Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 04:12
Behavioral task behavioral1
- Sample: 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Resource: win10v2004-20240226-en
General
- Target: 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Size: 145KB
- MD5: 5ff46c6ec36501f106aa7373832bf69c
- SHA1: fc923fb8bb0fa7d52aa4b3421ea910d9d12a2809
- SHA256: 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816
- SHA512: 9a1bd9624f02ab9caaf94381758ca809a73cc1deebe9ba55fb59fd71c003c72f81ee5339e92c673eb1c5f348ec5363f2ca5782391a8123c9b09a3f563f6c31fa
- SSDEEP: 3072:8qJogYkcSNm9V7DXWw+X1gDW1YfJVKhFT:8q2kc4m9tDmbCDWqQ
Malware Config
- Extracted: C:\sNLnicEVl.README.txt
- Family: lockbit
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Renames multiple (348) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Processes (pid | process):
  - 3036 | 2EAE.tmp
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 3036 | 2EAE.tmp
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 2268 | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - File opened for modification | C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sNLnicEVl.bmp" | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sNLnicEVl.bmp" | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
  - 3036 | 2EAE.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "10" | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Modifies registry class (5 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl\ = "sNLnicEVl" | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sNLnicEVl\DefaultIcon\ = "C:\\ProgramData\\sNLnicEVl.ico" | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sNLnicEVl | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process), 14 identical entries:
  - 2268 | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes (pid | process), 26 identical entries:
  - 3036 | 2EAE.tmp
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process); every entry is pid 2268, process 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe, so only the description column is listed, in the order reported:
  - Token: SeAssignPrimaryTokenPrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
  - Token: 36
  - Token: SeImpersonatePrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: 33
  - Token: SeManageVolumePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeRestorePrivilege
  - Token: SeSecurityPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Entries 17 to 64 (48 entries) are 12 repetitions of the four-entry sequence: Token: SeBackupPrivilege, Token: SeBackupPrivilege, Token: SeSecurityPrivilege, Token: SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  - PID 2268 wrote to memory of 3036 | 2268 | 5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe | 2EAE.tmp (5 identical entries)
  - PID 3036 wrote to memory of 1652 | 3036 | 2EAE.tmp | cmd.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5735ea71ae9c58fe79c5049056421cf68600d6afdac1c441ae02291637779816.exe"
  PID: 2268
  Signatures:
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\2EAE.tmp
    Command line: "C:\ProgramData\2EAE.tmp"
    PID: 3036
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2EAE.tmp >> NUL
      PID: 1652
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 2280
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path reported)
  Filesize: 129B
  MD5: 1527e602c83cfc6570f4de16035051dd
  SHA1: 60d8e37aed7e6fdd1be1d5b83c863d6e7e75992d
  SHA256: 72ab9e6503e26f788c3beabb35f2384cbdf511ba9bec8961963c3b7d85bb122a
  SHA512: 43ceb96d968974f051ed39d3d8998695fbf8c6f9f8ab65ff51fef14f220f8623a89a4509fafd27aaa8dc96adbe0e3a3b90cd27f57d57f6ee5c6008aa391a6dbb
- C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Filesize: 145KB
  MD5: 2d2d9cd0b622414a449c37ad22414283
  SHA1: b83f2945f57908e4703719247e72700fe59870a1
  SHA256: b30210759a4fe4cc438f2ba29250ff1a034f0845857fc6664ed45020da848a87
  SHA512: c77efb551b64294c54fccec5a5adc8c63b38cd4da8066e35905281ec45bafef51e353c15d2c0103907da2f6e19079e5c68a092bb41c9ed71fe146ce10a619340
- (no path reported)
  Filesize: 233B
  MD5: 885e5b5a0b7100068d7359be5025b479
  SHA1: 413e60216fd28e306c8ac910f7d317a88f3ea9e3
  SHA256: 3f8a1cf73e0f9fae26c30e80ff47c409799b697685cf31688e17e9f77e8e8ade
  SHA512: 804a5949d5d0cde73fb4c667b34cc14266a3dee9691277201f3bfdab99bfe1f8445ff64db8f5f2410528f4f9b96a5f069f90aaede998aa97489ea364f32e9b26
- (no path reported)
  Filesize: 129B
  MD5: 82a7e38d1fa28b7660f639ea0daea8fc
  SHA1: f101dedd4b8e78b3e2fb2125b7755e37de229f83
  SHA256: 6a7a4a27dfa45dac5c79655a20f7df11d227557de01e73716b18d2bc8bd01485
  SHA512: 8db9a70ac00f23da5622499d73e44b9bc16ea161b0a301bb586e8103f0c8d81543dd0ae356c21fae2d72f213d3f1033ed5952f29bd38e4446360f78b22178d38
- (no path reported)
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf