Malware Analysis Report

2024-11-15 07:21

Sample ID: 240314-et5mraab8y
Target: 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e
SHA256: 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e
Tags: lockbit ransomware spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e

Threat Level: Known bad

The file 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (562) files with added filename extension

Renames multiple (287) files with added filename extension

Loads dropped DLL

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:14

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:14

Reported

2024-03-14 04:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (287) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A6DA.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A6DA.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
(14 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
(49 further entries repeat SeDebugPrivilege, SeBackupPrivilege and SeSecurityPrivilege for the same process)

Processes

C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe

"C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe"

C:\ProgramData\A6DA.tmp

"C:\ProgramData\A6DA.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A6DA.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

MD5 c83332c873a925bf586fd9da225133ce
SHA1 d70f899846987838065536781df7bf4c45484755
SHA256 51139af27402fd65875e10124d42a563bfcaff825ad65463c41265bef7e852c1
SHA512 841305651125f6c4034b84ab0044e2e592cf249aa16404adecbf0884b3fb898e94ac4852088e77985a74a7d09ba4527957a56f845486cff88356e58143b0d740

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

MD5 d0909468a8e58aea1cbe416454f78799
SHA1 fed37ef5919c07e15b8e2f8db9aed660b9e29ab9
SHA256 1486984845762c9e9a632afdcb9320422d787e433277fc52a424631884c59cac
SHA512 cb446abc88f1ba8e258f1742cf9e22395ad62c6cc4f35559a9a51c4a478eec61e45dd3becffca7364a66d001d4b033c8df2f3402968f0c9885dd53fa390e5067

C:\zvV4dTvWn.README.txt

MD5 b8223aa3012ad039db36737213646a16
SHA1 780337e8fccbc6196e7d360cee27fe8e2bdf382e
SHA256 a09e199dc134de29320ca5b10d3a881b991aeabf993e6c160fba6c701ee0e66d
SHA512 81b9e12355b1eaaa0b6a338d9f9f0893d62262df344148509b8f4397dc4a3de89911e70f179f422546392fed03073d6368fbeec38fb61792402960c9a74d62ae

\ProgramData\A6DA.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

MD5 b60c003acbed44a94c4add41b075386b
SHA1 b9589e526e4ee99c739999c1ad6735b6f6f27494
SHA256 d8dac11f8f11de56ef86c54144af0387d9772bdb22dba9538106ae9283b4c857
SHA512 4d36a8b17d7f5fed641fefddbee89ccd2c255f013bd23d8a0747e3262d397aca7449e9022c322daa98e7f65acb4262a0e267eb59b8b7bc090087935ee9914550

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:14

Reported

2024-03-14 04:17

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (562) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\ProgramData\66C9.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\66C9.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\66C9.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PPyfoc325g4h47eh9sclvqrbi_.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP_v2iw89x9q0iz88rt4_ikku5c.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP3ifgak51dv33sknjjlwykmto.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe | N/A
(64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe C:\Windows\splwow64.exe
PID 3184 wrote to memory of 1432 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1008 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe C:\ProgramData\66C9.tmp
PID 4948 wrote to memory of 3216 N/A C:\ProgramData\66C9.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe

"C:\Users\Admin\AppData\Local\Temp\7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{744DDACA-614D-47F4-8413-0E1539BCFF1D}.xps" 133548633075070000

C:\ProgramData\66C9.tmp

"C:\ProgramData\66C9.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\66C9.tmp >> NUL

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\BBBBBBBBBBB

MD5 97dbf3d651e7b08f8daffa1bd1e64a4b
SHA1 1b68029275d70554345ad4ecfde5614fe44da3ef
SHA256 a66a260b7e250430b6d127c333be9fea30ed6c87b2873c21d037d84196861008
SHA512 7d35a7688cc80e8a0287e4f0c82713e72159501f439096d7cf3e4cdc15411aac080e353bf7c6bd7f9e36a9b06c2340af692714eb09bfacfffd9ebbe18ea6e89e

F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\DDDDDDDDDDD

MD5 5e9472c4fb0a14b996f77e72a88ce04f
SHA1 0be20e8a7c422651347bff3d519ac3068eb57b2d
SHA256 e4b3fe0434750ad8d5d1daddc164cebf8d200e8d9de21c2ced67baba6b4243f0
SHA512 a64eefa6c859e515e115ed276ee966988854e2e9d56228122e195ebdd6d513fb04e1a51b7f1da40386147877bdcef8b3b8615ddc6a92a75eb8f82f2323bc024d

C:\zvV4dTvWn.README.txt

MD5 bf7ae8f47d8fa0ac5dcadc18c81e5a04
SHA1 4be4e42d3f6bd15e4b7fc11d8b54a6a1839d37be
SHA256 522d831a26affafa89499382925defcfc377e24a4c1904b30bae4ed73d3d85ff
SHA512 9ff0f8236251b81c335e61e2e8ede40a0cbeaa36afdb46b040daeb85c548d0db87b46a7fabf3bfe7e04bd2dec9d09fb2847a94a4b9b908612f4f4a9a3ff6269a

C:\ProgramData\66C9.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 be025835be60bbb8e8eeea6a0cfe33fb
SHA1 98c76c626c38b88f51fabd859140980e2ae999fa
SHA256 7547bb7d966e9c07faefd07d04fbda1524d18fb202ee1b8c8b597cd9651ba030
SHA512 755d300c13c8e73333b815cbae99a7bed797eb1b8310451e13a494c46347155c9b8702b5391a00ba04e8ed68dcbc598ba64234e45ef85d4de76c718880a43e74

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 bf13d87846cbc3655f9d2915244a53f7
SHA1 cc6494ef21439fe2a9db5bf02a24c7898df2e071
SHA256 4c1a1c706c208c694dcfbd7415a45d80e2a92ff8fdbf6a1b0a855eb2d3486359
SHA512 ddd5ee5ca45dca7bb1e964bad95fc536f31deadf16101ff9f36e28330c8ba96892f5a236b256ea9f7e4b4542158d6acf1018e16eb397c11176c509bca35f81ad

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 acc13c7c189a347ee411510944595b7b
SHA1 1df59c80314cf657900da57e4e0b014860b54fbc
SHA256 032b49ad52964537618c0fc67a9c64ebdf88e5ea2c067a1dc1c5f715a14c9f32
SHA512 66c0de8f91abd03683d9ed2569b7d4a09a1f4312bf38318c0f0c182885db2c7ef96894bd317535e7b9b6800efd29e94f2d772b4b801a0f4e93b49dfee6f371cd
