Malware Analysis Report

2024-11-15 07:20

Sample ID 240314-es7eysab61
Target 64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1
SHA256 64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1

Threat Level: Known bad

The file 64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Renames multiple (571) files with added filename extension (behavioral2, win10v2004 run)

Renames multiple (279) files with added filename extension (behavioral1, win7 run)

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:13

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:13

Reported

2024-03-14 04:15

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (279) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2194.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2194.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AKEVizErI.bmp" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AKEVizErI.bmp" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI\ = "AKEVizErI" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon\ = "C:\\ProgramData\\AKEVizErI.ico" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
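
The registry rows in this table, the two WallPaper rows under "Sets desktop wallpaper using registry", and the ransom note C:\AKEVizErI.README.txt listed under Files further down are enough to derive this build's host IOCs mechanically. The Python below is an added example written for this report, not sandbox output: it parses indicator lines in the format the tables use, takes the appended extension from the HKCR\.<ext> key, the DefaultIcon and WallPaper values from their rows, and then classifies a constructed directory listing into encrypted files, ransom notes and support files. The note name <ext>.README.txt is taken from the Files section; the user-profile paths in the listing are made up for the demonstration, and the assumption that a note lands in every encrypted directory is not something this report shows.

```python
import re
from dataclasses import dataclass

# Indicator lines copied verbatim from the behavioral1 "Modifies registry class" and
# "Sets desktop wallpaper using registry" tables of this report.
REGISTRY_INDICATORS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI\ = "AKEVizErI"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon\ = "C:\\ProgramData\\AKEVizErI.ico"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AKEVizErI.bmp"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10"',
]

# One sandbox indicator line: '<operation> <registry path>[ = "<value>"]'.
INDICATOR_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key value queried) '
    r'(?P<path>\\REGISTRY\\.*?)(?: = "(?P<value>.*)")?$'
)
# HKCR\.<ext> default value = ProgID; the key name carries the appended extension.
CLASSES_EXT_RE = re.compile(r'\\software\\classes\\\.([a-z0-9]+)\\?$')


@dataclass
class LockbitIocs:
    extension: str   # appended to every encrypted file name
    progid: str      # ProgID registered for that extension under HKCR
    icon: str        # DefaultIcon the ProgID points at (C:\ProgramData\<ext>.ico here)
    wallpaper: str   # bitmap written to Control Panel\Desktop\WallPaper

    @property
    def ransom_note(self) -> str:
        # Naming taken from C:\AKEVizErI.README.txt in the Files section of this report.
        return f"{self.extension}.README.txt"


def parse_indicator(line: str):
    """Split one indicator line into (operation, registry path, value-or-None)."""
    m = INDICATOR_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised indicator line: {line!r}")
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the sandbox doubles backslashes in values
    return m.group("op"), m.group("path"), value


def derive_iocs(lines) -> LockbitIocs:
    """Pull extension, ProgID, icon and wallpaper out of the registry indicators."""
    ext = progid = icon = wallpaper = None
    for line in lines:
        _op, path, value = parse_indicator(line)
        if value is None:
            continue                      # 'Key created' rows carry no value
        low = path.lower()
        m = CLASSES_EXT_RE.search(low)
        if m:
            ext = path[m.start(1):m.end(1)]   # slice the original to keep its case
            progid = value
        elif low.endswith("\\defaulticon\\"):
            icon = value
        elif low.endswith("\\control panel\\desktop\\wallpaper"):
            wallpaper = value
    if None in (ext, progid, icon, wallpaper):
        raise ValueError("indicators do not contain the full extension/icon/wallpaper pattern")
    return LockbitIocs(ext, progid, icon, wallpaper)


def classify_listing(iocs: LockbitIocs, paths):
    """Split a directory listing into encrypted files, ransom notes and support files."""
    suffix = "." + iocs.extension
    encrypted, notes, support = [], [], []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if name == iocs.ransom_note:
            notes.append(p)
        elif p in (iocs.wallpaper, iocs.icon):
            support.append(p)
        elif p.endswith(suffix):
            encrypted.append(p)
    return encrypted, notes, support


# Constructed listing: only the ransom note at C:\ and the two ProgramData files are
# paths this report actually lists; the user files are made up to exercise the matcher.
SAMPLE_LISTING = [
    r"C:\AKEVizErI.README.txt",
    r"C:\ProgramData\AKEVizErI.bmp",
    r"C:\ProgramData\AKEVizErI.ico",
    r"C:\Users\Admin\Documents\budget.xlsx.AKEVizErI",
    r"C:\Users\Admin\Documents\AKEVizErI.README.txt",
    r"C:\Users\Admin\Pictures\holiday.jpg.AKEVizErI",
    r"C:\Users\Admin\Documents\untouched.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    iocs = derive_iocs(REGISTRY_INDICATORS)
    enc, notes, sup = classify_listing(iocs, SAMPLE_LISTING)
    print(f"extension .{iocs.extension}  note {iocs.ransom_note}  wallpaper {iocs.wallpaper}")
    print(f"{len(enc)} encrypted, {len(notes)} ransom notes, {len(sup)} support files")
```

The literal AKEVizErI is specific to this build, so a hunt across a fleet should key on the structure rather than the value: an HKCR\.<random> key whose ProgID's DefaultIcon points into C:\ProgramData with the same stem, a WallPaper value pointing at a .bmp with that stem, and <stem>.README.txt files. Any of the three on its own is a weak signal; all three together match what this report records.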

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe

"C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe"

C:\ProgramData\2194.tmp

"C:\ProgramData\2194.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2194.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x148
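
The process list above shows the pattern behind the "Executes dropped EXE" and "Deletes itself" signatures: the sample runs C:\ProgramData\2194.tmp, which then spawns cmd.exe to delete its own image. Two details matter when turning this into detection logic. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names System32\cmd.exe, because WOW64 redirects a 32-bit caller's System32 to SysWOW64, so the interpreter must be matched by image name rather than by the path in the command line. And the DEL target is written as C:\PROGRA~3\2194.tmp, an 8.3 short name, which will not string-compare against C:\ProgramData\2194.tmp. The Python below is an added example for this report, not sandbox code: it reconstructs the process tree from constructed pids (the image paths and command lines are the ones listed above), finds a cmd.exe DEL whose target is the image of one of its own ancestors, and treats short-name components as prefix matches. The prefix rule is a labelled over-approximation, since the numeric tail of a short name cannot be resolved without the volume.

```python
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # on-disk image path as the kernel saw it
    cmdline: str   # command line as the parent supplied it


# Image paths and command lines are those listed under Processes above; the pids and
# ppids are constructed for this example.
PROCESSES = [
    Proc(2884, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1168, 2884, r"C:\ProgramData\2194.tmp", r'"C:\ProgramData\2194.tmp"'),
    Proc(1340, 1168, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2194.tmp >> NUL'),
    Proc(2012, 700, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x148"),
]

# 'del [/F /Q ...] <target>' anywhere in a cmd.exe command line. The interpreter is
# identified by image name rather than by the path in the command line: a 32-bit
# caller asking for System32\cmd.exe is redirected by WOW64 to SysWOW64\cmd.exe.
DEL_RE = re.compile(r'(?:^|[\s&|])del\s+(?:/\w\s+)*(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
# An unresolved 8.3 short name such as PROGRA~3: up to six characters, a tilde, digits.
SHORT_NAME_RE = re.compile(r'^([^~\\]{1,6})~\d+$')
DROP_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def component_matches(left: str, right: str) -> bool:
    """Compare one path component, accepting an 8.3 short name on the left.

    The numeric tail of a short name cannot be resolved without the volume, so a
    short name is accepted when its stem is a prefix of the long name with spaces
    removed (PROGRA~3 matches ProgramData, but would also match Program Files).
    This over-approximation is deliberate for triage; confirm on the host.
    """
    a, b = left.lower(), right.lower()
    if a == b:
        return True
    m = SHORT_NAME_RE.match(a)
    return bool(m) and b.replace(" ", "").startswith(m.group(1))


def same_path(a: str, b: str) -> bool:
    pa, pb = a.strip('"').split("\\"), b.strip('"').split("\\")
    return len(pa) == len(pb) and all(component_matches(x, y) for x, y in zip(pa, pb))


def is_dropped_executable(p: Proc) -> bool:
    """Image run from a user-writable drop location under a non-executable name,
    as C:\\ProgramData\\2194.tmp is here (an approximation of the sandbox's
    'Executes dropped EXE' signature, whose exact logic this report does not show)."""
    low = p.image.lower()
    return any(d in low for d in DROP_DIRS) and not low.endswith((".exe", ".com", ".scr"))


def find_self_deletions(procs):
    """Return (victim, cmd) pairs: a cmd.exe DEL whose target is the image of one of
    its own ancestors, i.e. a process erasing itself through a child shell."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for cmd in procs:
        if cmd.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        m = DEL_RE.search(cmd.cmdline)
        if not m:
            continue
        ppid = cmd.ppid
        while ppid in by_pid:                     # walk up the tree
            parent = by_pid[ppid]
            if same_path(m.group("target"), parent.image):
                findings.append((parent, cmd))
                break
            ppid = parent.ppid
    return findings


def triage(procs):
    return [
        {"self_deleted": victim.image, "dropped": is_dropped_executable(victim),
         "spawned_by": victim.ppid, "cmd_pid": cmd.pid}
        for victim, cmd in find_self_deletions(procs)
    ]


if __name__ == "__main__":
    for finding in triage(PROCESSES):
        print(finding)
```

The same walk works over EDR process-creation telemetry once the records are mapped onto the Proc fields; the ancestor walk (rather than a parent-only check) also catches variants that insert an extra shell or a timeout between the dropped binary and the DEL.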

Network

N/A

Files

memory/2884-0-0x0000000000780000-0x00000000007C0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini

MD5 ed528078cb895f24515ef1e9d71bf434
SHA1 f0b243155193083fa339795be21a11fc467ddcf2
SHA256 94ec153c10df05f83f42b01c595e3f9400521eb429334b8c95c7e67e86ee7c74
SHA512 287941e7a9444e57a9e23d6bb88e8c8c738404c04ae09241f0624925e18fead7f36e19984e636ff73406792b9611b6d4e5f4b262a0ebb0d7eafb98a631b27430

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD

MD5 cf5c16cc7149674a5a15052dfcbc5fd8
SHA1 53403a89c990ca716ba2252174aae21406b235b3
SHA256 2abe8e643ca04170c0c7ee78b7d4f83d84750807bc5ebac66676f7b448c8d562
SHA512 33a75a59e0f905b0117efa405bf9c1015db292c76014fc3423af426c6775fec46373b4de117305a0a4de9c19fb5439ad4601ffb1fa0c378e706b1b38ca55c828

C:\AKEVizErI.README.txt

MD5 313b20f4a516de48db5cc385cd135140
SHA1 dd7da312fe756a447b6c71259308c37883d3dbc3
SHA256 6fd79160a4cd176bab1772b6e2a626ebb6ad108b7075725537dfc54e5a972f0d
SHA512 f14ff483095a1822c4d0455e875ed4e8e6a529b9895d1ddcd5ee8f960bbe32031226062c5e83f3bf86aa0d77823c99e30c6b6bddd5818814a1cb390ebb75ecb4

\ProgramData\2194.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1168-786-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1168-788-0x00000000002A0000-0x00000000002E0000-memory.dmp

memory/1168-789-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1168-790-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1168-791-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1168-794-0x00000000002A0000-0x00000000002E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 c146c3e2dea7f0e79e0eba412f5f1a69
SHA1 47d64e8b4904bc7f95ef3062b374d0bdc967f9fe
SHA256 fcf534801ac100c5b90eb5194953691615f4c8e789b2fd615fbf186577ea4822
SHA512 f241ce1e21a8aee4c62307fa3ecf4e97cf5735fa540da1260c7dfaca5955d4fa4197abc0d24cb1ffcda7519e7889d4051d32f16320a8c2c7c715c66ca96bde9c

memory/1168-821-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1168-822-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1168-823-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:13

Reported

2024-03-14 04:15

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (571) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\ProgramData\6562.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\6562.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\6562.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Drops file in System32 directory

Note: every row below is written by the print spooler (splwow64.exe and printfilterpipelinesvc.exe) into spool\PRINTERS, not by the sample or its dropped .tmp; it records that a print job was spooled during this run.

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPfjw8mr9es379qa6l121l4vcvc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPn9g09fo0lt9r6wys8pjfilk6b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPturuxaqmm0vqqeavu51yh0ezc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AKEVizErI.bmp" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AKEVizErI.bmp" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Note: this signature and the following one (Enumerates system info in registry) fired on ONENOTE.EXE, not on the sample or its dropped 6562.tmp; they are attributable to the Office process and should not be read as sample behaviour.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon\ = "C:\\ProgramData\\AKEVizErI.ico" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI\ = "AKEVizErI" C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4008 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe C:\Windows\splwow64.exe
PID 448 wrote to memory of 4080 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4008 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe C:\ProgramData\6562.tmp
PID 2712 wrote to memory of 1012 N/A C:\ProgramData\6562.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe

"C:\Users\Admin\AppData\Local\Temp\64aa8889a8b3298487242ae21c9cf97a763bf905223a445d599f76327e8193f1.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8F1BFBED-0409-40E0-BEAF-F2FB2A179882}.xps" 133548632088170000

C:\ProgramData\6562.tmp

"C:\ProgramData\6562.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6562.tmp >> NUL

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\YYYYYYYYYYY

MD5 4a5c02898f87544e9062f312dce7bb94
SHA1 af52d74c943100f7c794bfadc66e5fea41c670ea
SHA256 3a39241610fdb035fd8b1d2a671e313a714db15bed05f8ccedd0f39d5809a60b
SHA512 733b4e833d0bb70919253cbfd180bc342a133115b3e745b4e227cfa24301040b958dc3b7580f54b3b4fc84e11cc5aa4963fb705e7f8e4124a5b38277cacd55ae

C:\AKEVizErI.README.txt

MD5 c386ad5c1bcefc48977be2389beeed82
SHA1 7c807b6090782a6a33afd7ebf17ee20c5545680a
SHA256 27ee26fb3c243be2f4a132f0479bb1a017f94d582f0a3fcfb8eaa0d3648332f4
SHA512 4c0d738108f7809116aabb8c44125f3ee59690fdeb147cdb901ea298535848ef1392827bb0d5cf990701c407a4eb26f59536d68d2cc9c791852dfdcbaec2b3e8

F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\DDDDDDDDDDD

MD5 d43c516a32a5038e7254b0a8f8e2c89f
SHA1 24cd5483de714652941dab71f96ac71a613bbb35
SHA256 fe318f7dff79357f8767ae7a158b6b78cabe6c0a3c817b9adce313a26d26421a
SHA512 38118718d6c74ab9a359307cf645bac788c1b7c9f0fbd838bc0c8331997dbbe8252f0e5978a2bf631e68020537406387b378f791d39e7a58aa5033d757f8f82f

C:\ProgramData\6562.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 bbae21078190b5bf884fa45a2d2a3bbd
SHA1 033fd4f0b1743cccc847a75b17dc6410df9c3127
SHA256 8a0412200d725aa5e4983f472fcaf2a80b2b6262e0932b0919a9ee8bcd574e5f
SHA512 33ade612f999a4490963979021243e25aaba8dec83c88bfd3e91cfa6ad21d28cf5c4e9962eb79d364d7ce6836a82f16b7dd27b889fb94907029877a4db4d5a92

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 651466011f89ff33664d6d7f01296682
SHA1 d69f421dad2e7d02a538881e3425abe76f97c60a
SHA256 1b4066c728e583e46f554e1795cce132ba0e378aec5bca79e3fc600a5351165b
SHA512 0a296d248496b3a37e93fcf4ceaaf518756fc3e7372169469067d67e31d258ecd399c0a2a1c75cc75417e9427062646e62b4e6abe29470eeb325d01d1a5cb3f3