Analysis

max time kernel: 160s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-03-2024 16:53
Static task: static1

Behavioral task: behavioral1
  Sample: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
  Resource: win10-20240221-en

Behavioral task: behavioral2
  Sample: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
  Resource: win11-20240221-en
General

Target: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
Size: 338KB
MD5: 6d94d664f9ba75013dddf5cefbc9a4f5
SHA1: a9c58e2be33854f91cb6eb19701b71b2ad0c8db0
SHA256: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716
SHA512: a8f8f4985a9fbaaddde72c2a700f11af12232dd2846eeba0f9c7988842bf51154d65c0126d85d610cd321cf6ae04d4dd32e578f54461e04401a44c48ed393846
SSDEEP: 3072:m/1uwdeUo9srEwzwl6XH4qopEhNJJHpTazxQQ9X4V0vIrFCZezRothGwUy8hv857:8eLLXl6VoyhNbSxQQpHQrqRfqv8+N
Malware Config

Extracted from: C:\Users\2uaphKeDl.README.txt (the dropped ransom note)
Family: lockbit
The extracted configuration consists of the contact URLs carried in the note: the operators' Tor sites (.onion addresses and their .onion.ly mirrors), a Twitter hashtag search, and two GDPR reference links.
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Renames multiple (157) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 55A2.tmp
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
  Process: 55A2.tmp (PID 3244)

Executes dropped EXE (1 IoC)
  Process: 55A2.tmp (PID 3244)

Drops desktop.ini file(s) (2 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
    File opened for modification: C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini
    File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2uaphKeDl.bmp"
    Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2uaphKeDl.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes:
    a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe (PID 3464): 6 events
    55A2.tmp (PID 3244): 6 events

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  Process: WerFault.exe (PID 3928)
    Target: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe (PID 3464)

Modifies Control Panel (2 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10"
    Key created: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop

Modifies registry class (5 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon\ = "C:\\ProgramData\\2uaphKeDl.ico"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.2uaphKeDl\ = "2uaphKeDl"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl\DefaultIcon
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\2uaphKeDl

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe (PID 3464): 12 events

Suspicious behavior: RenamesItself (26 IoCs)
  Process: 55A2.tmp (PID 3244): 26 events

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe (PID 3464)
    Privileges enabled, in order of first occurrence: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36 (unnamed privilege LUID), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33 (unnamed privilege LUID), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
    The remaining 49 events are one further SeDebugPrivilege followed by 48 events alternating, in pairs, between SeBackupPrivilege and SeSecurityPrivilege (24 of each).

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 3464 (a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe) wrote to memory of PID 3244 (55A2.tmp): 4 events
    PID 3244 (55A2.tmp) wrote to memory of PID 3804 (cmd.exe): 3 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716.exe"
   PID: 3464
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\55A2.tmp (child of PID 3464)
      Command line: "C:\ProgramData\55A2.tmp"
      PID: 3244
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (child of PID 3244)
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\55A2.tmp >> NUL
         PID: 3804

   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 3464)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1340
      PID: 3928
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3464 -ip 3464
   PID: 3400
Downloads

Five files were captured (sizes 129B, 14KB, 10KB, 338KB and 129B); the per-file MD5/SHA1/SHA256/SHA512 listing is omitted here.