Malware Analysis Report

2024-11-15 07:22

Sample ID: 240314-c5tzaagf5v
Target: 75e3d908fdddee413481dba88258783b.bin
SHA256: 36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4
Tags: lockbit, ransomware
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4

Threat Level: Known bad

The file 75e3d908fdddee413481dba88258783b.bin was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (169) files with added filename extension

Renames multiple (144) files with added filename extension

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: RenamesItself

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-03-14 02:40

Signatures

Lockbit family [lockbit]

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 02:40
Reported: 2024-03-14 02:42
Platform: win7-20240215-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"

Signatures

Renames multiple (144) files with added filename extension [ransomware]

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\24B0.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\24B0.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Sets desktop wallpaper using registry [ransomware]

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\O957g99QW.bmp" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\O957g99QW.bmp" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

(The two rows are the same value written twice with different casing; registry value names are case-insensitive.)

Enumerates physical storage devices

Modifies Control Panel [evasion]

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Together these keys register .O957g99QW as a file type whose icon is C:\ProgramData\O957g99QW.ico, so every encrypted file shows the ransomware icon in Explorer. The same nine-character string is used for the appended extension, the wallpaper (O957g99QW.bmp), the icon and the ransom note (C:\Users\O957g99QW.README.txt listed under Files), which makes it the single most useful host indicator for this build.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A

Uses Volume Shadow Copy service COM API [ransomware]

Processes

C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe
    "C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    (the Volume Shadow Copy service, started on demand; consistent with the VSS COM API use flagged above)

C:\ProgramData\24B0.tmp
    "C:\ProgramData\24B0.tmp"

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\24B0.tmp >> NUL
    (the dropped 24B0.tmp removing itself, matching the "Deletes itself" signature; C:\PROGRA~3 is the 8.3 short name of C:\ProgramData, and the System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file-system redirection)

C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    (Windows Audio Device Graph Isolation host; sandbox background activity unrelated to the sample)
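The registry-class, wallpaper and self-deletion rows above map directly onto host-level detections. The Python below is an added example, not part of this report or of the sandbox's tooling: it correlates those artefacts over a list of constructed Sysmon-style events (registry key create, registry set, process create). The event dictionary shape, the regexes and the nine-character-ID assumption are the editor's, derived from the rows in this run; the two decoy events at the end of the sample data are constructed to show that an ordinary wallpaper change or installer file-type registration does not trigger.

```python
"""Correlate LockBit 3.0 host artefacts from Sysmon-style events.

Added example, not part of the sandbox report.  The event dicts are a
simplified stand-in for Sysmon registry (EventID 12/13) and process-create
(EventID 1) records; the regexes are assumptions derived from the rows of
this report.
"""
import re
from collections import defaultdict

# This build names everything after one 9-char alphanumeric ID (O957g99QW):
# the appended extension, the Classes key, the icon and wallpaper files and
# the ransom note.  Every pattern below assumes that convention.
CLASSES_EXT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\\.([A-Za-z0-9]{9})$", re.I)
DEFAULT_ICON_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\([A-Za-z0-9]{9})\\DefaultIcon\\?$", re.I)
WALLPAPER_RE = re.compile(
    r"\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Control Panel\\Desktop\\Wallpaper$", re.I)
PROGRAMDATA_ART_RE = re.compile(
    r"^C:\\ProgramData\\([A-Za-z0-9]{9})\.(ico|bmp)$", re.I)
SELF_DELETE_RE = re.compile(
    r"/C\s+DEL\s+/F\s+/Q\s+(\S+\.tmp)\s*>>\s*NUL", re.I)


def detect(events):
    """Return (evidence-by-ID, self-delete findings) for a list of events."""
    evidence = defaultdict(set)   # ID -> {"classes_key", "default_icon", "wallpaper"}
    self_deletes = []
    for ev in events:
        target = ev.get("target", "")
        if ev["type"] == "registry_key_create":
            m = CLASSES_EXT_RE.search(target)
            if m:
                evidence[m.group(1)].add("classes_key")
        elif ev["type"] == "registry_set":
            art = PROGRAMDATA_ART_RE.match(ev.get("details", ""))
            if not art:
                continue            # value does not point at a ProgramData ico/bmp
            icon = DEFAULT_ICON_RE.search(target)
            if (icon and art.group(2).lower() == "ico"
                    and icon.group(1).lower() == art.group(1).lower()):
                evidence[icon.group(1)].add("default_icon")
            elif WALLPAPER_RE.search(target) and art.group(2).lower() == "bmp":
                evidence[art.group(1)].add("wallpaper")
        elif ev["type"] == "process_create":
            m = SELF_DELETE_RE.search(ev.get("cmdline", ""))
            parent = ev.get("parent_image", "").lower()
            # cmd.exe spawned by a *.tmp under ProgramData to delete that same file
            if m and parent.startswith("c:\\programdata\\") and parent.endswith(".tmp"):
                self_deletes.append((ev["parent_image"], m.group(1)))
    return dict(evidence), self_deletes


def verdict(events):
    """'lockbit3-like' when one ID ties together at least two artefact kinds."""
    evidence, self_deletes = detect(events)
    hits = [i for i, kinds in evidence.items() if len(kinds) >= 2]
    if hits:
        return "lockbit3-like", sorted(hits), self_deletes
    return "no-match", [], self_deletes


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75e3d908fdddee413481dba88258783b.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-2248906074-2862704502-246302768-1000"
# Constructed from the behavioral1 rows above, plus two benign decoys.
EVENTS = [
    {"type": "registry_key_create", "image": SAMPLE,
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.O957g99QW"},
    {"type": "registry_set", "image": SAMPLE,
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\O957g99QW\\DefaultIcon\\",
     "details": "C:\\ProgramData\\O957g99QW.ico"},
    {"type": "registry_set", "image": SAMPLE,
     "target": HKU + "\\Control Panel\\Desktop\\WallPaper",
     "details": "C:\\ProgramData\\O957g99QW.bmp"},
    {"type": "registry_set", "image": SAMPLE,
     "target": HKU + "\\Control Panel\\Desktop\\WallpaperStyle", "details": "10"},
    {"type": "process_create", "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "parent_image": "C:\\ProgramData\\24B0.tmp",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /C DEL /F /Q C:\\PROGRA~3\\24B0.tmp >> NUL"},
    # decoys: a user picking a wallpaper, and an installer registering .txt
    {"type": "registry_set", "image": "C:\\Windows\\explorer.exe",
     "target": HKU + "\\Control Panel\\Desktop\\Wallpaper",
     "details": "C:\\Users\\Admin\\Pictures\\beach.jpg"},
    {"type": "registry_key_create", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.txt"},
]

if __name__ == "__main__":
    print(verdict(EVENTS))
```

Requiring two independent artefact kinds on the same ID keeps a lone Classes key (which installers create all the time) from firing; the self-delete finding is reported separately because it is generic ransomware tradecraft rather than something tied to the ID.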

Network

N/A

Files

memory/2396-0-0x0000000002160000-0x00000000021A0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini

MD5 9dd49b139846f38ec70fbf6427250635
SHA1 01dc2353dfe0163e773214f8f013a49be8af3d95
SHA256 5656d1c82632beac78803348e50275b116098f8eea5b9b2afca05b8d7d15a764
SHA512 d0b628cd10a05db784154a1b135a1dcf4a7e15fbff3cad6d12a0e03e2c090c77643bda1bd2ef4665c23ab0d29026ba89709b5db0df13f78388cab8e0c779ba7f

F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\DDDDDDDDDDD

MD5 0b09c761464babdfa5bdbf51b8573a51
SHA1 54e160afdd227d858ad5b30fef5cfdd90142d375
SHA256 e9c6d49fc3bf2834eef8e7fd73fac9199a8ea37b8d00bee2b6a4bb2b72f600b1
SHA512 e73fdbeec5e7a1053b0f51f8c4e653016b183460d034de8486df5db64e5f7b4b6716b989bf3fe9c872c2ea659fabfbf260096ecf9d95ce844e0b9fc3f590205a

C:\Users\O957g99QW.README.txt

MD5 6eabed2d8ad300ed838c1acc00b3fa31
SHA1 335abeacb5c7c5853405bd96f8db96e18e2e1887
SHA256 867d88ad1726bce9a0fe74cde5c5e78aab34488a29a0aeafcd68fab30bd79849
SHA512 27273b444871035e74584d2047d16fe33894948476ba7a4e48c695c53e0133d7ad9cd018e471bfcdcad29edaa004b0d5a8ca7a522cd39d0068db1e49309b57f2

\ProgramData\24B0.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1952-275-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1952-276-0x0000000000370000-0x00000000003B0000-memory.dmp

memory/1952-282-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f7dc00eb7d7fa9bb1c8c83505325e0f9
SHA1 c517759a38e90ce1546d923c23bd0a911c3aa8e6
SHA256 eeb864ff1d953433cd0501e5da78927c7e659c9ae721470280f2b87b3a8fa7b3
SHA512 e44b296a3061ea46b041566559b6e6f688b9af6038933daa8f1b3c492eb25371e4ec9d93540b522badc6376929be7f5f0e1cdf7d5bb858d278ec507fa41ed271

memory/1952-283-0x000000007EF20000-0x000000007EF21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 02:40
Reported: 2024-03-14 02:43
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"

Signatures

Renames multiple (169) files with added filename extension [ransomware]

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\CE09.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\CE09.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Sets desktop wallpaper using registry [ransomware]

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\O957g99QW.bmp" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\O957g99QW.bmp" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Modifies Control Panel [evasion]

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico" | C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe | N/A

The identifier O957g99QW, the icon path and the wallpaper path are identical to those in the Windows 7 run (behavioral1) despite the different machine SID, so the ID is fixed in this build rather than derived per host; the extension, note name and ProgramData artefact names can therefore be used as indicators for this sample.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe N/A
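The two AdjustPrivilegeToken tables (this run and behavioral1) share the same flattened layout and are long enough that reading them row by row hides the point: which process ends up holding which privileges, how often SeBackupPrivilege is re-enabled, and which rows the sandbox could not resolve to a name (33 and 36 are numeric privilege values left unresolved). The Python below is an added example, not the sandbox's code: it parses a constructed excerpt of the rows in the report's own "Token: <name> N/A <process> N/A" format and groups the result. The privilege groupings are the editor's, not the sandbox's.

```python
"""Summarise 'Suspicious use of AdjustPrivilegeToken' rows from this report.

Added example, not the sandbox's own code.  ROWS is a constructed excerpt
of the table above (same layout, fewer rows); the privilege groupings are
the editor's reading of what matters for a file encryptor.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(\S+)\s+N/A$")

# SeBackup/SeRestore let a process read and write files regardless of NTFS
# ACLs, SeTakeOwnership reassigns owners and SeSecurity touches SACLs: held
# together they mean no file on the volume is protected from the encryptor.
ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege",
              "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}
# SeDebug opens any process, SeManageVolume is needed for volume-maintenance
# calls, SeImpersonate/SeAssignPrimaryToken allow token manipulation.
HIGH_IMPACT = {"SeDebugPrivilege", "SeManageVolumePrivilege",
               "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_rows(text):
    """Return ({process: Counter(privilege -> rows)}, {unresolved numeric values})."""
    per_proc = defaultdict(Counter)
    unresolved = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                     # header line or a non-table line
        priv, proc = m.groups()
        if priv.isdigit():               # sandbox printed the raw value, not a name
            unresolved.add(int(priv))
            priv = f"LUID:{priv}"
        per_proc[proc][priv] += 1
    return dict(per_proc), unresolved


def assess(per_proc):
    """Flag, per process, the ACL-bypass set, high-impact privileges and churn."""
    report = {}
    for proc, counts in per_proc.items():
        held = set(counts)
        report[proc] = {
            "acl_bypass_complete": ACL_BYPASS <= held,
            "high_impact": sorted(held & HIGH_IMPACT),
            "unresolved": sorted(p for p in held if p.startswith("LUID:")),
            # repeated SeBackup rows: the privilege is re-enabled again and again
            "backup_enables": counts["SeBackupPrivilege"],
        }
    return report


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75e3d908fdddee413481dba88258783b.exe"
VSS = "C:\\Windows\\system32\\vssvc.exe"
# Constructed excerpt of the table above, in the report's own row format.
ROWS = "\n".join(f"Token: {p} N/A {proc} N/A" for p, proc in [
    ("SeAssignPrimaryTokenPrivilege", SAMPLE), ("SeBackupPrivilege", SAMPLE),
    ("SeDebugPrivilege", SAMPLE), ("36", SAMPLE), ("SeImpersonatePrivilege", SAMPLE),
    ("SeIncBasePriorityPrivilege", SAMPLE), ("SeIncreaseQuotaPrivilege", SAMPLE),
    ("33", SAMPLE), ("SeManageVolumePrivilege", SAMPLE),
    ("SeProfSingleProcessPrivilege", SAMPLE), ("SeRestorePrivilege", SAMPLE),
    ("SeSecurityPrivilege", SAMPLE), ("SeSystemProfilePrivilege", SAMPLE),
    ("SeTakeOwnershipPrivilege", SAMPLE), ("SeShutdownPrivilege", SAMPLE),
    ("SeDebugPrivilege", SAMPLE),
    ("SeBackupPrivilege", VSS), ("SeRestorePrivilege", VSS), ("SeAuditPrivilege", VSS),
    ("SeBackupPrivilege", SAMPLE), ("SeBackupPrivilege", SAMPLE),
    ("SeSecurityPrivilege", SAMPLE), ("SeSecurityPrivilege", SAMPLE),
    ("SeBackupPrivilege", SAMPLE),
])

if __name__ == "__main__":
    per_proc, unresolved = parse_rows(ROWS)
    for proc, summary in assess(per_proc).items():
        print(proc, summary)
    print("unresolved privilege values:", sorted(unresolved))
```

Either table from this report can be pasted in place of ROWS unchanged. The vssvc.exe rows are the service's own backup/restore/audit privileges and should not be scored against the sample; the parser keeps them under their own process key so they never inflate the sample's summary.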

Uses Volume Shadow Copy service COM API [ransomware]

Processes

C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe
    "C:\Users\Admin\AppData\Local\Temp\75e3d908fdddee413481dba88258783b.exe"

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

C:\ProgramData\CE09.tmp
    "C:\ProgramData\CE09.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp

The report attributes none of these flows to a process. Reverse-DNS (in-addr.arpa) lookups through 8.8.8.8 and TLS sessions to tse1.mm.bing.net, a Microsoft content endpoint contacted by Windows 10 itself, are consistent with the sandbox image's background traffic; nothing here indicates command-and-control, and the Windows 7 run (behavioral1) encrypted files with no network activity at all.

Files

memory/4296-0-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/4296-1-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/4296-2-0x0000000002B20000-0x0000000002B30000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini

MD5 ba16ad22f42d1b281573a5812d57b053
SHA1 7f1595c013c38e666cf1931bdb8a8f3b1f715ed5
SHA256 a7b5d7537c864e55b9012b5b0c652b9bbfb66e045d3013eda1fd128d5e65081a
SHA512 c36ea7a8e8523cc6d80bbb2cbd431af9226a6b9f9ed015930874eb23806f63aa42bcbac8fc2eb125448e5ff6f37be831c181b9ff72b637f55e9a2e62690827fa

F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\HHHHHHHHHHH

MD5 d0bb69d823b9440e3e4a00eff6fb1159
SHA1 19fe772b01b7a790e4275dd2369c1af90117197f
SHA256 d22c62e617c9ce7c061d724c868ef576f814f61332e67fae11034f86700a79c1
SHA512 6a8781fe492b40a7d9daf7d745379398c253a30fa28e20a2766cb8769e3f82c925bad61c42a8ea915524904455b57bb437d3b32d449253439c2a53deb0d3b3df

C:\Users\O957g99QW.README.txt

MD5 0000799ebb390273026f8c43f98cd650
SHA1 d619d43fbf045b5cecbc38c5f509918c09bcd744
SHA256 fec0c3f70fc4672c5ffae34695ae3aee68cce97d9b952012ef18597f5bd90c5d
SHA512 8a53b665e418fee4780a51f04c20e70470c455bf4fc7ef0b105fb93a248f6ebd6b1daf4236f46847d310c3317aef662749273727172d0146a64e31268d813ffe

memory/4296-321-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/4296-322-0x0000000002B20000-0x0000000002B30000-memory.dmp

C:\ProgramData\CE09.tmp (same hashes as \ProgramData\24B0.tmp in behavioral1: the same dropped component under a different temporary file name)

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3484-329-0x00000000026C0000-0x00000000026D0000-memory.dmp

memory/3484-328-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/3484-330-0x00000000026C0000-0x00000000026D0000-memory.dmp

memory/3484-334-0x000000007FE20000-0x000000007FE21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

MD5 cb3ec9edce59a3638e5b255d6148839d
SHA1 3a06aed51576265d8178ae417eb4118ec87eb37f
SHA256 5c40d284689190e244886d6a81a928a098d9b9d6b8877e6e2e9081877ae8a7d1
SHA512 ba4802874879c361002f6ec462a4950e8c1e5feabc48a629d978e87671ce13fdeb0cb856ab66afc4d5def17308574c6bb23d70feab340ed0c3931787771c913c

memory/3484-339-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3484-361-0x00000000026C0000-0x00000000026D0000-memory.dmp

memory/3484-362-0x00000000026C0000-0x00000000026D0000-memory.dmp