Malware Analysis Report

2024-11-15 07:21

Sample ID: 240314-eszp4sab6v
Target: 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1
SHA256: 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1
Tags: lockbit ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1

Threat Level: Known bad

The file 5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Lockbit family

Renames multiple (354) files with added filename extension

Renames multiple (563) files with added filename extension

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 04:12

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 04:12
Reported: 2024-03-14 04:15
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (354) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\43E3.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\43E3.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\43E3.tmp | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A   (this row is reported 14 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A   (24 further identical rows)
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A   (24 further identical rows)
The two rows above are reported in alternating pairs (SeBackupPrivilege twice, then SeSecurityPrivilege twice), repeated 12 times.

Processes

C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe
    "C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe"

C:\ProgramData\43E3.tmp
    "C:\ProgramData\43E3.tmp"

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\43E3.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2176-0-0x00000000022A0000-0x00000000022E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 99b9ebde1d7ad9d98ed6589e327e72d6
SHA1 81f660133cde6b010a1d303a9aa6a7daf9f44702
SHA256 7aa8b5ba1399cfc1f0b52aedc04b45f9287f78e948397d8f8ea05764e6edc83a
SHA512 13c0d7084e27a6ce5beb98468f9e269d2a9e7b0caf2eb8dee8287300e527d0abe60b0691d4810af8330c71cf7a636e840cd0f83d291804ff60ced1b6d9a7f8cb

C:\HoBZnAfiW.README.txt

MD5 7e55d277320adb577303a24a526cab00
SHA1 139e66f4ae6284b61faeaefa67d614f5fc8afe70
SHA256 d3ae1147fc107ee20b59042c1e79103ea148132c0709e3428f4257201754c686
SHA512 c327b84f28f6e8e12875e18edbeeea423821ec4a28aa2455c41650b60c598cdf52b6f3526c1ca47075b9cc81ee14ead84f7704e4e2426a9c0c9b2d89f50be388

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\EEEEEEEEEEE

MD5 b296b700e7b1a20870630bcc4e384ef9
SHA1 134ff402da61aa9ed234b96c1001f46d31f1453d
SHA256 3077a669b1fb523a92e732c754ecdde573156b55cc697d124a29b6ae5801f755
SHA512 078e29d0df8fc4fea3fec7c888cbda88ebbd7ec5738e924290a9c814c911a52fd7904cee3254a39ee58db7afaa63c5263e4382b6b16d5fd4c3318549b60c1207

\ProgramData\43E3.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2424-880-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2424-881-0x00000000004D0000-0x0000000000510000-memory.dmp

memory/2424-883-0x00000000004D0000-0x0000000000510000-memory.dmp

memory/2424-886-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2424-887-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 b79992424b470e82e9410f61d262dc6f
SHA1 97ad7510822eaea506306f9023d7284b3492ac1d
SHA256 6758c8d23428eaf418fae921c44aa3f09701c78f8ab5483f0d3d0ca470a1dfb5
SHA512 2d0bac5646b574f87d288d84c7d6deeda2a07c9b04861c8f9a5cb4e7e6b4be4410128b954899be791fa265b1a8fd792d6fe2c09b8d3411d67f85ceb73cabba41

memory/2424-914-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2424-913-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 04:12
Reported: 2024-03-14 04:15
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (563) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\ProgramData\7669.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\7669.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\7669.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PP3t_kt6_wajh8x1c_orlw2516b.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPm40y70yg9frt4yrhktc_ogvlb.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP2t1a0f9hkt40ofdyt69om839.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\7669.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A   (this row is reported 64 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe | N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\Windows\splwow64.exe
PID 4372 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\Windows\splwow64.exe
PID 5040 wrote to memory of 2684 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 5040 wrote to memory of 2684 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4372 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\ProgramData\7669.tmp
PID 4372 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\ProgramData\7669.tmp
PID 4372 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\ProgramData\7669.tmp
PID 4372 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe C:\ProgramData\7669.tmp
PID 4036 wrote to memory of 5116 N/A C:\ProgramData\7669.tmp C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 5116 N/A C:\ProgramData\7669.tmp C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 5116 N/A C:\ProgramData\7669.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe

"C:\Users\Admin\AppData\Local\Temp\5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B64EEF50-24D5-4DA1-8677-137170600975}.xps" 133548631867480000

C:\ProgramData\7669.tmp

"C:\ProgramData\7669.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7669.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4372-0-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/4372-1-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/4372-2-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\GGGGGGGGGGG

MD5 917f5c5e92d7126138230a0c057bd5d5
SHA1 b67bca51a6d6eb54cfe1485a9e40004be3f1c3c8
SHA256 4de8b55caf83a23955b1bf5442b25163ef3dac27c75ea1ee6f22a4aaced253b0
SHA512 bdef7f21c027bab20548ffbafe826c3700617ad5d0f81e09e1a1a247e61776933ac22863682423fb55c42ee1f0fc075c5676a406b474f1ba05a4691dfd680c27

C:\HoBZnAfiW.README.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\DDDDDDDDDDD

MD5 95d88dddfdb1dab303184e8b22a78b69
SHA1 a6681bd4420bb0ee58831578e34eb620df24132d
SHA256 dc214377db02a8858f5f5e1d7844dd37a647f4dc57af38694d5fc1f3e2f268e4
SHA512 b145ca24c09e830a21bdc7ae620c28b1785106812529470a643cea433c512a612b477eb140f26a63f3f0e2a5a8b1b95c3cf75aa32edb0f258a9cb7dbc6b19d88

C:\ProgramData\7669.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2684-2733-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

memory/4036-2739-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 61511c767ee5714ca7df733c7582a8e5
SHA1 c4f8b8c471dd9487fcac725e5f1e0ab41d98e775
SHA256 db9f1b783e36cb729c8fa0e92453a75bef05de836508b21c2621f9d516285c46
SHA512 795062965b1fe9e861fb59b2d46994a1057350ee45e851a21f5860445fc01896c59002eb85b11c66f499af647105cd53148806d6accbba7c9576bb5b399d56cb


C:\Users\Admin\AppData\Local\Temp\{2FEC9423-B4ED-41EE-8058-A0BDA5448497}

MD5 836761de6b41e504f56710d6b5309822
SHA1 2e0a039d58c567d57ad635a85d5181067e6dd395
SHA256 992eb40073a6d711d730be15dee90c217f31ab00cdacd1038040e6f2b0547549
SHA512 29c438200bd70ffcffcf2e682ade30472d86f86598869ccccb6d28110cbeba129f68e06875d385a90db555e5c446f0ff807ba0f5627d2e6e34438ba8365f22f6

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 42912106bc35bcdfef19334939cf61ad
SHA1 c57c89b73f4a23108c10fa17a54a95509c41a5d8
SHA256 42b129de5e20d01a5b5e29923116f2a8398bc212057d137653af3e410d22cefd
SHA512 d5dc95e789d91465620ffa4d13b7c359822f2388d03a7f8b077292e01377c76d0d2aeb4b4f34892b837623500b102019c39bba8e34223c9475b90b07531072f4
