Analysis
Max time kernel: 145s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 14-03-2024 04:21
Behavioral tasks
behavioral1: bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe on win7-20240221-en
behavioral2: bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe on win10v2004-20240226-en
General
Target: bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe
Size: 163KB
MD5: 717f366b354d1eef8022ad7edbffd387
SHA1: 882420c79f4d8b8a0aa9f747a3cfc6caf224d9ca
SHA256: bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0
SHA512: bdf36c2a5030fc331cb84c922dbef0a264acc937b24283e4573a6e5c15cfce4d484b5cc25a629ffda63b68d99a6c903d4ef2ca47944e44daa66616a14ae56ce1
SSDEEP: 3072:D5uyulsHwDV1gFnTwn7zwJGJ+Bt5kCI5Gzei3N2VzRmK:D5uZ1DPgFnk7EJwsI5gDN2VVm
Malware Config
Extracted
Path: C:\Users\HLJkNskOq.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
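The extracted config above lists every contact URL from the ransom note, and each Tor address appears twice: once as a .onion and once with a clearnet gateway suffix (.onion.ly). The Python below is an added example, not part of the sandbox report and not LockBit's or Triage's code. It pulls v3 onion addresses out of note text, verifies them structurally (56 base32 characters decode to pubkey || checksum || version, where version must be 3 and checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]), folds gateway mirrors onto the Tor address, and emits one blocklist covering both. The note text is constructed for the example; only the URLs are taken from the config above, and the function names are my own.

```python
"""Extract and structurally verify Tor v3 onion addresses from ransom-note text.
Added example; the note is constructed, the URLs come from the extracted config."""
import base64
import hashlib
import re

# 56 base32 chars + ".onion", optionally followed by a clearnet gateway suffix
# such as ".ly"; the suffix is captured separately so mirrors fold onto the Tor address.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion((?:\.[a-z]{2,})?)\b", re.IGNORECASE)

# Constructed note text; only the URLs are taken from the sandbox's extracted config.
SAMPLE_NOTE = """Constructed note body for this example.
Tor addresses:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
Gateway mirrors of the same services:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
Support:
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
https://twitter.com/hashtag/lockbit?f=live
https://gdpr.eu/what-is-gdpr/
"""


def decode_onion_v3(addr):
    """Split the 35 decoded bytes into pubkey(32) || checksum(2) || version(1) and
    recompute checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
    (Tor rend-spec-v3). A mistyped or invented address fails this check."""
    raw = base64.b32decode(addr.upper())  # 56 chars = 280 bits = 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey.hex(), "version": version, "checksum_ok": checksum == expected}


def extract_onion_services(text):
    """Return {address: {pubkey, version, checksum_ok, gateways}} with gateway
    mirrors (.onion.ly and the like) collapsed onto the underlying Tor address."""
    services = {}
    for m in ONION_V3_RE.finditer(text):
        addr, suffix = m.group(1).lower(), m.group(2).lower()
        if addr not in services:
            services[addr] = dict(decode_onion_v3(addr), gateways=set())
        if suffix:
            services[addr]["gateways"].add("onion" + suffix)
    return services


def blocklist(services):
    """Domains to block or alert on: the .onion for Tor egress monitoring plus every
    clearnet gateway seen, since the gateway names resolve on the public internet."""
    out = []
    for addr, info in sorted(services.items()):
        out.append(addr + ".onion")
        out.extend(addr + "." + gw for gw in sorted(info["gateways"]))
    return out


if __name__ == "__main__":
    found = extract_onion_services(SAMPLE_NOTE)
    for addr, info in found.items():
        print(addr, "v%d" % info["version"], "checksum_ok=%s" % info["checksum_ok"],
              sorted(info["gateways"]))
    print("\n".join(blocklist(found)))
```

The checksum test matters when triaging notes by hand: a single transcription error in a 56-character address produces a domain that never existed, and the gateway mirrors are the only part of the list that ordinary DNS logging will ever see.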
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Rule to detect Lockbit 3.0 ransomware Windows payload (2 IoCs)
  yara_rule family_lockbit: behavioral1/memory/2856-0-0x0000000000400000-0x000000000042D000-memory.dmp
  yara_rule family_lockbit: behavioral1/memory/2856-311-0x0000000000400000-0x000000000042D000-memory.dmp

Deletes itself (1 IoC)
  PID 1532 7790.tmp

Executes dropped EXE (1 IoC)
  PID 1532 7790.tmp

Loads dropped DLL (1 IoC)
  PID 2856 bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe

Drops desktop.ini file(s) (2 IoCs)
  Process bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe:
    File opened for modification: C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini
    File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Process bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe:
    Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HLJkNskOq.bmp"
    Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HLJkNskOq.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  PID 2856 bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe (6 events)
  PID 1532 7790.tmp (6 events)

Modifies Control Panel (2 IoCs)
  Process bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe:
    Key created: \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop
    Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "10"

Modifies registry class (5 IoCs)
  Process bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq\ = "HLJkNskOq"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\HLJkNskOq\DefaultIcon\ = "C:\\ProgramData\\HLJkNskOq.ico"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.HLJkNskOq

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2856 bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe (14 events)

Suspicious behavior: RenamesItself (26 IoCs)
  PID 1532 7790.tmp (26 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2856 bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe, first 16 events, in order:
    SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
    (36 and 33 are shown numerically in the report)
  PID 2856, remaining 48 events: the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 12 times

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2856 bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe wrote to memory of PID 1532 7790.tmp (5 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe"
   PID: 2856
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\ProgramData\7790.tmp (child of PID 2856)
   Command line: "C:\ProgramData\7790.tmp"
   PID: 1532
   - Deletes itself
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: RenamesItself
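The registry, file and process signatures above share one correlation key: the random extension HLJkNskOq appears in the Classes\.HLJkNskOq registration, in the DefaultIcon path C:\ProgramData\HLJkNskOq.ico, in the wallpaper C:\ProgramData\HLJkNskOq.bmp and in the note name HLJkNskOq.README.txt, while the second stage runs from C:\ProgramData\7790.tmp and is written to by the parent. The Python below is an added detection example, not part of the report and not any vendor's rule: it classifies host events into those artefact classes, correlates them on the shared token, and alerts only when two or more classes agree, so an installer that legitimately registers a file type does not fire. The event schema (Event tuple, kind names) is an assumption, and the events are constructed from the IoCs above plus two benign ones that must stay quiet.

```python
"""Correlate LockBit-style host artefacts on the shared random token.
Added example; the Event schema is assumed and the events are constructed."""
import re
from collections import defaultdict, namedtuple

# Assumed minimal event model: kind is one of reg_set / file_create / proc_create;
# target is the registry key or file path, data is the value written or the command line.
Event = namedtuple("Event", "pid ppid image kind target data")

LOCKBIT = r"C:\Users\Admin\AppData\Local\Temp\bcbdc1bd464ba817632f46bcb5c09a2012da859487c61bd4dc51bceae54512c0.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000"
HKLM_CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"

# Constructed events: the first six mirror the report's IoCs, the last three are benign.
SAMPLE_EVENTS = [
    Event(2856, 1000, LOCKBIT, "reg_set", HKLM_CLASSES + "\\.HLJkNskOq\\", "HLJkNskOq"),
    Event(2856, 1000, LOCKBIT, "reg_set", HKLM_CLASSES + "\\HLJkNskOq\\DefaultIcon\\", r"C:\ProgramData\HLJkNskOq.ico"),
    Event(2856, 1000, LOCKBIT, "reg_set", HKU + r"\Control Panel\Desktop\WallPaper", r"C:\ProgramData\HLJkNskOq.bmp"),
    Event(2856, 1000, LOCKBIT, "reg_set", HKU + r"\Control Panel\Desktop\WallpaperStyle", "10"),
    Event(2856, 1000, LOCKBIT, "file_create", r"C:\Users\HLJkNskOq.README.txt", ""),
    Event(1532, 2856, r"C:\ProgramData\7790.tmp", "proc_create", "", r'"C:\ProgramData\7790.tmp"'),
    # benign: an installer registering its own file type, and a user changing wallpaper
    Event(4000, 900, r"C:\Program Files\Foo\setup.exe", "reg_set", HKLM_CLASSES + "\\.fooproj\\", "FooProject"),
    Event(4000, 900, r"C:\Program Files\Foo\setup.exe", "reg_set", HKLM_CLASSES + "\\FooProject\\DefaultIcon\\", r"C:\Program Files\Foo\foo.ico"),
    Event(1200, 800, r"C:\Windows\explorer.exe", "reg_set", HKU + r"\Control Panel\Desktop\Wallpaper", r"C:\Users\Admin\Pictures\beach.jpg"),
]

EXT_KEY = re.compile(r"\\Classes\\\.([A-Za-z0-9]{6,})\\?$")          # Classes\.<ext>\
ICON_KEY = re.compile(r"\\Classes\\[^\\]+\\DefaultIcon\\?$")          # Classes\<progid>\DefaultIcon\
ICON_DATA = re.compile(r"^C:\\ProgramData\\([A-Za-z0-9]+)\.ico$", re.I)
WALLPAPER_DATA = re.compile(r"^C:\\ProgramData\\([A-Za-z0-9]+)\.bmp$", re.I)
NOTE_PATH = re.compile(r"\\([A-Za-z0-9]+)\.README\.txt$")
TMP_IMAGE = re.compile(r"^C:\\ProgramData\\[^\\]+\.tmp$", re.I)


def classify(ev):
    """Map one event to (correlation token, artefact class); (None, None) if uninteresting.
    The token is the random string that LockBit reuses across all of its artefacts."""
    if ev.kind == "reg_set":
        m = EXT_KEY.search(ev.target)
        if m:
            return m.group(1), "ext_registration"
        if ICON_KEY.search(ev.target):
            m = ICON_DATA.match(ev.data)
            if m:
                return m.group(1), "icon_in_programdata"
        if ev.target.lower().endswith("\\control panel\\desktop\\wallpaper"):
            m = WALLPAPER_DATA.match(ev.data)
            if m:
                return m.group(1), "wallpaper_in_programdata"
    elif ev.kind == "file_create":
        m = NOTE_PATH.search(ev.target)
        if m:
            return m.group(1), "ransom_note"
    elif ev.kind == "proc_create" and TMP_IMAGE.match(ev.image):
        return None, "tmp_child"  # no token; attached to the parent PID below
    return None, None


def analyse(events):
    """Group artefacts by token and alert when at least two classes agree."""
    by_token = defaultdict(lambda: {"classes": set(), "pids": set()})
    tmp_children = []
    for ev in events:
        token, cls = classify(ev)
        if token is not None:
            by_token[token]["classes"].add(cls)
            by_token[token]["pids"].add(ev.pid)
        elif cls == "tmp_child":
            tmp_children.append((ev.ppid, ev.image))
    alerts = []
    for token, info in sorted(by_token.items()):
        if len(info["classes"]) < 2:
            continue  # a lone file-type registration (e.g. an installer) is not enough
        alerts.append({
            "token": token,
            "pids": sorted(info["pids"]),
            "classes": sorted(info["classes"]),
            "tmp_children": sorted(img for ppid, img in tmp_children if ppid in info["pids"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Requiring agreement between classes is what keeps the rule quiet on the installer: it registers an extension too, but its icon lives under Program Files and it writes no wallpaper and no note. The ProgramData .tmp child is reported as context for the alerting PID rather than as a trigger on its own.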
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: c478ed87163e5b9565ccbc09ba58dc4f
SHA1: 622b1827b16ba0a5cbdc752a70c258bf7bf66754
SHA256: bda261792fe6e3f4593655f2dfff4359f7363731f614d120613058dd23a3a693
SHA512: 9a95ca9f842f8000cb3778c24afcc895aff04a9e2052cfacbbed798d8ae62a3a531520627a33038671434cc88ee59c87d8bfce53f79ba3d74af96af05ce571ec

Path: C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Filesize: 163KB
MD5: 4b0593230668dc055b526f51001e6fbc
SHA1: 339b9c36419448c7021d2ba206ffe2df75bb99a0
SHA256: 81dcda73851bfd158b61c71f0ced045078d18e1e7ec98e7f1be38a31ae868fb3
SHA512: e861ffbbc54c4361beca5eca251cb1a5b78b793ce1e15446a6e203ae1c482ed09acaaab2f43d3e6561547921ad08b8eda9b772e349627057316f2fb89cfe6c05

Filesize: 10KB
MD5: 1b0987d2cabdd05c666982bb5be8b6d1
SHA1: 51883d8e00e9f455cef7d8a7ccfa2278c84083e1
SHA256: b0075c52f1d757fb3febdf3a2bd2a19ba5025b7a0182c469783bb7652c278f16
SHA512: d8b2b7a9e6f0857184fef2777d95598c76f9258fea276313ce3fbcdea653f95278930fc6978a0291d39c5fba5e4a600e88a3d72e807729966a27ea197fa9a8c3

Filesize: 129B
MD5: 63d70903aa399b9c199b9395e2aa8470
SHA1: d011f535d03ed101848c6431ed5b1f3cd422626f
SHA256: bd7f03c0faf530db4412e87e4275dd556c0ddd96b062bf3c8106475bc52281f4
SHA512: d68153ff920ababe9c4636f532af8484aba1122edecc5129ea972bfa6c05ac29196c65e6395e214fd644043a32f31676223bac4bd6ba2701fb0119412b734dd8

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf