Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:11
Behavioral task: behavioral1
Sample: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Resource: win10v2004-20240226-en
General
Target: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Size: 159KB
MD5: e71ad94e2d5bd95bcaf85fc17acec28f
SHA1: fd5469f26e71f862fb6dd11efd5cd2a7ef90473f
SHA256: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
SHA512: 0d68d07852eca44e47c14efd651aa04479dbba22e97379220aae8f406cd118b89cb72147d1176760118ca23e517c082b1974b553196e62b697b28cb4eb351e3f
SSDEEP: 3072:SuJ9OlKolUa1U197bzhVsmftsmXhBSTE6pSLR7Z:Sufj0zi1dNVsmftJvS46+FZ
Malware Config
Extracted from: F:\o3LDjrpOa.README.txt
Family: lockbit
URLs found in the note (the .onion.ly entries are clearnet gateway mirrors of the .onion services listed first; the twitter and gdpr links are references in the note text, not attacker infrastructure):
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
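The note's URL list mixes three kinds of host: Tor v3 hidden services, clearnet gateway mirrors of the same services (.onion.ly) and ordinary web links. Before loading any of them into a blocklist it is worth checking that each onion address is well-formed, because a single mistyped character in a hand-copied IOC produces an address that belongs to nobody. The script below is an added example, not part of the sandbox report or of LockBit's own code: NOTE is a constructed excerpt that reuses some of the URLs above plus one deliberately malformed address, and the validity check implements the Tor v3 address layout (base32 of pubkey || checksum || version, with checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] and version 3).

```python
"""Triage the contact infrastructure extracted from a LockBit ransom note.

Added example; not part of the sandbox report and not LockBit's code. NOTE is
a constructed excerpt that reuses some of the URLs listed above plus one
deliberately malformed address; it is not a real note body.
"""
import base64
import hashlib
import re

URL_RE = re.compile(r"https?://([a-z0-9.\-]+)\S*", re.I)
V3_LABEL = re.compile(r"^[a-z2-7]{56}$")   # v3 onion: 56 base32 chars (v2 is retired)

NOTE = "\n".join([
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion",
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly",
    "http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion",
    "https://twitter.com/hashtag/lockbit?f=live",
    "https://gdpr.eu/what-is-gdpr/",
    # Constructed: right length and alphabet, but the version byte decodes to 0xE4, not 3.
    "http://" + "notreallockbit" + "x" * 41 + "e" + ".onion",
])


def onion_label(host):
    """Return the 56-char v3 label for <label>.onion or <label>.onion.<tld> gateway hosts."""
    parts = host.lower().split(".")
    if len(parts) >= 2 and parts[-1] == "onion":
        label = parts[-2]
    elif len(parts) >= 3 and parts[-2] == "onion":      # clearnet Tor gateway such as .onion.ly
        label = parts[-3]
    else:
        return None
    return label if V3_LABEL.match(label) else None


def v3_fields(label):
    """Decode pubkey(32) || checksum(2) || version(1) and recompute the checksum
    as SHA3-256(".onion checksum" || pubkey || version)[:2] (Tor rendezvous v3 spec)."""
    raw = base64.b32decode(label.upper())                # 56 base32 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey.hex(), "version": version,
            "checksum_ok": version == 3 and checksum == expected}


def classify(host):
    if onion_label(host) is None:
        return "clearnet"
    return "tor_hidden_service" if host.lower().endswith(".onion") else "onion_gateway"


def triage_note(note):
    """One row per distinct host: where it lives and, for onion hosts, the decoded fields."""
    rows = {}
    for m in URL_RE.finditer(note):
        host = m.group(1).lower()
        if host in rows:
            continue
        row = {"kind": classify(host)}
        label = onion_label(host)
        if label:
            row.update(v3_fields(label))
        rows[host] = row
    return rows


def distinct_services(rows):
    """Collapse .onion and .onion.<tld> mirrors of the same hidden service by public key."""
    return {r["pubkey"] for r in rows.values() if "pubkey" in r}


if __name__ == "__main__":
    result = triage_note(NOTE)
    for host, row in result.items():
        extra = f"version={row['version']} checksum_ok={row['checksum_ok']}" if "pubkey" in row else ""
        print(f"{row['kind']:20} {host}  {extra}")
    print(len(distinct_services(result)), "distinct hidden-service keys")
```

The gateway mirror and its .onion original decode to the same public key, so they count as one service for tracking purposes; the clearnet rows (twitter.com, gdpr.eu) should stay out of any blocklist built from this note.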
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Deletes itself (1 IoC)
Processes:
PID 1800  2829.tmp
Executes dropped EXE (1 IoC)
Processes:
PID 1800  2829.tmp
Loads dropped DLL (1 IoC)
Processes:
PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Drops desktop.ini file(s) (2 IoCs)
Processes: PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp"
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp"
Registry value names are case-insensitive, so "WallPaper" and "Wallpaper" are two writes to the same value; the wallpaper is the ransom image dropped in C:\ProgramData.
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes:
PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe (6 calls)
PID 1800  2829.tmp (6 calls)
ThreadHideFromDebugger detaches the calling thread from any attached debugger; both the sample and its dropped helper use it as an anti-analysis measure.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel (2 IoCs)
Processes: PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10"
Modifies registry class (5 IoCs)
Processes: PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\(Default) = "o3LDjrpOa"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\(Default) = "C:\\ProgramData\\o3LDjrpOa.ico"
These keys register .o3LDjrpOa as a file type and give it the dropped icon, so encrypted files show the LockBit icon in Explorer. The same string o3LDjrpOa is used for the extension, the class name, the icon and wallpaper file names and the ransom-note prefix (o3LDjrpOa.README.txt).
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe (14 events)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
PID 1800  2829.tmp (26 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: PID 1812  54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Privileges enabled, in order:
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege (15 events)
  SeDebugPrivilege (1 event)
  SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated 12 times (48 events)
"33" and "36" are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege (33) and SeDelegateSessionUserImpersonatePrivilege (36). The first burst enables everything an encryptor needs to reach every file and process: SeBackupPrivilege and SeRestorePrivilege open files with backup semantics regardless of their DACL, SeSecurityPrivilege covers SACL access, SeTakeOwnershipPrivilege and SeManageVolumePrivilege handle the rest. The repeated SeBackup/SeSecurity pairs afterwards match per-file privilege toggling during the encryption pass.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1812 (54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe) wrote to memory of PID 1800 (2829.tmp): 5 events
  PID 1800 (2829.tmp) wrote to memory of PID 1260 (cmd.exe): 4 events
Processes
[1] C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"
    PID: 1812
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\2829.tmp
      Command line: "C:\ProgramData\2829.tmp"
      PID: 1800
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2829.tmp >> NUL
        PID: 1260
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
    PID: 836
Notes on the tree: the sample drops and runs 2829.tmp from C:\ProgramData, and that helper removes itself through a child shell (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData, so the DEL target is the helper's own image, which is the "Deletes itself" signature). The shell's command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection, which only applies to 32-bit callers, so 2829.tmp is a 32-bit process. AUDIODG.EXE is the Windows audio device graph isolation process; it appears at the root of the tree with no parent and nothing in this report ties it to the sample.
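Taken one at a time, most of the signatures above have benign explanations (users change wallpapers, installers register file types, cleanup scripts delete temp files); it is the combination on one process chain that marks this run as ransomware. The script below is an added example, not part of the sandbox report: EVENTS is a constructed, Sysmon-like rendering of the findings above (hive names normalised to HKLM/HKU, field names chosen for this script, one benign explorer.exe control event added), and the rules score each process tree by the indicators the report lists. Because an 8.3 short name such as C:\PROGRA~3 cannot be resolved offline, the self-delete rule compares file names rather than full paths.

```python
"""Score the behaviours listed in the Signatures and Processes sections above.

Added example; not part of the sandbox report. EVENTS is a constructed,
Sysmon-like rendering of the report's findings (hive names normalised to
HKLM/HKU, one benign control event added); the field names are this script's
own convention, not a real event schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"
SID = "S-1-5-21-2297530677-1229052932-2803917579-1000"

EVENTS = [
    {"event": "reg_create", "pid": 1812, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\.o3LDjrpOa"},
    {"event": "reg_set", "pid": 1812, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon", "value": r"C:\ProgramData\o3LDjrpOa.ico"},
    {"event": "reg_set", "pid": 1812, "image": SAMPLE,
     "target": rf"HKU\{SID}\Control Panel\Desktop\Wallpaper", "value": r"C:\ProgramData\o3LDjrpOa.bmp"},
    {"event": "file_write", "pid": 1812, "image": SAMPLE,
     "target": rf"C:\$Recycle.Bin\{SID}\desktop.ini"},
    {"event": "proc_create", "pid": 1800, "parent_pid": 1812, "image": r"C:\ProgramData\2829.tmp",
     "parent_image": SAMPLE, "cmdline": r'"C:\ProgramData\2829.tmp"'},
    {"event": "proc_create", "pid": 1260, "parent_pid": 1800, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\ProgramData\2829.tmp",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2829.tmp >> NUL'},
    # Benign control (constructed): a user picks a wallpaper from their own profile.
    {"event": "reg_set", "pid": 4242, "image": r"C:\Windows\explorer.exe",
     "target": rf"HKU\{SID}\Control Panel\Desktop\Wallpaper", "value": r"C:\Users\Admin\Pictures\beach.jpg"},
]

PROGRAMDATA_ART = re.compile(r"^c:\\programdata\\[^\\]+\.(?:ico|bmp)$", re.I)
NEW_EXT_CLASS = re.compile(r"^hklm\\software\\classes\\\.[a-z0-9]+$", re.I)
DEFAULT_ICON = re.compile(r"^hklm\\software\\classes\\[a-z0-9]+\\defaulticon$", re.I)
WALLPAPER = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)
RECYCLE_INI = re.compile(r"\\\$recycle\.bin\\.*\\desktop\.ini$", re.I)
TMP_EXE = re.compile(r"^c:\\programdata\\[^\\]+\.tmp$", re.I)
SELF_DELETE = re.compile(r"/c\s+del\s+(?:/[fqa]\s+)*(\S+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_registry(ev):
    if ev["event"] not in ("reg_create", "reg_set"):
        return None
    target, value = ev["target"], ev.get("value", "")
    if NEW_EXT_CLASS.match(target):
        return "new_file_extension_class"        # registers the encrypted-file extension
    if DEFAULT_ICON.match(target) and PROGRAMDATA_ART.match(value):
        return "default_icon_in_programdata"     # icon for that extension dropped in ProgramData
    if WALLPAPER.search(target) and PROGRAMDATA_ART.match(value):
        return "wallpaper_from_programdata"      # ransom wallpaper; explorer.exe uses profile paths
    return None


def rule_file(ev):
    if ev["event"] == "file_write" and RECYCLE_INI.search(ev["target"]):
        return "recycle_bin_desktop_ini"
    return None


def rule_process(ev):
    if ev["event"] != "proc_create":
        return None
    if TMP_EXE.match(ev["image"]):
        return "tmp_executable_in_programdata"   # "Executes dropped EXE"
    m = SELF_DELETE.search(ev.get("cmdline", ""))
    # Compare file names only: C:\PROGRA~3 is an 8.3 short name we cannot expand offline.
    if m and basename(m.group(1)) == basename(ev.get("parent_image", "")):
        return "self_delete_via_cmd"             # child shell deleting its parent's image
    return None


def root_pid(pid, parents):
    """Walk parent links so every hit lands on the process that started the chain."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def triage_events(events):
    parents = {e["pid"]: e["parent_pid"] for e in events if e["event"] == "proc_create"}
    findings = defaultdict(set)
    for ev in events:
        hit = rule_registry(ev) or rule_file(ev) or rule_process(ev)
        if hit:
            findings[root_pid(ev["pid"], parents)].add(hit)
    return {pid: sorted(hits) for pid, hits in findings.items()}


def verdict(hits):
    """Any one indicator has benign explanations; three or more on one chain does not."""
    if len(hits) >= 3:
        return "ransomware-like"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    for pid, hits in triage_events(EVENTS).items():
        print(pid, verdict(hits), hits)
```

The benign explorer.exe wallpaper change produces no finding at all, because the rule keys on the artefact living in C:\ProgramData rather than on the registry write itself; the sample's chain collects six distinct indicators, all attributed to PID 1812 even though two of them were observed on its descendants.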
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129B
MD5: 0c6c4f867a08ca3dda895a8d98089ebe
SHA1: 448506893a320587b2d28c6e49a16ac9e8a34307
SHA256: cde0f7bed9d74d866d52a4e89ba0ef32ba2930919ea3e90ed62227feac6e3b30
SHA512: a4b7f515c96d4b822679da757bdea91a4e54948332fa24df6436e55e9a9cef407aaee3d3bc648e756c4b6b5e5ed033fba8818cb163d72fb55fcf5ea813c035eb

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 159KB (the same size as the submitted sample, but with different hashes)
MD5: 19799f4ab2dfa09a3fd5d1a02b4568d8
SHA1: 4a9c7a6e9bf9d8214cda50baf2efddfa2ca41bf1
SHA256: 8ae2ef9126d6e9881f115b129bebdd9ec5dfcb8cd0086ef239daff5f1e9fc7ba
SHA512: cb3b095bb12895cb7aebda95100d563ff252c626149b8aec17f2b513f04c8db2c699f58db0e08469e6e8620f956b00a5b0a4a704e90fdf8f783358891cc51ef8

Filesize: 129B
MD5: 890c21a5f87cbc91c5415b4ed1072298
SHA1: d5121319f4dfd5615f451f44f7f6e83a7dc4630c
SHA256: 3deca78e87a7792044aab9582d0c6fe5d09f60103dc3be3576eae8e1469b400e
SHA512: 4a60af88f094abdd4e950cee73203364c1d155c91fcef0a755a4dad3f572deac90c498ed59c02eeaa0dab97a27168c9517d29658e6ed23b599b4a2b35536cb51

Filesize: 10KB
MD5: 47a1dcd21891bbe5addf535dffca0f2a
SHA1: 8a81092466a3ba2d4d7e909da3b044feb4bea276
SHA256: c8e83412c62211f875cbcaa89b3ba02e40249d052faaf375aa5a23affbb4c863
SHA512: ff6440344ab0f27bd8b0b94af088c84250141e6e3febfa89901ce9afda4c798d0f8097e50f8d8ec975929373f9eb2592204559de8f0b4ecad58d38ea0affb718

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf