Malware Analysis Report

2024-11-13 15:01

Sample ID 240314-ep6n9aaa8z
Target 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390
SHA256 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390

Threat Level: Known bad

The file 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Renames multiple (576) files with added filename extension

Renames multiple (266) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:07

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:07

Reported

2024-03-14 04:10

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (576) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\ProgramData\576E.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\576E.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\576E.tmp N/A

Reads user/profile data of web browsers

spyware stealer

This signature carries no Description/Indicator rows in either run; the spyware and stealer tags in the overview rest on it alone and should be treated as unconfirmed until the paths the sample opened under the browser profiles are known.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPm2_h_qiholm9_l3qef1qhs0ad.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPa0hgwkz5ghwwdt_kxo29verrc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPh8v3pph20yvvwmch6luwkisdd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

These spool files are written by the print subsystem (splwow64.exe, printfilterpipelinesvc.exe), not through the sample's own handle. Read together with the PrintWorkflowUserSvc host and the ONENOTE.EXE /insertdoc entry (an .xps in INetCache) in the process list, they are consistent with the sample submitting a print job that the sandbox's Send to OneNote virtual printer rendered to XPS; printing the ransom note to every reachable printer is publicly documented LockBit 3.0 behaviour. The print pipeline, not the sample, is also what spawned ONENOTE.EXE, so the OneNote-attributed signatures further down are side effects of that job.

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\576E.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Both signatures fire on ONENOTE.EXE (PID 4492), which the print pipeline spawned, not on the sample or its 576E.tmp helper. They are OneNote's own start-up hardware queries and are not evidence of environment fingerprinting by the sample.

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A

The evasion tag is the sandbox's generic category for this signature. The only change recorded is WallpaperStyle = 10 (fill), which makes the dropped C:\ProgramData\Tvks1ukoO.bmp ransom image cover the whole desktop; it is part of the ransom-note display, not a defence-evasion step.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
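The keys above form one chain that a detection can key on: the sample registers a new file-type class Tvks1ukoO under HKLM\SOFTWARE\Classes, maps the extension .Tvks1ukoO to it, points its DefaultIcon and the desktop wallpaper at files in C:\ProgramData with the same stem, and (Files section) drops C:\Tvks1ukoO.README.txt. The "Renames multiple (576) files with added filename extension" signature counts the rename side of the same behaviour (266 in the behavioral1 run on Windows 7, where the identical keys appear). The Python below is an added example, not code from this report, the sandbox vendor or the malware: it derives the extension token from registry events, counts renames that append it per process, and locates the ransom note. The event tuples are constructed to mirror this report's rows; the tuple layout (action, key or path, value or new path, process), the function names and the rename threshold are this example's own assumptions.

```python
"""Derive ransomware IOCs from sandbox registry and file events (added example)."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe")
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
DESKTOP = r"\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop"

# Constructed registry events copied from the behavioral2 tables; a key shown with a
# trailing backslash is that key's default value.  Layout: (action, key, value, process).
REG_EVENTS = [
    ("Key created",     CLASSES + "\\Tvks1ukoO",                None,                            SAMPLE),
    ("Key created",     CLASSES + "\\Tvks1ukoO\\DefaultIcon",   None,                            SAMPLE),
    ("Set value (str)", CLASSES + "\\Tvks1ukoO\\DefaultIcon\\", r"C:\ProgramData\Tvks1ukoO.ico", SAMPLE),
    ("Key created",     CLASSES + "\\.Tvks1ukoO",               None,                            SAMPLE),
    ("Set value (str)", CLASSES + "\\.Tvks1ukoO\\",             "Tvks1ukoO",                     SAMPLE),
    ("Set value (str)", DESKTOP + "\\WallPaper",                r"C:\ProgramData\Tvks1ukoO.bmp", SAMPLE),
]

# Constructed file events: twelve encryptor renames, one unrelated rename by
# explorer.exe, and the note/wallpaper drops.  Layout: (action, path, new path, process).
FILE_EVENTS = [
    ("File renamed", rf"C:\Users\Admin\Documents\doc{i}.docx",
     rf"C:\Users\Admin\Documents\doc{i}.docx.Tvks1ukoO", SAMPLE) for i in range(12)
] + [
    ("File renamed", r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.bak",
     r"C:\Windows\explorer.exe"),
    ("File created", r"C:\Tvks1ukoO.README.txt", None, SAMPLE),
    ("File created", r"C:\ProgramData\Tvks1ukoO.bmp", None, SAMPLE),
]

# Default value of Classes\.<ext>, and Classes\<ProgID>\DefaultIcon (trailing backslash optional).
EXT_RE = re.compile(r"\\Classes\\\.(?P<ext>[^\\]+)\\?$", re.IGNORECASE)
ICON_RE = re.compile(r"\\Classes\\(?P<progid>[^.\\][^\\]*)\\DefaultIcon\\?$", re.IGNORECASE)


def extension_registration(reg_events):
    """Find one process that created Classes\\<ProgID> and mapped Classes\\.<ext> to it."""
    created = {(proc, key.rstrip("\\").lower())
               for action, key, _, proc in reg_events if action == "Key created"}
    icons = {}
    for action, key, value, proc in reg_events:
        m = ICON_RE.search(key)
        if m and action.startswith("Set value"):
            icons[(proc, m.group("progid").lower())] = value
    for action, key, value, proc in reg_events:
        m = EXT_RE.search(key)
        if not (m and action.startswith("Set value") and value):
            continue
        if (proc, (CLASSES + "\\" + value).lower()) in created:   # ProgID made by same process
            return {"ext": m.group("ext"), "progid": value,
                    "icon": icons.get((proc, value.lower())), "process": proc}
    return None


def wallpaper_set(reg_events, process):
    """Wallpaper path written by `process`; matches both WallPaper and Wallpaper spellings."""
    for action, key, value, proc in reg_events:
        if (proc == process and action.startswith("Set value")
                and key.lower().endswith("\\control panel\\desktop\\wallpaper")):
            return value
    return None


def count_appended_renames(file_events, ext):
    """Per-process count of renames whose new name is the old name plus '.<ext>'."""
    suffix, counts = "." + ext.lower(), Counter()
    for action, old, new, proc in file_events:
        if action == "File renamed" and new and new.lower() == old.lower() + suffix:
            counts[proc] += 1
    return counts


def ransom_note_paths(file_events, ext):
    """Created files named <ext>.README.txt, the note-naming scheme this report shows."""
    wanted = f"{ext}.README.txt".lower()
    return sorted(path for action, path, _, _ in file_events
                  if action == "File created" and path.rsplit("\\", 1)[-1].lower() == wanted)


def analyze(reg_events, file_events, min_renames=10):
    """Combine the three signals into one verdict; min_renames is an assumed, tunable threshold."""
    reg = extension_registration(reg_events)
    if reg is None:
        return {"verdict": "no extension registration", "ext": None}
    renames = count_appended_renames(file_events, reg["ext"])
    return {"ext": reg["ext"], "progid": reg["progid"], "icon": reg["icon"],
            "wallpaper": wallpaper_set(reg_events, reg["process"]),
            "renames_by_process": dict(renames),
            "ransom_notes": ransom_note_paths(file_events, reg["ext"]),
            "verdict": "ransomware-like" if renames[reg["process"]] >= min_renames else "inconclusive"}


if __name__ == "__main__":
    for k, v in analyze(REG_EVENTS, FILE_EVENTS).items():
        print(f"{k}: {v}")
```

On live endpoint telemetry the same logic applies to registry value-set and file-rename events from an EDR; the value of the approach is that the extension is learned from the registry rather than hard-coded, so it survives the per-build change of the nine-character token, while the rename threshold has to be tuned per environment.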

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
(the row above is reported 64 times, all for the same process, with no indicator)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe N/A
(the four rows above repeat 12 times: 48 events in total)

Tokens 33 and 36 are raw privilege LUID values that the report did not resolve to names. The initial burst enables the backup, restore, security, debug, impersonation and volume-management set once; the later SeBackupPrivilege/SeSecurityPrivilege pairs are consistent with the encryptor re-adjusting those two privileges around individual file or directory operations rather than holding them enabled for the whole run.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\Windows\splwow64.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\Windows\splwow64.exe
PID 1848 wrote to memory of 4492 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1848 wrote to memory of 4492 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2972 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\ProgramData\576E.tmp
PID 2972 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\ProgramData\576E.tmp
PID 2972 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\ProgramData\576E.tmp
PID 2972 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe C:\ProgramData\576E.tmp
PID 2104 wrote to memory of 4916 N/A C:\ProgramData\576E.tmp C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 4916 N/A C:\ProgramData\576E.tmp C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 4916 N/A C:\ProgramData\576E.tmp C:\Windows\SysWOW64\cmd.exe

The PIDs resolve the process tree: 2972 (the sample) started 2732 (splwow64.exe) and 2104 (576E.tmp); 2104 started 4916 (cmd.exe); 1848 (printfilterpipelinesvc.exe) started 4492 (ONENOTE.EXE). Each write here is a parent writing into a child it has just created, which is normal at process start-up; the table shows no write into an unrelated process that would indicate injection.

Processes

C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe

"C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9C8A8FD2-7AFD-4388-BFF2-E85A57ABEC03}.xps" 133548629987810000

C:\ProgramData\576E.tmp

"C:\ProgramData\576E.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\576E.tmp >> NUL
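The process list above, read with the PIDs from the WriteProcessMemory table, gives the tree 2972 (sample) to 2732 (splwow64.exe) and 2972 to 2104 (576E.tmp) to 4916 (cmd.exe), plus 1848 (printfilterpipelinesvc.exe) to 4492 (ONENOTE.EXE). The last link is the "Deletes itself" signature: the dropped helper (576E.tmp here, 1C09.tmp in the Windows 7 run, so the name is per-run) launches cmd.exe to delete its own image, naming it through the 8.3 alias C:\PROGRA~3. The Python below is an added example, not code from this report or the sandbox vendor: it rebuilds the tree from constructed process records and flags a cmd.exe whose DEL target is its parent's own image. The sandbox's PIDs 2972, 2732, 2104, 4916, 1848 and 4492 are taken from the report; the svchost PID 900, the unknown root parents (ppid 0), the benign control cmd.exe (PID 5000) and the PROGRA~3 = ProgramData mapping are assumptions of the example.

```python
"""Rebuild a sandbox process tree and flag LockBit-style self-deletion (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe")

# Constructed records mirroring the Processes table; ppid 0 = parent not in the report.
PROCS = [
    Proc(2972, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2732, 2972, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(900, 0, r"C:\Windows\system32\svchost.exe",                       # PID 900 is assumed
         r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
    Proc(1848, 0, r"C:\Windows\system32\printfilterpipelinesvc.exe",
         r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"),
    Proc(4492, 1848, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
         r'/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache'
         r'\{9C8A8FD2-7AFD-4388-BFF2-E85A57ABEC03}.xps" 133548629987810000'),
    Proc(2104, 2972, r"C:\ProgramData\576E.tmp", r'"C:\ProgramData\576E.tmp"'),
    Proc(4916, 2104, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\576E.tmp >> NUL'),
    # Constructed benign control: a DEL that does not target its parent's image.
    Proc(5000, 2972, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /Q C:\Users\Admin\AppData\Local\Temp\scratch.log'),
]

# DEL or ERASE followed by its arguments; a trailing "> NUL" / ">> NUL" redirection is dropped.
DEL_RE = re.compile(r"(?:^|\s)(?:DEL|ERASE)\s+(?P<args>.*)$", re.IGNORECASE)
REDIR_RE = re.compile(r"\s*>{1,2}\s*NUL\s*$", re.IGNORECASE)


def basename(path):
    """Last path component with surrounding quotes removed; case preserved for display."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')


def del_targets(cmdline):
    """File arguments of a cmd.exe DEL/ERASE, with switches such as /F /Q removed."""
    m = DEL_RE.search(cmdline)
    if not m:
        return []
    args = REDIR_RE.sub("", m.group("args"))
    return [tok for tok in args.split() if not tok.startswith("/")]


def ancestry(by_pid, pid):
    """PIDs from `pid` up to the top-most ancestor present in the records."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def find_self_delete(procs):
    """cmd.exe children whose DEL target is the parent's own image.

    Only basenames are compared, so the 8.3 alias the sample uses for the directory
    (C:\\PROGRA~3 for C:\\ProgramData, an assumption about this sandbox image) never
    has to be resolved.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if basename(p.image).lower() != "cmd.exe" or parent is None:
            continue
        for target in del_targets(p.cmdline):
            if basename(target).lower() == basename(parent.image).lower():
                hits.append({"cmd_pid": p.pid, "helper": parent.image, "target": target,
                             "helper_in_programdata":
                                 parent.image.lower().startswith("c:\\programdata\\"),
                             "chain": ancestry(by_pid, p.pid)})
    return hits


def render_tree(procs):
    """Indented 'pid image' lines: roots (parent unknown) first, children ordered by PID."""
    by_pid = {p.pid: p for p in procs}
    kids = {}
    for p in procs:
        kids.setdefault(p.ppid, []).append(p)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.pid} {basename(p.image)}")
        for child in sorted(kids.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted((p for p in procs if p.ppid not in by_pid), key=lambda p: p.pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    for hit in find_self_delete(PROCS):
        print("self-delete:", hit)
```

The same rule ported to an EDR query (cmd.exe whose parent lives under ProgramData with a .tmp extension and whose DEL argument names that parent) is specific enough to alert on with little noise; the printfilterpipelinesvc.exe to ONENOTE.EXE branch is rendered but deliberately not scored, since nothing in the report ties it to the sample beyond the print job.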

Network

Every recorded flow is either a reverse-DNS (PTR) lookup sent to 8.8.8.8 or HTTPS to the Microsoft-operated hosts g.bing.com and tse1.mm.bing.net (204.79.197.200); the table records no other destination, so this run shows no command-and-control contact. Treat the list as sandbox, Windows and Office background activity rather than as sample IOCs.

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/2972-1-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2972-0-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2972-2-0x0000000002780000-0x0000000002790000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini

MD5 c40ba9d1e080f16d1c18a7fa18d0531e
SHA1 de2baf08c694eb1f875f438d58443c9843777706
SHA256 734418a6fe5006a03bc97e321eacd1fd566cedf05ba12f343e83d4196c4c739f
SHA512 52b3c1b8f0dc4a69eeb033f0874dff38a41f1061c6998abd2e5fae02580186a276b15b313ec8d340668b11f34bd309c70d15eef64b6151ae478f329ade9246fa

F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\DDDDDDDDDDD

MD5 66a2c716f0042a14e55f522b8d9fe228
SHA1 9a8c71b8a7fd5bf4c2de0ee24474b2df0c3724ff
SHA256 b3587e04ac4c8d235726d8b6b224129d9225e656fceb870475a5e80a630f6ce1
SHA512 68c99b4909a06fecc5c8061b4db4db978f3405ea496591c249b65b379f71834dd61d3d85cdf1def9a610dfbef5294158d184be867a01a723f0e5cfcbdc0ea316

C:\Tvks1ukoO.README.txt

MD5 2c0cc59c3960144f229f87d5a42daa7e
SHA1 67e83fe63be6b13ba6d0e982d7ca94984af09e25
SHA256 adb58ad6e25c0c7c707d32ca305bd45e8f15818994c5f881ede37b7bd0d64ad7
SHA512 ec2ee0b1c47c7a2bc0dcf99e38ba470bb532fdd7078253dcae1b00e60a5ebf533685a88c307be0ee92952ed660c08abbdcd4daad96fa3919b8f667f338908ce0

memory/2972-2716-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2972-2717-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2972-2718-0x0000000002780000-0x0000000002790000-memory.dmp

memory/4492-2730-0x00007FFDD9E30000-0x00007FFDD9E40000-memory.dmp

memory/4492-2733-0x00007FFDD9E30000-0x00007FFDD9E40000-memory.dmp

C:\ProgramData\576E.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4492-2735-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

C:\ProgramData\576E.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

This second entry for 576E.tmp carries the well-known digests of zero-length input: the helper was captured again after it had been truncated to zero bytes, before the cmd.exe DEL in the process list removed it. Use the first entry above (MD5 294e9f64cb1642dd89229fff0592856b) as the hash IOC for the dropped executable.

memory/4492-2739-0x00007FFDD9E30000-0x00007FFDD9E40000-memory.dmp

memory/4492-2741-0x00007FFDD9E30000-0x00007FFDD9E40000-memory.dmp

memory/4492-2742-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

memory/4492-2740-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

memory/4492-2738-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

memory/4492-2734-0x00007FFDD9E30000-0x00007FFDD9E40000-memory.dmp

memory/4492-2755-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

memory/4492-2756-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

memory/2104-2757-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/2104-2758-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2104-2759-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2104-2760-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/2104-2777-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/2104-2778-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/4492-2779-0x00007FFDD7DD0000-0x00007FFDD7DE0000-memory.dmp

memory/4492-2780-0x00007FFDD7DD0000-0x00007FFDD7DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{8D141B3A-B0B6-4EE0-BA76-BE30BFDDFD5F}

MD5 81475895afc81458a7cfc7f23ea9792b
SHA1 0d37a305451c16045678406678be508cfcc7415b
SHA256 f9c0c7126e88bc78a6ff80e9932a9a24e036973b72c50e4f1a8c995e51f98109
SHA512 893a3eca205a8689bf977a7287edea7dc93a5e69b6ea135e0c84ebc75a8516f841ba0bd6afd9c634480b072c71561233eadc399eb5fc8e05ef5a2bd181bf9122

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 6623e5652bf8b360c2199338a48cdc51
SHA1 e6d5bd2922626bc00ac0c01b0f585ccab4109cae
SHA256 7475efb3a14c361527ecc30da5e22f970e5359b35585872fc49c2b20fb25ad15
SHA512 e3d76aa61cfad3e8a5ffc58d6f3ecd5c51ba06de3f6e6c9ad6641b263a326b12999da3b9a6c9d76be9fab321bd02a5c2eabd8736b5d3e67bb490df98346a7892

memory/4492-2802-0x00007FFE19DB0000-0x00007FFE19FA5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:07

Reported

2024-03-14 04:10

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (266) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\1C09.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\1C09.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Sets desktop wallpaper using registry

ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\1C09.tmp | N/A |

Modifies Control Panel

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe

"C:\Users\Admin\AppData\Local\Temp\239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390.exe"

C:\ProgramData\1C09.tmp

"C:\ProgramData\1C09.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1C09.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x148

Network

N/A

Files

memory/2200-0-0x00000000023E0000-0x0000000002420000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\CCCCCCCCCCC

MD5 3b0dd6a0ee203b26ac7511ffe35225f0
SHA1 e4255d13bcc60a83cf772f0ee7d8bfb00e442de1
SHA256 346bc42b17881ff178b54e9b507be3d0140e02034af56673ffad7132c41c2425
SHA512 519908bc92ae7c55555da1b0dd1fa0888047d353d3caad313bf7a03235d59780413dbe33cdf8280fd6f37289a263ba883efa46161fa079cf1dbc8331ea25138e

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\AAAAAAAAAAA

MD5 1ed50c1287e526229163496c623af555
SHA1 d52293f15e42aeb63f733bb09488477677e120a3
SHA256 2bafac72342a856785202476fd34005ea7bfe92d76fbdf3a35347da597b38c03
SHA512 6d119cb6b327a54d3e74e848a1734daf3052cf3375cef6e46187a238ae7d055d3616a51c29412ca0ae98c24e918a158eb38b3022c6e69a205e6f31755be11642

C:\Tvks1ukoO.README.txt

MD5 24a73c67c6efa55aac9f5cc91e207074
SHA1 a65f07b3938f37fc53e339076b14b688c88ad6c1
SHA256 ddb75da6ed5dcc1be5c5e36cd1f0e82f53a427921222803c6f84a85dc91d473c
SHA512 73ea0c5835a1659952e0e88f5a4a61d8dc9b7b2d671325c7ecc5633a61bdd80f941f2a0a5647c3da1f1f808d6a24334e1a37264f5f95e62644db8ff730463ce7

\ProgramData\1C09.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2500-774-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2500-776-0x0000000002080000-0x00000000020C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ad56afe77d4cc9a47b4c9388638932b0
SHA1 1c6c84f819e2f413f04a76aadf12e666b0db3192
SHA256 60707a557397f0479fa54513975e56a3c4499e54ff2f14bfc0c81dd178d6db01
SHA512 923a4110cbf12b469840355c2bb5e89520f070cc248b712d0c20e968b421f7d6ef2ce9675c459f3b4eb76a29a2e6ce538e338176fbc8acc1aa6e5480ddceddff

memory/2500-783-0x0000000002080000-0x00000000020C0000-memory.dmp

memory/2500-784-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2500-785-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2500-807-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2500-808-0x000000007EF60000-0x000000007EF61000-memory.dmp