Analysis
max time kernel: 157s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 04:22
Behavioral task behavioral1
Sample: c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
Resource: win10v2004-20240226-en
General
Target: c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
Size: 159KB
MD5: a8e0d56f8c67f1f7b6e592c12d87acab
SHA1: ed555f0162ea6ec5b8b8bada743cfc628d376274
SHA256: c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2
SHA512: 41aac8e5a4604134b1014cc08824a1820c138e2762324fd05521d55824aa56d118a8c2ab105285c914f6f839dff9a71a2ecb2e0b8c7bf0e2202edce288577a67
SSDEEP: 3072:wrQnZg2Bvu2K8/PzRanIzrQSsKQj+zXzCGRG2:wrf2Bm3cLRanKr5zRG
Malware Config
Extracted
Path: C:\Users\ddbPFTiN9.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
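The extracted config lists each LockBit hidden service twice, once as a plain .onion and once behind a ".onion.ly" clearnet gateway, next to a Twitter search and two GDPR pages. Before those strings go into a blocklist it is worth collapsing the gateway mirrors onto their base address and checking that each 56-character address is a structurally valid v3 onion (extraction from a ransom note can truncate or garble them). The script below is an added example, not code from the report or from LockBit; the URL subset is constructed from the list above, the ".onion.<suffix>" gateway pattern is this example's generalisation of the ".onion.ly" entries, and the checksum rule it recomputes is the one from the Tor v3 hidden-service spec (SHA3-256 over ".onion checksum" || pubkey || version, first two bytes).

```python
# Added example (not part of the Triage report): normalise and sanity-check the
# .onion URLs extracted from the LockBit config so they can go into a blocklist
# as one address per hidden service.
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample input: a subset of the URLs listed under "Malware Config" above,
# including two ".onion.ly" gateway mirrors of addresses that are also listed plain.
CONFIG_URLS = [
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion",
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion",
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly",
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly",
    "http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion",
    "https://twitter.com/hashtag/lockbit?f=live",
    "https://gdpr.eu/what-is-gdpr/",
]

# A v3 onion address is base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) = 56 chars,
# optionally followed by a clearnet gateway suffix such as ".onion.ly" (assumed pattern).
ONION_HOST = re.compile(r"^(?P<addr>[a-z2-7]{56})\.onion(?:\.[a-z0-9.-]+)?$")
CHECKSUM_PREFIX = b".onion checksum"  # fixed prefix from the Tor v3 spec


def onion_from_url(url: str):
    """Return the 56-char v3 address in a URL's host, or None for clearnet hosts."""
    host = (urlparse(url).hostname or "").lower()
    m = ONION_HOST.match(host)
    return m.group("addr") if m else None


def decode_v3(addr: str) -> dict:
    """Split a v3 address and recompute its checksum: SHA3-256(prefix||pubkey||version)[:2]."""
    raw = base64.b32decode(addr.upper())          # 56 base32 chars -> exactly 35 bytes
    pubkey, stored, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey, "version": version, "checksum_ok": stored == expected}


def encode_v3(pubkey: bytes, version: int = 3) -> str:
    """Inverse of decode_v3; handy for building known-good and known-bad inputs."""
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]
    return base64.b32encode(pubkey + checksum + bytes([version])).decode().lower()


def triage_urls(urls):
    """Group URLs by hidden service; gateway mirrors collapse onto their base address."""
    onions, clearnet = {}, []
    for url in urls:
        addr = onion_from_url(url)
        if addr is None:
            clearnet.append(url)              # keep for separate review, not for the onion list
            continue
        entry = onions.setdefault(addr, {**decode_v3(addr), "seen_via": []})
        entry["seen_via"].append(urlparse(url).hostname)
    return onions, clearnet


if __name__ == "__main__":
    onions, clearnet = triage_urls(CONFIG_URLS)
    for addr, info in onions.items():
        print(f"{addr}.onion v{info['version']} checksum_ok={info['checksum_ok']} "
              f"via {', '.join(info['seen_via'])}")
    print("clearnet:", clearnet)
```

Every address in the report ends in "d" with the preceding character's low bits clear, which is what a version byte of 3 looks like in base32, so the version check passes for all of them; the checksum recomputation is the stronger test and is what catches a single mistyped character.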
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Deletes itself  1 IoCs
Processes:
  pid 3132  FBB2.tmp
Executes dropped EXE  1 IoCs
Processes:
  pid 3132  FBB2.tmp
Drops desktop.ini file(s)  2 IoCs
Processes:
  c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    File opened for modification  C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini
    File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini
Drops file in System32 directory  4 IoCs
Processes:
  splwow64.exe
    File created  C:\Windows\system32\spool\PRINTERS\00002.SPL
  printfilterpipelinesvc.exe
    File created  C:\Windows\system32\spool\PRINTERS\PP90vwn6uc_b57a1dhrrx0igb1b.TMP
    File created  C:\Windows\system32\spool\PRINTERS\PPa3t3ow4t43jn6vc80y6mwdl6b.TMP
    File created  C:\Windows\system32\spool\PRINTERS\PPipvpvgbcc8tjsrmixjw94hrb.TMP
Sets desktop wallpaper using registry  2 TTPs  2 IoCs
Processes:
  c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ddbPFTiN9.bmp"
    Set value (str)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ddbPFTiN9.bmp"
Suspicious use of NtSetInformationThreadHideFromDebugger  12 IoCs
Processes:
  pid 452   c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe  (6 entries)
  pid 3132  FBB2.tmp  (6 entries)
Checks processor information in registry  2 TTPs  3 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the reading process is ONENOTE.EXE, which the Processes section shows being started by printfilterpipelinesvc.exe to insert a print job; the sample itself does not appear in this signature or in the BIOS enumeration below, so neither should be read as evasion by the sample.
Processes:
  ONENOTE.EXE
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry  2 TTPs  3 IoCs
Processes:
  ONENOTE.EXE
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies Control Panel  2 IoCs
Processes:
  c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    Key created  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop
    Set value (str)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallpaperStyle = "10"
Modifies registry class  5 IoCs
Processes:
  c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9\ = "ddbPFTiN9"
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon\ = "C:\\ProgramData\\ddbPFTiN9.ico"
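Taken together, the wallpaper, Control Panel and registry-class signatures describe one process staging the visible side of the encryption: a wallpaper BMP and an icon in C:\ProgramData, a new HKLM\SOFTWARE\Classes\.ddbPFTiN9 extension whose ProgID is the same string, and (from the Malware Config section) a note named ddbPFTiN9.README.txt. The script below is an added example, not code from the report or from LockBit: it parses the registry IoC lines in the form Triage prints them and correlates them per process, so that a process which both swaps the wallpaper and registers a new extension class is reported with the derived extension, icon and expected note name. The IoC lines are constructed input copied from the tables above (including the hardware-key reads attributed to ONENOTE.EXE, which the rule must not flag); the RegEvent type, the regexes and the note-name derivation are this example's own assumptions.

```python
# Added example (not part of the Triage report): parse the registry IoC lines the
# report prints and correlate them per process into a ransomware staging profile.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"
RANSOM_NOTE = r"C:\Users\ddbPFTiN9.README.txt"   # "Extracted" path from Malware Config

# Constructed sample input: registry IoCs copied from the signature tables above.
# Triage doubles the backslashes inside quoted values; the parser undoes that.
IOC_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ddbPFTiN9.bmp" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ddbPFTiN9.bmp" ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WallpaperStyle = "10" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9 ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ddbPFTiN9\ = "ddbPFTiN9" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9 ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ddbPFTiN9\DefaultIcon\ = "C:\\ProgramData\\ddbPFTiN9.ico" ' + SAMPLE,
    r'Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE',
]


@dataclass
class RegEvent:
    op: str               # "Key created", "Key opened", "Key value queried", "Set value (str)"
    path: str             # \REGISTRY\...; a trailing backslash means the key's default value
    value: Optional[str]  # only present on "Set value" lines
    proc: str             # image name the report attributes the operation to


def parse_reg_line(line: str) -> RegEvent:
    """Split one Triage registry IoC line; the process name is always the last token."""
    rest, _, proc = line.strip().rpartition(" ")
    op, sep, tail = rest.partition(" \\REGISTRY\\")
    if not sep:
        raise ValueError(f"not a registry IoC line: {line!r}")
    path, value = "\\REGISTRY\\" + tail, None
    if ' = "' in path:
        path, _, value = path.partition(' = "')
        value = value.rstrip('"').replace("\\\\", "\\")
    return RegEvent(op, path, value, proc)


WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)   # not WallpaperStyle
EXT_CLASS_RE = re.compile(r"\\SOFTWARE\\Classes\\\.([^\\]+)\\?$", re.I)    # HKCR\.<ext>
ICON_RE = re.compile(r"\\SOFTWARE\\Classes\\([^\\.][^\\]*)\\DefaultIcon\\?$", re.I)


def correlate(events: list[RegEvent], ransom_note_path: str) -> list[dict]:
    """Report processes that both swap the wallpaper and register a new extension class."""
    per_proc: dict[str, dict] = {}
    for e in events:
        p = per_proc.setdefault(e.proc, {"wallpaper": None, "extensions": set(), "icons": {}})
        if e.value is not None and WALLPAPER_RE.search(e.path):
            p["wallpaper"] = e.value
        if m := EXT_CLASS_RE.search(e.path):
            p["extensions"].add(m.group(1))
        if e.value is not None and (m := ICON_RE.search(e.path)):
            p["icons"][m.group(1)] = e.value
    hits = []
    for proc, p in per_proc.items():
        if not (p["wallpaper"] and p["extensions"]):
            continue   # ONENOTE.EXE only reads hardware keys and stops here
        for ext in sorted(p["extensions"]):
            note = f"{ext}.README.txt"   # note name pattern seen in this report (assumed general)
            hits.append({
                "process": proc,
                "extension": ext,
                "wallpaper": p["wallpaper"],
                "icon": p["icons"].get(ext),
                "expected_note": note,
                "note_matches": ransom_note_path.lower().endswith("\\" + note.lower()),
            })
    return hits


if __name__ == "__main__":
    for hit in correlate([parse_reg_line(l) for l in IOC_LINES], RANSOM_NOTE):
        print(hit)
```

On a live host the same correlation runs over Sysmon registry events (event ID 12 for key creation, 13 for value writes, using TargetObject, Details and Image) instead of report lines; the keys to watch are unchanged.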
Suspicious behavior: EnumeratesProcesses  14 IoCs
Processes:
  pid 452   c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe  (12 entries)
  pid 3708  ONENOTE.EXE  (2 entries)
Suspicious behavior: RenamesItself  26 IoCs
Processes:
  pid 3132  FBB2.tmp  (26 entries)
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes:
  pid 452  c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    Token: SeAssignPrimaryTokenPrivilege
    Token: SeBackupPrivilege
    Token: SeDebugPrivilege
    Token: 36
    Token: SeImpersonatePrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeIncreaseQuotaPrivilege
    Token: 33
    Token: SeManageVolumePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeRestorePrivilege
    Token: SeSecurityPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    followed by 12 repetitions of the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (entries 17 to 64 of the 64 shown)
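The token table above is the most telling part of the report for a defender: in the first sixteen records the sample enables, among others, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege (which together let a process read, overwrite and take ownership of files regardless of their ACLs), SeDebugPrivilege, SeManageVolumePrivilege and SeShutdownPrivilege, and then settles into a repeating SeBackupPrivilege/SeSecurityPrivilege pattern. The script below is an added example, not code from the report or from LockBit: it parses the run-together "Token: <privilege> <pid> <image>" records into per-process counts and maps them onto privilege groups. The input is constructed from the first 19 records above; the grouping and its labels are this example's own assessment, not something the report states, and the unnamed LUIDs "36" and "33" are kept verbatim rather than resolved.

```python
# Added example (not part of the Triage report): summarise the flattened
# "Token: <privilege> <pid> <image>" records per process and flag the
# privilege combinations that matter for a file-encrypting payload.
import re
from collections import Counter

SAMPLE = "c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"

# Constructed sample input: the first 19 records of the AdjustPrivilegeToken table
# above, in the report's run-together form. "36" and "33" are privilege LUIDs the
# sandbox did not resolve to a name; they are kept as printed.
TOKEN_IOCS = (
    "Token: SeAssignPrimaryTokenPrivilege 452 {s} Token: SeBackupPrivilege 452 {s} "
    "Token: SeDebugPrivilege 452 {s} Token: 36 452 {s} Token: SeImpersonatePrivilege 452 {s} "
    "Token: SeIncBasePriorityPrivilege 452 {s} Token: SeIncreaseQuotaPrivilege 452 {s} "
    "Token: 33 452 {s} Token: SeManageVolumePrivilege 452 {s} "
    "Token: SeProfSingleProcessPrivilege 452 {s} Token: SeRestorePrivilege 452 {s} "
    "Token: SeSecurityPrivilege 452 {s} Token: SeSystemProfilePrivilege 452 {s} "
    "Token: SeTakeOwnershipPrivilege 452 {s} Token: SeShutdownPrivilege 452 {s} "
    "Token: SeDebugPrivilege 452 {s} Token: SeBackupPrivilege 452 {s} "
    "Token: SeBackupPrivilege 452 {s} Token: SeSecurityPrivilege 452 {s}"
).format(s=SAMPLE)

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Assumed grouping for this example (not from the report): why each set matters.
PRIVILEGE_GROUPS = {
    # read, overwrite and take ownership of any file regardless of its ACL
    "acl_bypass": {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"},
    # open or impersonate other processes and tokens
    "process_tampering": {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"},
    # raw volume access and forced reboot
    "volume_and_shutdown": {"SeManageVolumePrivilege", "SeShutdownPrivilege"},
    # control over the security log and SACLs
    "audit_control": {"SeSecurityPrivilege"},
}


def summarize_tokens(blob: str) -> dict:
    """Return {(pid, image): Counter(privilege -> number of records)} from a flattened table."""
    per_proc = {}
    for priv, pid, image in TOKEN_RE.findall(blob):
        per_proc.setdefault((int(pid), image), Counter())[priv] += 1
    return per_proc


def assess(counts: Counter) -> dict:
    """Map one process's privilege set onto PRIVILEGE_GROUPS; {} means nothing notable."""
    present = set(counts)
    return {
        name: sorted(privs & present)
        for name, privs in PRIVILEGE_GROUPS.items()
        if privs & present
    }


if __name__ == "__main__":
    for (pid, image), counts in summarize_tokens(TOKEN_IOCS).items():
        print(f"pid {pid} {image}: {sum(counts.values())} records")
        for priv, n in counts.most_common():
            print(f"  {priv:<32} x{n}")
        print("  flags:", assess(counts))
```

The live-host equivalent of this table is Windows Security event 4703 ("A user right was adjusted"), which lists the enabled privileges per call once the "Audit Token Right Adjusted" subcategory is on; the same grouping applied to those events gives the same signal without a sandbox.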
Suspicious use of SetWindowsHookEx  13 IoCs
Processes:
  pid 3708  ONENOTE.EXE  (13 entries)
Suspicious use of WriteProcessMemory  8 IoCs
Processes:
  pid 452   c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
    wrote to memory of pid 4424  splwow64.exe  (2 entries)
    wrote to memory of pid 3132  FBB2.tmp  (4 entries)
  pid 4724  printfilterpipelinesvc.exe
    wrote to memory of pid 3708  ONENOTE.EXE  (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe"
  PID: 452
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 4424
    - Drops file in System32 directory
  └ C:\ProgramData\FBB2.tmp
    command line: "C:\ProgramData\FBB2.tmp"
    PID: 3132
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 5088
C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4724
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  └ C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A3CBEE87-4F6F-4618-AC45-7B46955E8431}.xps" 133548638344150000
    PID: 3708
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129B
MD5: fa327cc5c685bf8952aad623a7c74b06
SHA1: 0ddfd3a1405d26014dcf662f69772236484640c4
SHA256: bcbb9e47a01db4f82451d63b25116272d984a1e6b56b5b4365a627b0e64d7a74
SHA512: 20e0f8ef153a9077117adfa267a33599c616b0c03a6eab6590f46c8d4cd16ff2648bf2ae05b37b3303068148902f34f25446cc08d9186f46e296d08b6b966d11

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 159KB
MD5: 521f5f8bc091bf97cd97ac5b5a48a791
SHA1: daabeed028298700a1a327145ad052b0866d8862
SHA256: 3f5c8d33599e0b57a1685e2ba103f12a6bf5170724404048ea3df6e46d7bc725
SHA512: 08400985ad43ee61d1a8c9c4eb14e2701738813adcc7346e80ffb09ff052cd4296d21e0c9052aa5830fbd80817b2a4f441832c23eb14b2867aa4df4a01f8cb9c

Filesize: 10KB
MD5: 171cc86fa907cf1d7ff502d38c97ebb9
SHA1: 1b4002d6374ce5a51f5954d7f213cfa0bb5a4bb8
SHA256: 0a6f8d73610814444ae8aa16e75d8239c9d77be22f97de78c851a8f25331fe30
SHA512: 4d21b8f99d6a65f9964174f30848ff9cf1aced1f6d37ab9156cb3cf1b1ba7ffb9be229a5f9987c80c564a79d63596d83e6847a4c85118a395dc3083f5939a4c8

Filesize: 129B
MD5: 706b4c019d3c725a6123811cc3592d9a
SHA1: 811d16b5558a36a778d6df3e374565661f075b22
SHA256: 6e0a640c3ed3c115e59c036df2aaf5ce13aff639b7f83b53e538af96ab814f3d
SHA512: 7967e9a4e3ed33c3f94da13d1a1eacc9b922a5ce6526d1115954115272658cbe0174663c9b367858132bb816fe5d3687ef7ac2ef3043004de751d79268339a9f