Analysis
max time kernel: 150s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:11
Behavioral task behavioral1
Sample: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Resource: win10v2004-20240226-en
General
Target: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Size: 159KB
MD5: e71ad94e2d5bd95bcaf85fc17acec28f
SHA1: fd5469f26e71f862fb6dd11efd5cd2a7ef90473f
SHA256: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
SHA512: 0d68d07852eca44e47c14efd651aa04479dbba22e97379220aae8f406cd118b89cb72147d1176760118ca23e517c082b1974b553196e62b697b28cb4eb351e3f
SSDEEP: 3072:SuJ9OlKolUa1U197bzhVsmftsmXhBSTE6pSLR7Z:Sufj0zi1dNVsmftJvS46+FZ
Malware Config
Extracted
Path: C:\Users\o3LDjrpOa.README.txt
Family: lockbit
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
Deletes itself (1 IoC)
Processes: 849D.tmp
pid | process
5468 | 849D.tmp
Executes dropped EXE (1 IoC)
Processes: 849D.tmp
pid | process
5468 | 849D.tmp
Drops desktop.ini file(s) (2 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
description | ioc | process
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Drops file in System32 directory (4 IoCs)
Processes: splwow64.exe, printfilterpipelinesvc.exe
description | ioc | process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP7kduq8u1ygm5z1q6vc59vzuyc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPchitm7ys_6703c2kulibdhyxc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPl56f607vyaqzlyiyfw6zx8b1d.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe, 849D.tmp
pid | process | occurrences
4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 6
5468 | 849D.tmp | 6
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: ONENOTE.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Modifies Control Panel (2 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallpaperStyle = "10" | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Modifies registry class (5 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe, ONENOTE.EXE
pid | process | occurrences
4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 12
5356 | ONENOTE.EXE | 2
Suspicious behavior: RenamesItself (26 IoCs)
Processes: 849D.tmp
pid | process | occurrences
5468 | 849D.tmp | 26
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe
All 64 entries belong to pid 4544 (54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe); identical rows are collapsed with their occurrence count.
description | pid | process | occurrences
Token: SeAssignPrimaryTokenPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeBackupPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 25
Token: SeDebugPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 2
Token: 36 | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeImpersonatePrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeIncBasePriorityPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeIncreaseQuotaPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: 33 | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeManageVolumePrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeProfSingleProcessPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeRestorePrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeSecurityPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 25
Token: SeSystemProfilePrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeTakeOwnershipPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Token: SeShutdownPrivilege | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 1
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: ONENOTE.EXE
pid | process | occurrences
5356 | ONENOTE.EXE | 13
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe, printfilterpipelinesvc.exe
description | pid | process | target process | occurrences
PID 4544 wrote to memory of 4180 | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | splwow64.exe | 2
PID 1420 wrote to memory of 5356 | 1420 | printfilterpipelinesvc.exe | ONENOTE.EXE | 2
PID 4544 wrote to memory of 5468 | 4544 | 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe | 849D.tmp | 4
Processes
Process tree (children indented under their parent; PID shown after each command line):

"C:\Users\Admin\AppData\Local\Temp\54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a.exe"  (PID 4544)
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe 12288  (PID 4180)
    - Drops file in System32 directory
  "C:\ProgramData\849D.tmp"  (PID 5468)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8  (PID 4584)

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (PID 4596)

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding  (PID 1420)
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{25B69333-0052-4D6D-BD75-F7442646BD92}.xps" 133548631655530000  (PID 5356)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads