Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:12
Behavioral task behavioral1
Sample: 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Resource: win10v2004-20240226-en
General

Target: 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Size: 159KB
MD5: eb64e64ca3570dbd5f243f89f176462f
SHA1: 11db0b04095ae910aee0767bf47a34b70b1e1e5c
SHA256: 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0
SHA512: 42bf944dc319b0664868b6ed526329bae1abe9e373aeff64b0157f9363dd80bcf0fbef51562128c186b09d583fa8b87cc3c4461c404629a630cdab26b820583c
SSDEEP: 3072:7uJ9OlKolUa1U197bzhVsmftsG/r3flfwK6Td:7ufj0zi1dNVsmftXr3flp6J
Malware Config

Extracted from: C:\Users\j2e0Pf6Ew.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes itself (1 IoC)
Processes (pid | process):
2476 | C8CB.tmp

Executes dropped EXE (1 IoC)
Processes (pid | process):
2476 | C8CB.tmp
Loads dropped DLL (1 IoC)
Processes (pid | process):
2388 | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Drops desktop.ini file(s) (2 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes (pid | process | occurrences):
2388 | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe | 6
2476 | C8CB.tmp | 6
Modifies Control Panel (2 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallpaperStyle = "10" | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Modifies registry class (5 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon\ = "C:\\ProgramData\\j2e0Pf6Ew.ico" | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew\ = "j2e0Pf6Ew" | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid | process | occurrences):
2388 | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe | 22
Suspicious behavior: RenamesItself (26 IoCs)
Processes (pid | process | occurrences):
2476 | C8CB.tmp | 26
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process), all entries for pid 2388, process 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe, in the order recorded:
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Followed by 48 further entries alternating in pairs: Token: SeBackupPrivilege (x2), Token: SeSecurityPrivilege (x2), repeated 12 times (24 SeBackupPrivilege and 24 SeSecurityPrivilege in total).
Suspicious use of WriteProcessMemory (5 IoCs)
Processes (description | pid | process | target process):
PID 2388 wrote to memory of 2476 | 2388 | 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe | C8CB.tmp (recorded 5 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe"
   PID: 2388
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\C8CB.tmp (child of PID 2388)
      Command line: "C:\ProgramData\C8CB.tmp"
      PID: 2476
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x154
   PID: 2240
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 56cf8f1d2bbeee57a057371fa2a8561d
SHA1: 2836d9617b0239ba8db764e5b08ab65cd075a74b
SHA256: 71c1d42b449622981ce9a109ab9e058c287c7cf84989b2b8ce2edfbc8007aa57
SHA512: 21f21fb9a8bf7ccfcb9044110d04e71a14c061f126e27866cd655db8fc8551fd016849bd3c51d6ecccae0abd3786d54164d5f9d1c66f7eddedde5863e42e9905

Path: C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 159KB
MD5: 2dec7dfd9ab776efa8eb6adb148df74a
SHA1: 604ae7fd81a06702aaa4d46b19c815693a30881d
SHA256: 5254fbb609af60324de5ad82b65eb215c8e4162d38328ad8394728daf42a7f29
SHA512: 3d4c01fe310dfcabea7d0d78606d15f4e9af48ee1fb6fd03a8e27ec95fde55bc46c8895efabddc52e67397781b0402a398c7998ced0505be5c811e5fcfb1a2dc

Filesize: 10KB
MD5: 7e9785b165e78a0f71fef2a46f73ff99
SHA1: d16b20dc99609d54e69acb9989db86079e6548ed
SHA256: 22f6af4cec12fb147803ad0a69df186defdd560a1e19c76ad17fbe93a08064fa
SHA512: 00bde216b7183ad32cbbb106fd67d4548fdab676276287111d8514ba85054719f23f8934b36dd1197fc0797f3db1f5c6486cbb140227ea2f4d002e7ad4a77d2f

Filesize: 129B
MD5: ea2355e8d604c3920ccfda7565495a4f
SHA1: ee283286d675394f8a9be8baa621914ed30fec73
SHA256: d961ab19eea480a32f71ee79de4932cdf5f866935343f35b9b3d70f18ced46ea
SHA512: eb03a9661fed4560a20e6e814a315e95e4b389c3aead91880b0b777d268adbb5c9dcabc00c73566969f8a34f37a138f49a43fe1ca28fff27d2c85e7ad00b5b01

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf