Analysis Overview
SHA256
10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd
Threat Level: Known bad
The file 10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd was found to be: Known bad.
Malicious Activity Summary
Lockbit
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 04:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 04:06
Reported
2024-03-14 04:09
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\ProgramData\6C56.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6C56.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6C56.tmp | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6C56.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (6 identical events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A (26 identical events) | N/A | C:\ProgramData\6C56.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAssignPrimaryTokenPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege (18 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege (3 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege (17 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\ProgramData\6C56.tmp | N/A |
| Token: SeRestorePrivilege | N/A | C:\ProgramData\6C56.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 448 wrote to memory of 760 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 760 wrote to memory of 4368 (4 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\ProgramData\6C56.tmp |
| PID 4368 wrote to memory of 1728 (3 events) | N/A | C:\ProgramData\6C56.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#1
C:\ProgramData\6C56.tmp
"C:\ProgramData\6C56.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6C56.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net (5 connections) | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/760-0-0x0000000002800000-0x0000000002810000-memory.dmp
memory/760-1-0x0000000002800000-0x0000000002810000-memory.dmp
memory/760-3-0x0000000002ED0000-0x0000000002EE0000-memory.dmp
C:\ProgramData\6C56.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/4368-9-0x000000007FE40000-0x000000007FE41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | c28f828c1a26243b75a777be4f0170db |
| SHA1 | cc622f0b01e99c8061bd56966b4e5670c061db6e |
| SHA256 | 82812c2d102f2aca8ab326cf7a7fad505b2aec5035649e5365eb72c6fd3fc75f |
| SHA512 | 647ce5e9090706ff265e5be8fcd13d58d11ec0a0488b48833f41edd6e5ef23cf34b28e18b3246cf3a2084d3c79b8ef58edcbbb77d57c19c36ddd25b0d11c1b44 |
memory/4368-39-0x0000000002640000-0x0000000002650000-memory.dmp
memory/4368-32-0x0000000002640000-0x0000000002650000-memory.dmp
memory/4368-41-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
memory/4368-42-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
memory/4368-40-0x000000007FE20000-0x000000007FE21000-memory.dmp
memory/4368-43-0x000000007FE00000-0x000000007FE01000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 04:06
Reported
2024-03-14 04:09
Platform
win7-20240221-en
Max time kernel
118s
Max time network
132s
Command Line
Signatures
Lockbit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DCE7.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DCE7.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DCE7.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (10 identical events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A (26 identical events) | N/A | C:\ProgramData\DCE7.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAssignPrimaryTokenPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege (19 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege (3 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege (18 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege (2 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#1
C:\ProgramData\DCE7.tmp
"C:\ProgramData\DCE7.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DCE7.tmp >> NUL
Network
Files
memory/2192-0-0x0000000002110000-0x0000000002150000-memory.dmp
C:\Users\wkyNXZoXP.README.txt
| MD5 | fad0a90c05731e681986c655bf629669 |
| SHA1 | c262ebf63d90024d4a930e94d07bec1488843718 |
| SHA256 | 52101729b68cab0bee0bfe63ba4a513fe61dd5f4974b057a2a2629a77c2e8a45 |
| SHA512 | 1c9e454889f1fad1f524eee912f4a4c98f4c6ceb73f2b78aad5cbc908d507db225c854d955a406b3616e4ff65efa1eb5c8c009f400203421fb2db239f36cd395 |
memory/2192-38-0x00000000003A0000-0x00000000003E0000-memory.dmp
memory/2192-40-0x00000000003A0000-0x00000000003E0000-memory.dmp
\ProgramData\DCE7.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/1644-54-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
memory/1644-58-0x000000007EF20000-0x000000007EF21000-memory.dmp
memory/1644-57-0x000000007EF80000-0x000000007EF81000-memory.dmp
memory/1644-56-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1644-55-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/2192-59-0x0000000002110000-0x0000000002150000-memory.dmp
memory/2192-60-0x00000000003A0000-0x00000000003E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | f495d9dde5d0becabfe1c30277e4f0b4 |
| SHA1 | a3468d9df3c983c8fc7b45c2d41a53bf87aa0aac |
| SHA256 | e0046d878e665decf7b0e613ab5b0cd506855ca07510cd0c6359e285173ed154 |
| SHA512 | 829f54686543ccb5f2719b2b7e9afa2e18cf482837cc1d2ada221edbc787cce27f1a2c8c4887fac6322d7346de3857eb6067b5293dffb24a293c3f7bb206da13 |
memory/1644-89-0x000000007EF40000-0x000000007EF41000-memory.dmp
memory/1644-90-0x000000007EF60000-0x000000007EF61000-memory.dmp