Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:09
Behavioral tasks
behavioral1: sample 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe, resource win7-20240220-en
behavioral2: sample 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe, resource win10v2004-20240226-en (the run this report describes)
General
Target: 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe
Size: 150KB
MD5: 1e60573f1429ea1939140c1d54c14ce3
SHA1: 58a4a779580ac004c938c95f3fc365f30235a480
SHA256: 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580
SHA512: 8aabe669a80c4072a4b8e0bd21e758728809c58f1ff74c2436976a6266d1145c61118234997d5be03d3f8c4c7578533ece3c33620302d7d1674e2f3772495189
SSDEEP: 1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDGv0oRYYwVwMYNkBjLhTfWJbnv8:mqJogYkcSNm9V7DGvxxwSf8i+2v3O/T
Malware Config
Extracted from: C:\wkyNXZoXP.README.txt (the ransom note; its name is the random extension the sample appends, followed by .README.txt)
Family: lockbit
URLs carried in the note (Tor hidden services, clearnet mirrors, and messaging/contact links):
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt.uz
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
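The URLs above are the indicators most analysts pivot on, and a transcription error in a 56-character onion address silently produces a useless indicator. The following is an added example (not part of the sandbox report and not LockBit's code) that pulls URLs out of a ransom note, separates Tor hidden services from clearnet hosts, and verifies each v3 onion address against the checksum embedded in it (base32 of PUBKEY || CHECKSUM || VERSION, with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], per the Tor rendezvous spec). The note text is a constructed stand-in, since the report reproduces only the URLs; the two onion addresses and three clearnet links are copied from the config above.

```python
import base64
import hashlib
import re

# Constructed stand-in for the ransom note C:\wkyNXZoXP.README.txt. The report
# records only the URLs the note carried, so the surrounding lines are filler;
# the URLs themselves are copied from the "Malware Config" section.
SAMPLE_NOTE = """\
Your files are encrypted. Contact us via the links below.
Tor Browser links:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Links for normal browser:
http://lockbitapt.uz
https://twitter.com/hashtag/lockbit?f=live
Messenger: https://tox.chat/download.html
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}$")


def extract_urls(text):
    """Return the URLs in a note, in order of first appearance, deduplicated."""
    seen, out = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop punctuation glued to the URL by the note's prose
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def decode_onion_v3(host):
    """Split a v3 .onion host into (pubkey, checksum, version).

    A v3 address is base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion";
    56 base32 characters decode to exactly those 35 bytes.
    Raises ValueError if the label has the wrong shape.
    """
    label = host[:-len(".onion")] if host.endswith(".onion") else host
    if not ONION_V3_RE.match(label):
        raise ValueError("not a 56-character base32 v3 onion label")
    raw = base64.b32decode(label.upper())
    return raw[:32], raw[32:34], raw[34]


def is_valid_onion_v3(host):
    """True when the version byte is 3 and the embedded checksum verifies.

    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
    A failing checksum usually means the address was mistyped or garbled in
    transcription, which is exactly what you want to catch before pivoting on it.
    """
    try:
        pubkey, checksum, version = decode_onion_v3(host)
    except ValueError:
        return False
    if version != 3:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return checksum == expected


def indicators(text):
    """Classify the note's URLs into onion services and clearnet hosts."""
    result = {"onion": [], "clearnet": [], "onion_checksum_ok": {}}
    for url in extract_urls(text):
        host = host_of(url)
        if host.endswith(".onion"):
            result["onion"].append(host)
            result["onion_checksum_ok"][host] = is_valid_onion_v3(host)
        else:
            result["clearnet"].append(host)
    return result


if __name__ == "__main__":
    for key, value in indicators(SAMPLE_NOTE).items():
        print(key, value)
```

Run it over the real note text recovered from a victim machine; any onion address whose checksum fails should be re-transcribed from the note rather than shared as-is.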
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (577) files with added filename extension
Consistent with a ransomware encryption pass: files are rewritten and renamed with an appended extension (here .wkyNXZoXP, the same string registered as a file class under HKLM\SOFTWARE\Classes below and used to name the ransom note).
-
Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence (LockBit builds are widely reported to abort on CIS-region locales).
Processes:
  7204.tmp: Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
Deletes itself  (1 IoC)
Processes:
  7204.tmp (PID 2212)
-
Executes dropped EXE  (1 IoC)
Processes:
  7204.tmp (PID 2212)
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No file IoCs were recorded for this signature, and for an encryptor a read of browser profile directories is equally consistent with the file-enumeration and encryption pass, so treat this as weak evidence of credential theft on its own.
-
Drops desktop.ini file(s)  (2 IoCs)
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: File opened for modification C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini
Drops file in System32 directory  (4 IoCs)
Processes:
  splwow64.exe: File created C:\Windows\system32\spool\PRINTERS\00002.SPL
  printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PP59hps0xy_6teao91ygbhcv4zb.TMP
  printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PPfdr197gzkdhyxle245pgi_hjc.TMP
  printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PPbzzlgzxm9jw_13d6pm2mgcezb.TMP
These are print spooler artifacts, not payload drops: splwow64.exe was spawned by the sample and the filter pipeline then handed the job to ONENOTE.EXE /insertdoc (see the process tree), which is consistent with the sample printing its ransom note to the default printer.
Sets desktop wallpaper using registry  (2 TTPs, 2 IoCs)
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\wkyNXZoXP.bmp"
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\wkyNXZoXP.bmp"
Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
Anti-debugging: the ThreadHideFromDebugger information class detaches the calling thread from any attached debugger. Note that it is the dropped helper, not the main sample, that uses it.
Processes:
  7204.tmp (PID 2212)
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry  (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  ONENOTE.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry  (2 TTPs, 3 IoCs)
Processes:
  ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  ONENOTE.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Both of these signatures fire on ONENOTE.EXE, which was launched by printfilterpipelinesvc.exe to receive a printed XPS document, not by the malware. They reflect normal Office telemetry and should not be read as sandbox evasion by the sample.
Modifies Control Panel  (2 IoCs)
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "10"
-
Modifies registry class  (5 IoCs)
Registers the appended extension as a file class and points its icon at a dropped .ico in ProgramData, so encrypted files show a custom icon in Explorer.
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP"
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico"
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP
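The registry signatures above (geofence lookup, wallpaper replacement, Control Panel change, file-class registration) are individually weak but together form a recognisable encryptor "branding" pattern: a freshly invented extension whose ProgID is the same string, a DefaultIcon and a wallpaper both pointing into ProgramData, and a locale check beforehand. The following is an added example, not part of the sandbox report and not a Triage feature, that parses event lines in the layout this report prints and correlates them per process. The event lines are transcribed from the signatures above; the final setup.exe line is a constructed benign control to show that an ordinary file-type registration does not trigger.

```python
import re
from collections import defaultdict

# Event lines in the shape the report prints them: operation, key path,
# optional value, acting process. The first six are transcribed from this
# report's signatures; the last is a constructed benign control (an installer
# registering a real document type with a distinct ProgID).
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\wkyNXZoXP.bmp" 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "10" 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation 7204.tmp',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docx\ = "Word.Document.12" setup.exe',
]

OPS = ("Set value (str)", "Set value (int)", "Set value (data)",
       "Key created", "Key value queried", "Key opened")

CLASSES_EXT_RE = re.compile(r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\\.([^\\]+)$", re.I)
CLASSES_ICON_RE = re.compile(r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\([^\\]+)\\DefaultIcon$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
STAGING_DIR_RE = re.compile(r"^[A-Z]:\\ProgramData\\", re.I)


def parse_event(line):
    """Split one report line into operation, key path, value and process.

    The process is the last whitespace-separated token; key paths may contain
    spaces ("Control Panel"), so the split is done from the right.
    """
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        return None
    rest, _, proc = line[len(op):].strip().rpartition(" ")
    if ' = "' in rest:
        path, _, val = rest.partition(' = "')
        val = val.rstrip('"').replace("\\\\", "\\")  # undo the report's escaping
    else:
        path, val = rest, None
    return {"op": op, "path": path.rstrip("\\"), "value": val, "proc": proc}


def correlate(lines):
    """Collect per-process facts that matter for the encryptor pattern."""
    per_proc = defaultdict(lambda: {"ext": set(), "icon_from_staging": set(),
                                    "wallpaper_from_staging": set(), "geo_lookup": False})
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        facts = per_proc[ev["proc"]]
        m = CLASSES_EXT_RE.search(ev["path"])
        if m and ev["value"]:
            facts["ext"].add((m.group(1), ev["value"]))  # (extension, ProgID)
        m = CLASSES_ICON_RE.search(ev["path"])
        if m and ev["value"] and STAGING_DIR_RE.match(ev["value"]):
            facts["icon_from_staging"].add(m.group(1))
        if WALLPAPER_RE.search(ev["path"]) and ev["value"] and STAGING_DIR_RE.match(ev["value"]):
            facts["wallpaper_from_staging"].add(ev["value"])
        if GEO_RE.search(ev["path"]):
            facts["geo_lookup"] = True
    return per_proc


def verdict(per_proc):
    """Return (process, finding, detail, note) tuples."""
    findings = []
    for proc, f in per_proc.items():
        for ext, progid in f["ext"]:
            # Encryptors reuse the random extension as its own ProgID and point
            # DefaultIcon at a file they staged; installers register real ProgIDs.
            if ext == progid and progid in f["icon_from_staging"]:
                findings.append((proc, "ransomware-extension", ext,
                                 "self-named ProgID with DefaultIcon under ProgramData; "
                                 "look for <ext>.README.txt as the note, as in this report"))
        if f["wallpaper_from_staging"]:
            findings.append((proc, "wallpaper-replaced", sorted(f["wallpaper_from_staging"])[0],
                             "desktop wallpaper pointed at a staged bitmap"))
        if f["geo_lookup"]:
            findings.append((proc, "geofence-check", "Geo\\Nation", "locale lookup before acting"))
    return findings


if __name__ == "__main__":
    for row in verdict(correlate(EVENTS)):
        print(row)
```

The same parser works on a full Triage registry event dump; the point of tying extension, icon path and wallpaper together is that each on its own is noisy, while the three from one process almost never are.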
Suspicious behavior: EnumeratesProcesses  (64 IoCs, capped)
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe (PID 1228): all 64 recorded events
Suspicious behavior: RenamesItself  (26 IoCs)
Processes:
  7204.tmp (PID 2212): all 26 recorded events
Suspicious use of AdjustPrivilegeToken  (64 IoCs, capped)
Processes:
  3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe (PID 1228)
Privileges enabled in the first pass, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege.
Then SeDebugPrivilege once, followed by a repeating SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege pattern for the rest of the 64 recorded events. The entries 33 and 36 are privilege LUIDs the sandbox did not resolve to names. The sustained SeBackup/SeSecurity toggling is consistent with opening files under backup semantics so that DACLs do not block the encryption pass.
Suspicious use of SetWindowsHookEx  (13 IoCs)
Processes:
  ONENOTE.EXE (PID 1892): all 13 recorded events (Office's own hook usage under the print pipeline, not sample activity)
Suspicious use of WriteProcessMemory  (11 IoCs)
Parent -> child writes (count):
  PID 1228 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe -> PID 4388 splwow64.exe (2)
  PID 3728 printfilterpipelinesvc.exe -> PID 1892 ONENOTE.EXE (2)
  PID 1228 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe -> PID 2212 7204.tmp (4)
  PID 2212 7204.tmp -> PID 4560 cmd.exe (3)
Every pair is a parent writing into a child it has just created, which the sandbox records for ordinary process creation. The list reproduces the process tree below and is not by itself evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe  (PID 1228)
  command line: "C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe  (PID 4388, child of 1228)
    command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  C:\ProgramData\7204.tmp  (PID 2212, child of 1228)
    command line: "C:\ProgramData\7204.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4560, child of 2212)
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7204.tmp >> NUL
      The image is SysWOW64\cmd.exe although the command line names System32: 7204.tmp is a 32-bit process and WOW64 file-system redirection rewrote the path. C:\PROGRA~3 is the 8.3 short name under which the helper deletes its own file (C:\ProgramData\7204.tmp) after running.
C:\Windows\system32\svchost.exe  (PID 4704)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe  (PID 3728)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE  (PID 1892, child of 3728)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CDCC65CB-3C4C-40D5-81B2-1C7B2726F9AE}.xps" 133548629934880000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
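Two things in the tree above are worth automating when triaging many reports: the drop-run-erase pattern (a helper executed from ProgramData whose child cmd.exe deletes the helper's own image, here through the 8.3 short name C:\PROGRA~3), and the SysWOW64-versus-System32 mismatch that reveals the helper's bitness. The following is an added example, not part of the sandbox report, that reconstructs the tree from (pid, ppid, image, command line) records and flags both. The records are transcribed from the tree above; the parent PIDs of the three roots are set to 0 by assumption, since the report shows nesting rather than explicit PPIDs.

```python
import re
from collections import defaultdict

# Process records transcribed from this report's "Processes" tree:
# (pid, ppid, image path, command line). A ppid of 0 marks a tree root
# (assumption: the report does not state the real parent of the roots).
PROCS = [
    (1228, 0, r"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"'),
    (4388, 1228, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (2212, 1228, r"C:\ProgramData\7204.tmp", r'"C:\ProgramData\7204.tmp"'),
    (4560, 2212, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7204.tmp >> NUL'),
    (4704, 0, r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
    (3728, 0, r"C:\Windows\system32\printfilterpipelinesvc.exe",
     r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"),
    (1892, 3728, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     r'/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CDCC65CB-3C4C-40D5-81B2-1C7B2726F9AE}.xps" 133548629934880000'),
]

# "DEL [/switches] <target>" or "ERASE ..." inside a cmd.exe command line.
DEL_RE = re.compile(r"\b(?:del|erase)\b\s+(?:/\w\s+)*(\S+)", re.I)


def basename(path):
    return path.strip('"').split("\\")[-1].lower()


def short_name_match(a, b):
    """True if two paths name the same file, tolerating 8.3 short names.

    The file name must match exactly; a directory component matches when equal
    or when one side is a NAME~N short form whose prefix the other side starts
    with (so PROGRA~3 matches ProgramData). This is a heuristic: without the
    live file system the real short-name mapping cannot be resolved.
    """
    pa = a.strip('"').lower().split("\\")
    pb = b.strip('"').lower().split("\\")
    if pa[-1] != pb[-1] or len(pa) != len(pb):
        return False
    for x, y in zip(pa[:-1], pb[:-1]):
        if x == y:
            continue
        sx, sy = x.split("~")[0], y.split("~")[0]
        if ("~" in x and y.replace(" ", "").startswith(sx)) or \
           ("~" in y and x.replace(" ", "").startswith(sy)):
            continue
        return False
    return True


def find_self_delete(procs):
    """(parent pid, parent image) pairs where a child cmd.exe deletes the parent's own file."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if basename(image) != "cmd.exe" or ppid not in by_pid:
            continue
        m = DEL_RE.search(cmdline)
        if m and short_name_match(m.group(1), by_pid[ppid][2]):
            hits.append((ppid, by_pid[ppid][2]))
    return hits


def find_wow64_redirection(procs):
    """PIDs whose command line names System32 but whose image is under SysWOW64.

    That mismatch means the creating process is 32-bit and the WOW64 file-system
    redirector rewrote the path, which tells you the helper's bitness before
    you open it in a disassembler.
    """
    return [pid for pid, _, image, cmdline in procs
            if "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()]


def find_dropped_exec(procs, staging=("\\programdata\\", "\\appdata\\local\\temp\\")):
    """PIDs executed from a writable staging directory under a non-.exe name (e.g. 7204.tmp)."""
    return [pid for pid, _, image, _ in procs
            if any(s in image.lower() for s in staging) and not image.lower().endswith(".exe")]


def render_tree(procs):
    """Indented one-line-per-process view, roots first, children nested."""
    kids = defaultdict(list)
    for p in procs:
        kids[p[1]].append(p)
    lines = []

    def walk(ppid, depth):
        for pid, _, image, cmdline in kids.get(ppid, []):
            lines.append("  " * depth + f"[{pid}] {cmdline}")
            walk(pid, depth + 1)

    walk(0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("self-delete:", find_self_delete(PROCS))
    print("wow64 redirection:", find_wow64_redirection(PROCS))
    print("dropped non-.exe helpers:", find_dropped_exec(PROCS))
```

On this report the three checks agree: PID 2212 is a 32-bit helper run from ProgramData under a .tmp name and erased by its own child, which is the process to pull from the sandbox's dropped-files list (the 14KB download below is the likeliest candidate by size, though the report does not name it) before it is lost on a real host.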
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 129B
MD5: fdd8bcba95cd2fe6e9366becd3cdd387
SHA1: b65ebdd364482e2fbc0a64bdeead1d621c988371
SHA256: cf273e0d006ab0087a507742363b6f07b847bd115a4d90996aec21957da05bb8
SHA512: ff39d97c08041bcc8eb6eb23b53458c338ecf685fc4996248b07d55150395c44e53a0b8f1cbce3551bd0921d552877d8b48b44224e42e0e4cb1eedd8624b286e
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 150KB
MD5: 01305591a939831adea911335cefa9e4
SHA1: f1ccfdf2ca0133d13badc7e46f3480da797cddce
SHA256: 8dd0b35f49370bd361f881dcd12c96b48ab984d15c9b37a4b558531a8d9cfc7d
SHA512: 1ee971dc38de84cbb566e032a7ed7d37b19ff882656a3537b46834834db6fa620d44429c2444fb53ed2245b1a6c04fab9818d383995216e973d2578cc3b83eb8
-
Filesize: 4KB
MD5: b4482fbb6f39a9bccc9b4bc6d2f9cb08
SHA1: c87d789320540768daca4266573c1527e25a82f8
SHA256: bfb20c3d1e24d8371a93b0c83029a6c02e632c929e4769063ff5778c7d2682b3
SHA512: 719841d1f1ccaf2e291a4ade6f09831bc64b8fa6eed2c95b79e2494df1bb4d20f5a568d687041424c7d43ec055a75115f97a5d25fb98b32bca352665ff8fe3b0
-
Filesize: 4KB
MD5: b38c3db742cb931cf39921265c54b474
SHA1: b184aec4101c4168c174cb0b1019c234184dbc3e
SHA256: bb3c0b720d3e8f15981409cd12eaa7376215b939c7f56e16f5af40c96f959e34
SHA512: be0e50d3bb60bd7e85b0e2d75e728294c6987116fa68a2e009bc1ed09d1dcb31178a6061e5cc2a81c4b10fc1a9acd3fb32947181b83fc89513519a01716a6898
-
Filesize: 3KB
MD5: e97d34970e4571a5d1cfc0e46789b0d4
SHA1: e22fef2efd8c0550f6e73ab0dfe9db7b512acf67
SHA256: 7092c5caa9c986bd2430dd0b1a247c12ceb39ca49c632cfa8b1af1c8f21eba11
SHA512: 6bbd5671e98c1bfdcfb10a35199766bca0bac36b868857841198f837a75562d8629e9e8c2091ab13e562fc3b99d9f482c26527c1b9ffed1fcc17edec123a94f5
-
Filesize: 129B
MD5: 1c18f498d2cad6d69fc7cff870952b0c
SHA1: 37de1830bac1ca30f847cb841bfed11e443d8ee1
SHA256: 762a83ced2d65e79e46c06780a9f6908ec8c8436892d26f6aae62a8011226df7
SHA512: ad46f34b24d557c0ab3a3d2a7dadbbd147efad20f6f3cf271eb71615e12c096200f47dd6f1be7feb160e05028a09eb7d0e60d799dc34d8820d0873c270237d58