Malware Analysis Report

2024-11-13 15:03

Sample ID 240314-eq47tacd44
Target 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580
SHA256 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580

Threat Level: Known bad

The file 3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (367) files with added filename extension

Renames multiple (577) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:09

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:09

Reported

2024-03-14 04:12

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (367) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\3E29.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\3E29.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\wkyNXZoXP.bmp" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\wkyNXZoXP.bmp" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\3E29.tmp N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
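
Taken together, the wallpaper, Control Panel and registry class rows above are one action with one token. wkyNXZoXP is the extension appended to encrypted files (.wkyNXZoXP), the ProgID it maps to, the DefaultIcon file C:\ProgramData\wkyNXZoXP.ico, the wallpaper C:\ProgramData\wkyNXZoXP.bmp, and the name of the ransom note C:\wkyNXZoXP.README.txt listed under Files. Legitimate installers also create HKLM\SOFTWARE\Classes\.<ext> with a DefaultIcon, so the registration alone is a weak signal; the wallpaper set by the same process to a file with the same stem, plus a ProgID that is the bare extension, is what makes it a ransomware signal. The Python below is an added example, not part of this report or of the sample, that performs that correlation over Sysmon-style registry events. The input records are constructed: five re-encode the rows above, two model a benign installer; the field names event_id, image, target_object and details are assumptions modelled on Sysmon Event ID 12/13.

```python
"""Correlate registry events into one ransomware "file-type branding" finding.

Added example: not part of the sandbox report or the LockBit sample. Records
mimic Sysmon registry events (EventID 12 = key created, 13 = value set); the
field names are assumptions and the sample data below is constructed from the
rows in the report plus a constructed benign installer.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Kernel-style (\REGISTRY\MACHINE) and Sysmon-style (HKLM) prefixes, one spelling.
_HIVES = {
    "\\registry\\machine\\": "HKLM\\",
    "\\registry\\user\\": "HKU\\",
    "hkey_local_machine\\": "HKLM\\",
    "hkey_users\\": "HKU\\",
}

_EXT_DEFAULT = re.compile(r"^HKLM\\SOFTWARE\\Classes\\\.([^\\]+)$", re.I)
_ICON_DEFAULT = re.compile(r"^HKLM\\SOFTWARE\\Classes\\([^\\.][^\\]*)\\DefaultIcon$", re.I)
_WALLPAPER = re.compile(r"^HKU\\[^\\]+\\Control Panel\\Desktop\\Wallpaper$", re.I)


def norm_key(path: str) -> str:
    """Unify the hive prefix and drop the trailing backslash that marks a (Default) value."""
    low = path.lower()
    for prefix, repl in _HIVES.items():
        if low.startswith(prefix):
            path = repl + path[len(prefix):]
            break
    return path.rstrip("\\")


def stem(path: str) -> str:
    """File name without directory and extension: C:\\ProgramData\\x.bmp -> x."""
    name = path.replace("\\\\", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


@dataclass
class Finding:
    image: str
    extension: str
    icon: str
    wallpaper: str
    evidence: list = field(default_factory=list)


def correlate(events):
    """One process registers a new extension whose ProgID is the bare extension,
    points the ProgID's DefaultIcon at a file, and sets the wallpaper to a file
    with the same stem. Installers do the first two with a dotted ProgID and
    never the third, so requiring all three keeps them out."""
    per_image = defaultdict(lambda: {"ext": {}, "icon": {}, "wall": None, "ev": []})
    for ev in events:
        if ev["event_id"] != 13:          # only value-set events carry the data
            continue
        key, data, st = norm_key(ev["target_object"]), ev["details"], per_image[ev["image"]]
        if m := _EXT_DEFAULT.match(key):
            st["ext"][m.group(1)] = data   # ".<ext>" (Default) -> ProgID
            st["ev"].append(ev)
        elif m := _ICON_DEFAULT.match(key):
            st["icon"][m.group(1).lower()] = data  # ProgID -> icon path
            st["ev"].append(ev)
        elif _WALLPAPER.match(key):
            st["wall"] = data
            st["ev"].append(ev)

    findings = []
    for image, st in per_image.items():
        if st["wall"] is None:
            continue
        for ext, progid in st["ext"].items():
            icon = st["icon"].get(progid.lower())
            if icon is None or progid.lower() != ext.lower():
                continue
            if stem(icon).lower() == ext.lower() == stem(st["wall"]).lower():
                findings.append(Finding(image, ext, icon, st["wall"], list(st["ev"])))
    return findings


LOCKBIT = r"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"
INSTALLER = r"C:\Users\Admin\Downloads\myapp-setup.exe"   # constructed benign process
_SID = "S-1-5-21-2721934792-624042501-2768869379-1000"

# Constructed records; the first five re-encode rows from the report above.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": LOCKBIT, "target_object": f"\\REGISTRY\\USER\\{_SID}\\Control Panel\\Desktop\\WallPaper", "details": r"C:\ProgramData\wkyNXZoXP.bmp"},
    {"event_id": 13, "image": LOCKBIT, "target_object": f"\\REGISTRY\\USER\\{_SID}\\Control Panel\\Desktop\\WallpaperStyle", "details": "10"},
    {"event_id": 12, "image": LOCKBIT, "target_object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\wkyNXZoXP", "details": ""},
    {"event_id": 13, "image": LOCKBIT, "target_object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\wkyNXZoXP\\DefaultIcon\\", "details": r"C:\ProgramData\wkyNXZoXP.ico"},
    {"event_id": 13, "image": LOCKBIT, "target_object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.wkyNXZoXP\\", "details": "wkyNXZoXP"},
    {"event_id": 13, "image": INSTALLER, "target_object": r"HKLM\SOFTWARE\Classes\.myapp", "details": "MyApp.Document"},
    {"event_id": 13, "image": INSTALLER, "target_object": r"HKLM\SOFTWARE\Classes\MyApp.Document\DefaultIcon", "details": r"C:\Program Files\MyApp\app.exe,0"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.image}\n  extension .{f.extension}, icon {f.icon}, wallpaper {f.wallpaper}, {len(f.evidence)} events")
```

Run stand-alone it reports the single finding for the sample process and nothing for the constructed installer; dropping the WallPaper record makes the finding disappear, which is the point of requiring the correlation rather than the ProgID registration alone.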

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A (14 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: 36 (LUID left unresolved by the sandbox; winnt.h SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: 33 (LUID left unresolved by the sandbox; winnt.h SE_INC_WORKING_SET_PRIVILEGE = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
(the four rows above recur 12 times in a row, 48 events in total)

Processes

C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe

"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"

C:\ProgramData\3E29.tmp

"C:\ProgramData\3E29.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3E29.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c
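
The process list above is the chain behind the 'Executes dropped EXE' and 'Deletes itself' signatures. The sample writes a small PE to C:\ProgramData\3E29.tmp and runs it; 3E29.tmp then spawns cmd.exe with /C DEL /F /Q C:\PROGRA~3\3E29.tmp >> NUL, and PROGRA~3 is the 8.3 short name that C:\ProgramData carries on a default install, so the command deletes the parent's own image once it exits. The image path C:\Windows\SysWOW64\cmd.exe against a command line naming C:\Windows\System32\cmd.exe is WOW64 file-system redirection, which tells you the helper that launched it is a 32-bit process. The Python below is an added example, not part of this report or of the sample, that flags all three points over process-creation records. The records are constructed from this list; pids, ppids and the field names are assumptions (the memory-dump names under Files suggest 2260 and 2912 for the first two processes), and the 8.3 mapping is an assumption to confirm on the host with dir /x.

```python
"""Flag the dropper -> helper -> self-delete chain from the process list.

Added example: not part of the sandbox report or the LockBit sample. Records
are constructed from the behavioral1 process list; pids, ppids and the field
names are assumptions (the memory-dump names in the Files section suggest 2260
and 2912 for the first two processes).
"""
import re
from pathlib import PureWindowsPath

# 8.3 short names as created on a default English 64-bit install. They are
# assigned in creation order per volume, so this mapping is an assumption:
# confirm with `dir /x C:\` on the host being investigated.
SHORT_NAMES = {
    "progra~1": "Program Files",
    "progra~2": "Program Files (x86)",
    "progra~3": "ProgramData",
}

# Extensions that should never be the on-disk image of a running process.
NON_EXEC_EXTS = {".tmp", ".dat", ".bin", ".log", ".txt"}

_CMD_C = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\b', re.I)
_DEL = re.compile(r'\bDEL\b((?:\s+/[a-z](?::\S+)?)*)\s+("[^"]+"|[^\s>]+)', re.I)


def expand_short(path: str) -> str:
    """Replace known 8.3 components: C:\\PROGRA~3\\x.tmp -> C:\\ProgramData\\x.tmp."""
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*(SHORT_NAMES.get(p.lower(), p) for p in parts)))


def del_target(cmdline: str):
    """Path named by a `cmd /C DEL [switches] <path>` command line, else None."""
    if not _CMD_C.search(cmdline):
        return None
    m = _DEL.search(cmdline)
    return m.group(2).strip('"') if m else None


def first_token(cmdline: str) -> str:
    """The program as named on the command line (quoted or bare)."""
    return cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]


def analyse(procs):
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        image = PureWindowsPath(p["image"])
        low = str(image).lower()
        # 1. A PE running from the ProgramData root under a non-executable extension.
        if low.startswith("c:\\programdata\\") and image.suffix.lower() in NON_EXEC_EXTS:
            findings.append(("dropped_pe_as_tmp", p["pid"], str(image)))
        # 2. On-disk image is the SysWOW64 copy while the command line names System32:
        #    WOW64 file-system redirection, so the parent that spawned it is 32-bit.
        if low.startswith("c:\\windows\\syswow64\\") and first_token(p["cmdline"]).lower().startswith("c:\\windows\\system32\\"):
            findings.append(("wow64_redirected", p["pid"], p["ppid"]))
        # 3. cmd.exe deleting its parent's own image after short-name expansion: the self-delete stub.
        target, parent = del_target(p["cmdline"]), by_pid.get(p["ppid"])
        if target and parent and expand_short(target).lower() == expand_short(parent["image"]).lower():
            findings.append(("self_delete", p["pid"], parent["pid"], expand_short(target)))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"
PROCS = [  # constructed from the process list above; pids/ppids are assumptions
    {"pid": 2260, "ppid": 1500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2912, "ppid": 2260, "image": r"C:\ProgramData\3E29.tmp", "cmdline": '"C:\\ProgramData\\3E29.tmp"'},
    {"pid": 3040, "ppid": 2912, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C DEL /F /Q C:\\PROGRA~3\\3E29.tmp >> NUL'},
    {"pid": 3104, "ppid": 780, "image": r"C:\Windows\system32\AUDIODG.EXE", "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x14c"},
]

if __name__ == "__main__":
    for f in analyse(PROCS):
        print(f)
```

The self-delete check matches on the resolved path rather than the literal string, because the deleter names its target by short name while process-creation telemetry records the helper's image by long name; a string comparison would miss exactly this case. AUDIODG.EXE, a normal system process in the same list, produces no finding.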

Network

N/A

Files

memory/2260-0-0x0000000002260000-0x00000000022A0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\BBBBBBBBBBB

MD5 f5cc7ce9ceaf9846a93386fef0fc3f0c
SHA1 9f47a4635f3a8c74908207195a68b4349f69b715
SHA256 1fc1c25a27e6c5cc1059139c3067091f682ac4c62478a2e5b126e1b1badc547a
SHA512 e477f687e2b857ee3ccc2c0a8293fc5b278e91bd6a9e354393fe8f9f19d59605ad37695cf668365861110770739a7041660c4d7b8da5d4a1d9e40b6a9a052946

C:\wkyNXZoXP.README.txt

MD5 e86025b0b98e352f191ae26f166a6008
SHA1 a40d1ad411862e30f085a145bcf2ed5dedb83f12
SHA256 b577f2812c6db0bd8e448bdfb904ff8a265f51d37f3fdd67216eaeb77d9561ff
SHA512 9a9ca28d55f2437af359908ca26b21fb701801a32f24494b8d29c0c3d04611ddd10deb7a3415e31727d5466b303691b59e6ff0928670bf1a7f4a4281ffc060bc

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD

MD5 633e612e5e3fb76cd20e623e6ffa30c8
SHA1 3f277eec721fc8f45033e9021a3d3e7bc9964432
SHA256 21fdc07481aab4405f0f7626fd5efb35542480ebe4a79df65a64e16d6ce48876
SHA512 ac94ee147c63dc3f12bb59409ca67a71667a8b176d06698f733a31bf5c22f54edbfd18fb668054aa7bff6d5e26c465d80cff6d4fe1e4b4831fa937507faa14eb

\ProgramData\3E29.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2912-892-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2912-894-0x00000000022D0000-0x0000000002310000-memory.dmp

memory/2912-895-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2912-903-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2912-904-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

MD5 3051f6766866877e621b6f1d6b9edaa5
SHA1 d20f50a3d42f187ef0a5b977d1a6a3896df5e5e7
SHA256 7e54e843bcecfab476bba103309cee041816c371f22d0214ec7d8bb87082a732
SHA512 26e8223e402f10ca8ddca013d5df48115d79ba1c56423ea62795e488d98047f3b75bd17d86c77c3f702463163bada6f3d27a6205d9c0ed94685c4b10a12384a8

memory/2912-926-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2912-927-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2912-928-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:09

Reported

2024-03-14 04:12

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (577) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\ProgramData\7204.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\7204.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7204.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP59hps0xy_6teao91ygbhcv4zb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPfdr197gzkdhyxle245pgi_hjc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPbzzlgzxm9jw_13d6pm2mgcezb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\wkyNXZoXP.bmp" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\wkyNXZoXP.bmp" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\7204.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: 36 (LUID left unresolved by the sandbox; winnt.h SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeIncreaseBasePriorityPrivilege (reported as SeIncBasePriorityPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: 33 (LUID 33, name not resolved in the report; SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeProfileSingleProcessPrivilege (reported as SeProfSingleProcessPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe N/A
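The table above is what a sandbox emits when the sample enables privileges through AdjustTokenPrivileges: two entries are raw LUIDs the report did not map to names, some sandboxes shorten names such as SeIncreaseBasePriorityPrivilege, and most rows are repeats of the same few privileges. The following Python is an added example by the editor, not part of the report or of the LockBit toolset. It parses rows of this shape (ROWS is a constructed excerpt in the report's format, using the sample's path), resolves numeric LUIDs through the SE_*_PRIVILEGE table from winnt.h, normalizes the shortened spellings, and flags the privileges that let a process read, replace and take ownership of files regardless of their ACLs. The one-line risk notes are the editor's summary.

```python
"""Resolve and assess privileges enabled via AdjustTokenPrivileges.

Added example (editor's code, not part of the sandbox report). ROWS is a
constructed excerpt in the report's row format; LUID_NAMES follows the
SE_*_PRIVILEGE constants in winnt.h.
"""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe")

# Constructed excerpt: the fifteen distinct entries of the table, followed by
# the repeated SeDebug/SeBackup/SeSecurity pattern that fills the rest of it.
_TOKENS = [
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "36",
    "SeImpersonatePrivilege", "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
    "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege",
] + ["SeBackupPrivilege", "SeBackupPrivilege", "SeSecurityPrivilege", "SeSecurityPrivilege"] * 3
ROWS = "\n".join(f"Token: {t} N/A {SAMPLE} N/A" for t in _TOKENS)

# LUID -> privilege name (SE_*_PRIVILEGE values from winnt.h).
LUID_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege", 8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege",
    13: "SeProfileSingleProcessPrivilege", 14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Shortened spellings some sandboxes emit -> canonical Windows names.
ALIASES = {
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
}

# Why each privilege matters for a file encryptor (editor's notes).
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file regardless of its ACL (backup semantics)",
    "SeRestorePrivilege": "write or replace any file and set arbitrary owners",
    "SeTakeOwnershipPrivilege": "take ownership of objects whose ACL denies access",
    "SeSecurityPrivilege": "read and clear the Security event log",
    "SeDebugPrivilege": "open any process, e.g. to terminate backup agents",
    "SeManageVolumePrivilege": "open volume handles directly (e.g. to wipe free space)",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "start processes under another user's token",
}

_ROW_RE = re.compile(r"^Token:\s+(\S+)")


def normalize(token: str) -> str:
    """Map a raw table token (name or decimal LUID) to a canonical privilege name."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID {token}")
    return ALIASES.get(token, token)


def parse_rows(text: str) -> Counter:
    """Count how often each (normalized) privilege was enabled."""
    counts = Counter()
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            counts[normalize(m.group(1))] += 1
    return counts


def assess(counts: Counter) -> dict:
    """Return the high-impact privileges present, with the reason each matters."""
    return {name: why for name, why in HIGH_IMPACT.items() if counts.get(name)}


if __name__ == "__main__":
    c = parse_rows(ROWS)
    print(f"{sum(c.values())} rows, {len(c)} distinct privileges")
    for name, why in assess(c).items():
        print(f"  {name:<42} x{c[name]:<3} {why}")
```

Counting rather than deduplicating is deliberate: the alternating SeBackupPrivilege/SeSecurityPrivilege rows show the sample re-enabling those two privileges repeatedly while it walks the file system, which is itself a behavioural signal a flat set of names would hide.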

Suspicious use of WriteProcessMemory

The writes into splwow64.exe, and from printfilterpipelinesvc.exe into ONENOTE.EXE, are the Windows print path rather than code injection. A 32-bit process printing on 64-bit Windows starts splwow64.exe (the print driver host for 32-bit applications), and a job sent to the OneNote printer is rendered to an .xps file under INetCache and handed to ONENOTE.EXE /insertdoc, which is exactly what the Processes list below shows. Together with the ransom note drop this matches LockBit 3.0's printing of its ransom note to available printers. The writes from the sample (PID 1228) into C:\ProgramData\7204.tmp (PID 2212), and from 7204.tmp into cmd.exe (PID 4560), correspond to the sample spawning its self-deletion helper and the helper spawning the cmd.exe that deletes it.

Description Indicator Process Target
PID 1228 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\Windows\splwow64.exe
PID 1228 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\Windows\splwow64.exe
PID 3728 wrote to memory of 1892 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 3728 wrote to memory of 1892 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\ProgramData\7204.tmp
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\ProgramData\7204.tmp
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\ProgramData\7204.tmp
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe C:\ProgramData\7204.tmp
PID 2212 wrote to memory of 4560 N/A C:\ProgramData\7204.tmp C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4560 N/A C:\ProgramData\7204.tmp C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4560 N/A C:\ProgramData\7204.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe

"C:\Users\Admin\AppData\Local\Temp\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CDCC65CB-3C4C-40D5-81B2-1C7B2726F9AE}.xps" 133548629934880000

C:\ProgramData\7204.tmp

"C:\ProgramData\7204.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7204.tmp >> NUL
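The self-deletion routine visible above (sample, then C:\ProgramData\7204.tmp, then cmd.exe /C DEL /F /Q C:\PROGRA~3\7204.tmp >> NUL) has two properties that defeat naive string matching: the deletion target is written with the 8.3 short name PROGRA~3 rather than ProgramData, and the command line names System32\cmd.exe while the process image is SysWOW64\cmd.exe, because the 32-bit helper is subject to WOW64 file-system redirection. The following Python is an added example by the editor, not part of the report. It reconstructs the chain from process-creation events constructed from the PIDs, image paths and command lines in this report (the pid/ppid/image/cmdline record layout is a generic Sysmon-style assumption, and the 8.3 alias table reflects typical default installs, not a guarantee), and flags any cmd.exe DEL whose target is its own parent's image.

```python
"""Detect a drop-and-self-delete chain from process-creation events.

Added example (editor's code, not part of the sandbox report). EVENTS is
constructed from the PIDs, image paths and command lines in the report; the
record layout (pid/ppid/image/cmdline) is a generic Sysmon-style assumption.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3766cc743fed6fdb2d9f7822f85e5b9bbafcbdccc25a1fe608bff12699849580.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 = parent not present in the report
    image: str
    cmdline: str


# Constructed from the report's Processes and WriteProcessMemory sections.
EVENTS = [
    ProcEvent(1228, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4388, 1228, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2212, 1228, r"C:\ProgramData\7204.tmp", r'"C:\ProgramData\7204.tmp"'),
    ProcEvent(4560, 2212, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7204.tmp >> NUL'),
    ProcEvent(3728, 0, r"C:\Windows\system32\printfilterpipelinesvc.exe",
              r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"),
    ProcEvent(1892, 3728, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache'
              r'\{CDCC65CB-3C4C-40D5-81B2-1C7B2726F9AE}.xps" 133548629934880000'),
]

# 8.3 short names as they typically appear on a default install (assumption, not guaranteed).
SHORT_NAMES = {
    "progra~1": "Program Files",
    "progra~2": "Program Files (x86)",
    "progra~3": "ProgramData",
}

# cmd.exe "DEL" with optional switches; the first non-switch argument is the target.
_DEL_RE = re.compile(r"\bDEL\s+(?:/[A-Z]\s+)*(?P<target>[^\s>&|]+)", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and expand known 8.3 aliases so comparisons hold."""
    parts = path.strip('"').split("\\")
    return "\\".join(SHORT_NAMES.get(p.lower(), p) for p in parts).lower()


def wow64_redirected(ev: ProcEvent) -> bool:
    """True when the caller asked for System32 but the image is under SysWOW64."""
    return "\\system32\\" in ev.cmdline.lower() and "\\syswow64\\" in ev.image.lower()


def find_self_delete_chains(events):
    """Return (dropper, helper, cmdline) for every cmd.exe DEL aimed at its parent's image."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = _DEL_RE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if not m or parent is None:
            continue
        if normalize_path(m.group("target")) != normalize_path(parent.image):
            continue  # deleting something else; not the self-delete idiom
        grandparent = by_pid.get(parent.ppid)
        chains.append((grandparent.image if grandparent else None, parent.image, ev.cmdline))
    return chains


if __name__ == "__main__":
    for dropper, helper, cmd in find_self_delete_chains(EVENTS):
        print(f"{dropper}\n  -> {helper}\n     -> {cmd}")
```

Matching the DEL target against the parent's own image, rather than against a path pattern, keeps the rule independent of the random helper name and of whether the path appears in long or 8.3 form; the print-path processes in the same event set produce no hit.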

Network

All traffic recorded in this run consists of reverse (PTR) lookups through 8.8.8.8 for addresses in Microsoft and content-delivery ranges, plus TLS to tse1.mm.bing.net (204.79.197.200), i.e. background activity of Windows and of the Office/OneNote instance started during detonation. No connection to attacker-controlled infrastructure was observed, and the encryption and ransom note drop did not depend on any network contact.

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

Three artifacts below identify the run. C:\wkyNXZoXP.README.txt is the ransom note, named in LockBit 3.0's <extension>.README.txt form, so the files renamed during encryption carry the appended extension .wkyNXZoXP. C:\ProgramData\7204.tmp is the dropped self-deletion helper that spawns the cmd.exe DEL command in the Processes list. The entry under AppData\Local\Temp whose name is a run of D characters is the original sample after that helper renamed it, which is what the "Deletes itself" and "RenamesItself" signatures reflect. The OneNote .onetoc2 entries belong to the ONENOTE.EXE instance launched through the print path, not to the sample's own file writes.

memory/1228-0-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/1228-1-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/1228-2-0x00000000029D0000-0x00000000029E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini

MD5 fdd8bcba95cd2fe6e9366becd3cdd387
SHA1 b65ebdd364482e2fbc0a64bdeead1d621c988371
SHA256 cf273e0d006ab0087a507742363b6f07b847bd115a4d90996aec21957da05bb8
SHA512 ff39d97c08041bcc8eb6eb23b53458c338ecf685fc4996248b07d55150395c44e53a0b8f1cbce3551bd0921d552877d8b48b44224e42e0e4cb1eedd8624b286e

C:\wkyNXZoXP.README.txt

MD5 e97d34970e4571a5d1cfc0e46789b0d4
SHA1 e22fef2efd8c0550f6e73ab0dfe9db7b512acf67
SHA256 7092c5caa9c986bd2430dd0b1a247c12ceb39ca49c632cfa8b1af1c8f21eba11
SHA512 6bbd5671e98c1bfdcfb10a35199766bca0bac36b868857841198f837a75562d8629e9e8c2091ab13e562fc3b99d9f482c26527c1b9ffed1fcc17edec123a94f5

F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\DDDDDDDDDDD

MD5 1c18f498d2cad6d69fc7cff870952b0c
SHA1 37de1830bac1ca30f847cb841bfed11e443d8ee1
SHA256 762a83ced2d65e79e46c06780a9f6908ec8c8436892d26f6aae62a8011226df7
SHA512 ad46f34b24d557c0ab3a3d2a7dadbbd147efad20f6f3cf271eb71615e12c096200f47dd6f1be7feb160e05028a09eb7d0e60d799dc34d8820d0873c270237d58

C:\ProgramData\7204.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1892-2747-0x00007FFDE19B0000-0x00007FFDE19C0000-memory.dmp

memory/2212-2748-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 01305591a939831adea911335cefa9e4
SHA1 f1ccfdf2ca0133d13badc7e46f3480da797cddce
SHA256 8dd0b35f49370bd361f881dcd12c96b48ab984d15c9b37a4b558531a8d9cfc7d
SHA512 1ee971dc38de84cbb566e032a7ed7d37b19ff882656a3537b46834834db6fa620d44429c2444fb53ed2245b1a6c04fab9818d383995216e973d2578cc3b83eb8

memory/2212-2750-0x0000000002360000-0x0000000002370000-memory.dmp

memory/1892-2749-0x00007FFDE19B0000-0x00007FFDE19C0000-memory.dmp

memory/1892-2779-0x00007FFDE19B0000-0x00007FFDE19C0000-memory.dmp

memory/2212-2783-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2212-2781-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1892-2782-0x00007FFDE19B0000-0x00007FFDE19C0000-memory.dmp

memory/2212-2780-0x0000000002360000-0x0000000002370000-memory.dmp

memory/1892-2784-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2786-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2785-0x00007FFDE19B0000-0x00007FFDE19C0000-memory.dmp

memory/1892-2787-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2788-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2790-0x00007FFDDF730000-0x00007FFDDF740000-memory.dmp

memory/1892-2789-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2791-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2793-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2794-0x00007FFDDF730000-0x00007FFDDF740000-memory.dmp

memory/1892-2792-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2795-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2796-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2797-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2798-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2799-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2800-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2801-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2802-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2803-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 b4482fbb6f39a9bccc9b4bc6d2f9cb08
SHA1 c87d789320540768daca4266573c1527e25a82f8
SHA256 bfb20c3d1e24d8371a93b0c83029a6c02e632c929e4769063ff5778c7d2682b3
SHA512 719841d1f1ccaf2e291a4ade6f09831bc64b8fa6eed2c95b79e2494df1bb4d20f5a568d687041424c7d43ec055a75115f97a5d25fb98b32bca352665ff8fe3b0

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 b38c3db742cb931cf39921265c54b474
SHA1 b184aec4101c4168c174cb0b1019c234184dbc3e
SHA256 bb3c0b720d3e8f15981409cd12eaa7376215b939c7f56e16f5af40c96f959e34
SHA512 be0e50d3bb60bd7e85b0e2d75e728294c6987116fa68a2e009bc1ed09d1dcb31178a6061e5cc2a81c4b10fc1a9acd3fb32947181b83fc89513519a01716a6898

memory/1892-2825-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp

memory/1892-2826-0x00007FFE21930000-0x00007FFE21B25000-memory.dmp