Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:07
Behavioral task: behavioral1
  Sample: 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
  Resource: win10v2004-20240226-en
General
Target: 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
Size: 153KB
MD5: bb78df384ff1d296d1f0b59803df89b3
SHA1: 39c9235f96cf39a24c9907ac9ff5ab58de837bac
SHA256: 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390
SHA512: b682f26d3baf33ab2f11036f1c0461c1c022d8073989db5f6cfaaa84655bc46d8fa0dac7b1842c74c69d7ad640c9d390dec946cfa8dd08efd240886e816a3288
SSDEEP: 3072:5qJogYkcSNm9V7DvjFHHjHLuHk7XHURLPGwAcT:5q2kc4m9tDFfXkuwA
Malware Config
Extracted from: C:\Tvks1ukoO.README.txt
Family: lockbit
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Renames multiple (576) files with added filename extension
  This suggests ransomware activity: files across the system are being encrypted.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 576E.tmp

Deletes itself (1 IoC)
  Processes:
    pid | process
    2104 | 576E.tmp

Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    2104 | 576E.tmp

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe

Drops file in System32 directory (4 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
    File created | C:\Windows\system32\spool\PRINTERS\PPm2_h_qiholm9_l3qef1qhs0ad.TMP | printfilterpipelinesvc.exe
    File created | C:\Windows\system32\spool\PRINTERS\PPa0hgwkz5ghwwdt_kxo29verrc.TMP | printfilterpipelinesvc.exe
    File created | C:\Windows\system32\spool\PRINTERS\PPh8v3pph20yvvwmch6luwkisdd.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid | process
    2104 | 576E.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Modifies Control Panel (2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallpaperStyle = "10" | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe

Modifies registry class (5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    2972 | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe (the same entry repeated 64 times)

Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
    pid | process
    2104 | 576E.tmp (the same entry repeated 26 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    All 64 entries are for PID 2972, 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe. Tokens in the order observed:
    Token: SeAssignPrimaryTokenPrivilege
    Token: SeBackupPrivilege
    Token: SeDebugPrivilege
    Token: 36
    Token: SeImpersonatePrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeIncreaseQuotaPrivilege
    Token: 33
    Token: SeManageVolumePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeRestorePrivilege
    Token: SeSecurityPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    The remaining 48 entries alternate in pairs: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, and so on to the end of the list.
Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes:
    pid | process
    4492 | ONENOTE.EXE (the same entry repeated 13 times)

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process | count
    PID 2972 wrote to memory of 2732 | 2972 | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | splwow64.exe | 2
    PID 1848 wrote to memory of 4492 | 1848 | printfilterpipelinesvc.exe | ONENOTE.EXE | 2
    PID 2972 wrote to memory of 2104 | 2972 | 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | 576E.tmp | 4
    PID 2104 wrote to memory of 4916 | 2104 | 576E.tmp | cmd.exe | 3
Processes

- C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe"
  PID: 2972
  Signatures:
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2732
      Signatures:
        - Drops file in System32 directory
    - C:\ProgramData\576E.tmp
      Command line: "C:\ProgramData\576E.tmp"
      PID: 2104
      Signatures:
        - Checks computer location settings
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\576E.tmp >> NUL
          PID: 4916

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3852

- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 1848
  Signatures:
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9C8A8FD2-7AFD-4388-BFF2-E85A57ABEC03}.xps" 133548629987810000
      PID: 4492
      Signatures:
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of SetWindowsHookEx
Downloads