Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
14-03-2024 04:12
Behavioral task
behavioral1
Sample
5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe
Resource
win10v2004-20240226-en
General
-
Target
5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe
-
Size
153KB
-
MD5
09e4979c4d8cf79b25aa82cb86d22f33
-
SHA1
4a30c87ecadf6e16c69128936f99492ca6f127fa
-
SHA256
5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1
-
SHA512
e49e8439b04851758bac17bf42e31e9f5721709c5e55e03c220a904dfb3682500ac5c5bddcdf07f4c97a81aeff0694916917df1a712273082b4eb5e477195a8d
-
SSDEEP
3072:YqJogYkcSNm9V7DUWPoZuUlupZegieqMVT:Yq2kc4m9tDvhUl4Tq
Malware Config
Extracted
C:\HoBZnAfiW.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (563) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 7669.tmp |
-
Deletes itself 1 IoCs
Processes:
| pid | process |
|---|---|
| 4036 | 7669.tmp |
-
Executes dropped EXE 1 IoCs
Processes:
| pid | process |
|---|---|
| 4036 | 7669.tmp |
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
-
Drops file in System32 directory 4 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\system32\spool\PRINTERS\PP3t_kt6_wajh8x1c_orlw2516b.TMP | printfilterpipelinesvc.exe |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe |
| File created | C:\Windows\system32\spool\PRINTERS\PPm40y70yg9frt4yrhktc_ogvlb.TMP | printfilterpipelinesvc.exe |
| File created | C:\Windows\system32\spool\PRINTERS\PP2t1a0f9hkt40ofdyt69om839.TMP | printfilterpipelinesvc.exe |
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
| pid | process |
|---|---|
| 4036 | 7669.tmp |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE |
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE |
-
Modifies Control Panel 2 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "10" | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
-
Modifies registry class 5 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
| pid | process |
|---|---|
| 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
(the report lists this identical row 64 times, one per IoC)
-
Suspicious behavior: RenamesItself 26 IoCs
Processes:
| pid | process |
|---|---|
| 4036 | 7669.tmp |
(the report lists this identical row 26 times, one per IoC)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
| description | pid | process |
|---|---|---|
| Token: SeAssignPrimaryTokenPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeBackupPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeDebugPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: 36 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeImpersonatePrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeIncBasePriorityPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeIncreaseQuotaPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: 33 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeManageVolumePrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeProfSingleProcessPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeRestorePrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeSecurityPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeSystemProfilePrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeTakeOwnershipPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeShutdownPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
| Token: SeDebugPrivilege | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe |
(rows 17 to 64 of the report repeat the cycle Token: SeBackupPrivilege, Token: SeBackupPrivilege, Token: SeSecurityPrivilege, Token: SeSecurityPrivilege twelve times, all with pid 4372 and the same process)
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
| pid | process |
|---|---|
| 2684 | ONENOTE.EXE |
(the report lists this identical row 13 times, one per IoC)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 4372 wrote to memory of 868 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | splwow64.exe |
| PID 4372 wrote to memory of 868 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | splwow64.exe |
| PID 5040 wrote to memory of 2684 | 5040 | printfilterpipelinesvc.exe | ONENOTE.EXE |
| PID 5040 wrote to memory of 2684 | 5040 | printfilterpipelinesvc.exe | ONENOTE.EXE |
| PID 4372 wrote to memory of 4036 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | 7669.tmp |
| PID 4372 wrote to memory of 4036 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | 7669.tmp |
| PID 4372 wrote to memory of 4036 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | 7669.tmp |
| PID 4372 wrote to memory of 4036 | 4372 | 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | 7669.tmp |
| PID 4036 wrote to memory of 5116 | 4036 | 7669.tmp | cmd.exe |
| PID 4036 wrote to memory of 5116 | 4036 | 7669.tmp | cmd.exe |
| PID 4036 wrote to memory of 5116 | 4036 | 7669.tmp | cmd.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe"
  Depth: 1
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4372

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    Depth: 2
    - Drops file in System32 directory
    PID: 868

  C:\ProgramData\7669.tmp
    Command line: "C:\ProgramData\7669.tmp"
    Depth: 2
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 4036

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7669.tmp >> NUL
      Depth: 3
      PID: 5116

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  Depth: 1
  PID: 1464

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Depth: 1
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 5040

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B64EEF50-24D5-4DA1-8677-137170600975}.xps" 133548631867480000
    Depth: 2
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID: 2684
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5
917f5c5e92d7126138230a0c057bd5d5
SHA1
b67bca51a6d6eb54cfe1485a9e40004be3f1c3c8
SHA256
4de8b55caf83a23955b1bf5442b25163ef3dac27c75ea1ee6f22a4aaced253b0
SHA512
bdef7f21c027bab20548ffbafe826c3700617ad5d0f81e09e1a1a247e61776933ac22863682423fb55c42ee1f0fc075c5676a406b474f1ba05a4691dfd680c27
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
14KB
MD5
294e9f64cb1642dd89229fff0592856b
SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
153KB
MD5
61511c767ee5714ca7df733c7582a8e5
SHA1
c4f8b8c471dd9487fcac725e5f1e0ab41d98e775
SHA256
db9f1b783e36cb729c8fa0e92453a75bef05de836508b21c2621f9d516285c46
SHA512
795062965b1fe9e861fb59b2d46994a1057350ee45e851a21f5860445fc01896c59002eb85b11c66f499af647105cd53148806d6accbba7c9576bb5b399d56cb
-
Filesize
4KB
MD5
836761de6b41e504f56710d6b5309822
SHA1
2e0a039d58c567d57ad635a85d5181067e6dd395
SHA256
992eb40073a6d711d730be15dee90c217f31ab00cdacd1038040e6f2b0547549
SHA512
29c438200bd70ffcffcf2e682ade30472d86f86598869ccccb6d28110cbeba129f68e06875d385a90db555e5c446f0ff807ba0f5627d2e6e34438ba8365f22f6
-
Filesize
4KB
MD5
42912106bc35bcdfef19334939cf61ad
SHA1
c57c89b73f4a23108c10fa17a54a95509c41a5d8
SHA256
42b129de5e20d01a5b5e29923116f2a8398bc212057d137653af3e410d22cefd
SHA512
d5dc95e789d91465620ffa4d13b7c359822f2388d03a7f8b077292e01377c76d0d2aeb4b4f34892b837623500b102019c39bba8e34223c9475b90b07531072f4
-
Filesize
129B
MD5
95d88dddfdb1dab303184e8b22a78b69
SHA1
a6681bd4420bb0ee58831578e34eb620df24132d
SHA256
dc214377db02a8858f5f5e1d7844dd37a647f4dc57af38694d5fc1f3e2f268e4
SHA512
b145ca24c09e830a21bdc7ae620c28b1785106812529470a643cea433c512a612b477eb140f26a63f3f0e2a5a8b1b95c3cf75aa32edb0f258a9cb7dbc6b19d88