Malware Analysis Report

2024-11-13 15:00

Sample ID 240314-esnmvacd79
Target 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0
SHA256 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0
Tags
lockbit ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0

Threat Level: Known bad

The file 571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:12

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:12

Reported

2024-03-14 04:14

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\C8CB.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\C8CB.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon\ = "C:\\ProgramData\\j2e0Pf6Ew.ico" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew\ = "j2e0Pf6Ew" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (22 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (25 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (2 identical rows)
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (25 identical rows)
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe

"C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe"

C:\ProgramData\C8CB.tmp

"C:\ProgramData\C8CB.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2388-0-0x00000000002A0000-0x00000000002E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini

MD5 56cf8f1d2bbeee57a057371fa2a8561d
SHA1 2836d9617b0239ba8db764e5b08ab65cd075a74b
SHA256 71c1d42b449622981ce9a109ab9e058c287c7cf84989b2b8ce2edfbc8007aa57
SHA512 21f21fb9a8bf7ccfcb9044110d04e71a14c061f126e27866cd655db8fc8551fd016849bd3c51d6ecccae0abd3786d54164d5f9d1c66f7eddedde5863e42e9905

C:\Users\j2e0Pf6Ew.README.txt

MD5 7e9785b165e78a0f71fef2a46f73ff99
SHA1 d16b20dc99609d54e69acb9989db86079e6548ed
SHA256 22f6af4cec12fb147803ad0a69df186defdd560a1e19c76ad17fbe93a08064fa
SHA512 00bde216b7183ad32cbbb106fd67d4548fdab676276287111d8514ba85054719f23f8934b36dd1197fc0797f3db1f5c6486cbb140227ea2f4d002e7ad4a77d2f

F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\EEEEEEEEEEE

MD5 ea2355e8d604c3920ccfda7565495a4f
SHA1 ee283286d675394f8a9be8baa621914ed30fec73
SHA256 d961ab19eea480a32f71ee79de4932cdf5f866935343f35b9b3d70f18ced46ea
SHA512 eb03a9661fed4560a20e6e814a315e95e4b389c3aead91880b0b777d268adbb5c9dcabc00c73566969f8a34f37a138f49a43fe1ca28fff27d2c85e7ad00b5b01

\ProgramData\C8CB.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2476-314-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2476-315-0x00000000020C0000-0x0000000002100000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 2dec7dfd9ab776efa8eb6adb148df74a
SHA1 604ae7fd81a06702aaa4d46b19c815693a30881d
SHA256 5254fbb609af60324de5ad82b65eb215c8e4162d38328ad8394728daf42a7f29
SHA512 3d4c01fe310dfcabea7d0d78606d15f4e9af48ee1fb6fd03a8e27ec95fde55bc46c8895efabddc52e67397781b0402a398c7998ced0505be5c811e5fcfb1a2dc

memory/2476-316-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2476-345-0x000000007EF20000-0x000000007EF21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:12

Reported

2024-03-14 04:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe"

Signatures

Lockbit

ransomware lockbit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\ProgramData\6255.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\6255.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\6255.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP1zg2dx73fehh99s4j_xsimj_c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPmjd932o6jj_4a0gkmuovlax6b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP0wz8gzw6pfg_5i828y_bvyh6.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\j2e0Pf6Ew.bmp" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.j2e0Pf6Ew\ = "j2e0Pf6Ew" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\j2e0Pf6Ew\DefaultIcon\ = "C:\\ProgramData\\j2e0Pf6Ew.ico" C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (12 identical rows)
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (25 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (2 identical rows)
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A (24 identical rows)
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\Windows\splwow64.exe
PID 960 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\Windows\splwow64.exe
PID 3836 wrote to memory of 1852 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 3836 wrote to memory of 1852 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 960 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\ProgramData\6255.tmp
PID 960 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\ProgramData\6255.tmp
PID 960 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\ProgramData\6255.tmp
PID 960 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe C:\ProgramData\6255.tmp
PID 3044 wrote to memory of 3796 N/A C:\ProgramData\6255.tmp C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3796 N/A C:\ProgramData\6255.tmp C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3796 N/A C:\ProgramData\6255.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe

"C:\Users\Admin\AppData\Local\Temp\571a0b0b517179ab2ef9a799cd66437fe07e2459d75b76f53307f5e13b1159b0.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{114A1DCB-48C1-44E7-AE61-82A589893601}.xps" 133548631497990000

C:\ProgramData\6255.tmp

"C:\ProgramData\6255.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6255.tmp >> NUL

Network

Country Destination Domain Proto
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/960-0-0x0000000000F50000-0x0000000000F60000-memory.dmp

memory/960-1-0x0000000000F50000-0x0000000000F60000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini

MD5 684ae669ae3d8313f326a1e9ae52f905
SHA1 39b93eeb8e6d0cf296c50e315282a4f87d2a4e74
SHA256 01aaa68e56baad55f3ede52af7603e58f95a24badbc6decc5a75443463552273
SHA512 32efc5eb36c0cd4ea8dc6eaf59cab153e85c5d8432d39c8a423bb1e45b253169452e52e78f903e58f32f92cdfcdd721d8af8c4b7e35a063732eb7659549a1e27

C:\Users\j2e0Pf6Ew.README.txt

MD5 6e192bc6d6de32b583aec32abed0c47e
SHA1 3d78bbfb8ec4e2c488b357e4b215d48ac1e57e30
SHA256 170f075961d219618501bbc4e839c7037dfcc227144fb182b70e0520b864d8af
SHA512 303c626affda7b224badf13407a29914a89cae990f08e12f21ddb7d31eb873f061901fa891b2e28aebf59020363e9af278f93040833df20e0cef3b35db2c5618

F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\DDDDDDDDDDD

MD5 b1d1c4ccbe9d1d45aa56cad4e1f50087
SHA1 b949e242910794f3b097ef171a55706b599e5bd0
SHA256 976d10af1d0fbd9fcf8382c55388f4715b80034ff118ecfa579523fc27caba41
SHA512 645a1b8f3b80217bad0cd2f6ad422346d3b1c3b56df04fa6b7802112a24c689994ccf335da5c4115c5cf6063484684737c6fa7ecfb6c4acfe0d4e194e7415e3a

memory/1852-290-0x00007FF8666D0000-0x00007FF8666E0000-memory.dmp

C:\ProgramData\6255.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1852-295-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-325-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ed4e63070f4b2861f6f135c41c557e04
SHA1 ef1a9c547e12a199b8adcc5e1cd87ca8b63b2805
SHA256 9958d54d83ba79b002b326ad747e013d071c06abfd8c31740513f958ddf854b2
SHA512 f17569ab3cc6d8c70b2b1a4fd79651be4291f92a4bbe0b61a9e99a2a55b134711ecc693c30549c720be98b766b9315a123bbf68f27ed46d2e4c859f98a11f91b

memory/1852-327-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-326-0x00007FF8666D0000-0x00007FF8666E0000-memory.dmp

memory/1852-297-0x00007FF8666D0000-0x00007FF8666E0000-memory.dmp

memory/1852-292-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-328-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-329-0x00007FF8666D0000-0x00007FF8666E0000-memory.dmp

memory/1852-330-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/3044-331-0x0000000002530000-0x0000000002540000-memory.dmp

memory/3044-333-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1852-332-0x00007FF8666D0000-0x00007FF8666E0000-memory.dmp

memory/3044-334-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/1852-335-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-336-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/3044-337-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1852-338-0x00007FF8641C0000-0x00007FF8641D0000-memory.dmp

memory/1852-340-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-339-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/1852-341-0x00007FF8641C0000-0x00007FF8641D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{3476C772-3D1D-4E28-958B-272B5271AD35}

MD5 78ceb46a9f61017a1eca0f496fc91013
SHA1 29d38155d306fbce244f2b387627ed39d5de7821
SHA256 870e9d382db25ddf34b9511b667f08896399087a56f4aad7ffeb2b588d14f2b4
SHA512 6f3bd36a0b75bf4893329fea00d8b563ddc0e91d9821750f5c974b4a67130ef56041f6df9fb8813f07c305ae0dcb69c85de019dde1760cbe4454aa33601dc169

memory/1852-362-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/3044-363-0x0000000002530000-0x0000000002540000-memory.dmp

memory/1852-365-0x00007FF8A6650000-0x00007FF8A6845000-memory.dmp

memory/3044-367-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/3044-368-0x000000007FE00000-0x000000007FE01000-memory.dmp