0x00000000023E0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1637591879-962683004-3585269084-1000\DDDDDDDDDDD
| MD5 | 5dca66ca104f5f1c79bf38b6d6be9024 |
| SHA1 | 3624594456a31e79bab89a0d37c73ac8f0bf930d |
| SHA256 | a37619d55d6b50dccea85e722249e70f0a9ba75a7ea67cb6ad818a0317593821 |
| SHA512 | cbcd8ba63d1ac0efc446dbb52d1c7147a848497eba1638cad97b013aaa4d0d381de6305f718f3010ee05dfcb993abcdee616bd121273a1f3eec46fcd902757c7 |
C:\Users\5lq6EmbYb.README.txt
| MD5 | 05707f1de0c1181e06d8981984261783 |
| SHA1 | 336107f36356ddcd9b54aee4a98582f3a6cfd1fb |
| SHA256 | 60d29d9355a70032d88dbdff52533627612b2767dd759922d6de17a177578c7f |
| SHA512 | 73d665db7b46aeaf95f4a2a99c126a1e7adee0f4bd5187ce33e45c84340e4d95715e02f306fca60227cf672a1dda10f5874f4882eb317b1b86645afa8bff3129 |
F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\DDDDDDDDDDD
| MD5 | c6097f8a77a5fa3ab42fb469281273c9 |
| SHA1 | 057ac4674ad1666456a4327fb85fce74b7d64dc2 |
| SHA256 | f851c85186f23a6c9104960825f2ac3a9ce7bf214fe26655640514f97f28e977 |
| SHA512 | 763386c22f146c34273614e8f745fdc6a37f9ef1e4c6a05fca51afe1296f8ea16d68182def929e2df73770938f9a6461e9a2c0fde45434fad17fdbaee03b3e9c |
C:\ProgramData\5311.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/1492-307-0x0000000000400000-0x0000000000407000-memory.dmp
memory/1492-308-0x0000000002660000-0x0000000002670000-memory.dmp
memory/1492-309-0x0000000002660000-0x0000000002670000-memory.dmp
memory/1492-312-0x000000007FE70000-0x000000007FE71000-memory.dmp
memory/1492-311-0x000000007FDF0000-0x000000007FDF1000-memory.dmp
memory/1492-310-0x000000007FE50000-0x000000007FE51000-memory.dmp
memory/3292-313-0x0000000000400000-0x000000000044D000-memory.dmp
memory/3292-314-0x00000000022E0000-0x0000000002309000-memory.dmp
memory/3292-315-0x0000000002290000-0x00000000022AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | a995bdfcbe343d6e1d94da02655fc80e |
| SHA1 | 4b72dab44822295f325b16534c2d4cd447266491 |
| SHA256 | 013f34f8bfe86667c3b70cc40065d8e06d32f4c6db5cc20fc0f8b18dd8183293 |
| SHA512 | 302a72007b4a40bca9d584e990f3e1871999823cc69843331c0835fa56d72f87e6136d3cff051a01eb96dce6690ff02869ec992672268f191f501a0ff02b6022 |
memory/1492-345-0x0000000000400000-0x0000000000407000-memory.dmp
memory/1492-346-0x0000000002660000-0x0000000002670000-memory.dmp
memory/1492-347-0x0000000002660000-0x0000000002670000-memory.dmp
memory/1492-351-0x000000007FE30000-0x000000007FE31000-memory.dmp
memory/1492-350-0x000000007FE10000-0x000000007FE11000-memory.dmp
memory/1492-352-0x0000000000400000-0x0000000000407000-memory.dmp