Analysis
max time kernel: 147s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 02:40
Behavioral task: behavioral1
Sample: 75e3d908fdddee413481dba88258783b.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 75e3d908fdddee413481dba88258783b.exe
Resource: win10v2004-20240226-en
General
Target: 75e3d908fdddee413481dba88258783b.exe
Size: 156KB
MD5: 75e3d908fdddee413481dba88258783b
SHA1: 4cd6c1a88f3575d298aa168356651d5237bb72ab
SHA256: 36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4
SHA512: d7c1e0bd3eb3888579ef696ea48ae4d83d70f08b3bafb23288a81ed40e1501513e2739af119c4a0f9d788f7aa4a6500df80260151a8eeeb7f6fe19fc5cf34256
SSDEEP
3072:ZfDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33686plZG1kqxSb6W:ZB5d/zugZqll32rZ2txSb
Malware Config
Extracted: C:\Users\O957g99QW.README.txt
Signatures
- Renames multiple (169) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Process: CE09.tmp (PID 3484)
- Executes dropped EXE (1 IoC)
  Process: CE09.tmp (PID 3484)
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini (75e3d908fdddee413481dba88258783b.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini (75e3d908fdddee413481dba88258783b.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\O957g99QW.bmp" (75e3d908fdddee413481dba88258783b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\O957g99QW.bmp" (75e3d908fdddee413481dba88258783b.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes: 75e3d908fdddee413481dba88258783b.exe (PID 4296), 6 entries; CE09.tmp (PID 3484), 6 entries
- Modifies Control Panel (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop (75e3d908fdddee413481dba88258783b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\WallpaperStyle = "10" (75e3d908fdddee413481dba88258783b.exe)
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW (75e3d908fdddee413481dba88258783b.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW" (75e3d908fdddee413481dba88258783b.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon (75e3d908fdddee413481dba88258783b.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW (75e3d908fdddee413481dba88258783b.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico" (75e3d908fdddee413481dba88258783b.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Process: 75e3d908fdddee413481dba88258783b.exe (PID 4296), 12 entries
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: CE09.tmp (PID 3484), 26 entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  75e3d908fdddee413481dba88258783b.exe (PID 4296) adjusted: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  vssvc.exe (PID 4584) adjusted: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  75e3d908fdddee413481dba88258783b.exe (PID 4296) then repeatedly adjusted SeBackupPrivilege and SeSecurityPrivilege in alternating pairs (the remaining entries of the 64)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4296 (75e3d908fdddee413481dba88258783b.exe) wrote to memory of PID 3484 (CE09.tmp), 4 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"
  PID: 4296
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\CE09.tmp
    Command line: "C:\ProgramData\CE09.tmp"
    PID: 3484
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4584
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads