Analysis
max time kernel: 119s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 14-03-2024 04:22
Behavioral task: behavioral1
Sample: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Resource: win10v2004-20240226-en
General
Target: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Size: 159KB
MD5: 85ca694de55c02d285e997e7671c9e43
SHA1: e4ecabeb1f0df4ae69a9408d6522f039fd3a4968
SHA256: d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3
SHA512: 6bea0a189a947c059205e8c31dbcc0f6675504170d4dade3d780ab20fd44b1e1ae4b4d975227d95fd08a9aec3adeec21ce471a095650a53304837f12f515f4ca
SSDEEP: 3072:/uJ9OlKolUa1U197bzhVsmftsfwohznCoJjlNr/DNg10:/ufj0zi1dNVsmft0GoJzrK0
Malware Config
Extracted
Path: C:\Users\5XKuA1aj2.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes itself (1 IoC)
Processes:
  pid   process
  2492  1C76.tmp
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2492  1C76.tmp
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2108  d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5XKuA1aj2.bmp" | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes:
  pid   process
  2108  d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe  (6 identical entries)
  2492  1C76.tmp  (6 identical entries)
Modifies Control Panel (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\WallpaperStyle = "10" | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2 | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5XKuA1aj2\ = "5XKuA1aj2" | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2 | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5XKuA1aj2\DefaultIcon\ = "C:\\ProgramData\\5XKuA1aj2.ico" | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  2108  d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe  (14 identical entries)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  pid   process
  2492  1C76.tmp  (26 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: all 64 entries are pid 2108, process d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  description
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  entries 17 to 64: the sequence Token: SeBackupPrivilege, Token: SeBackupPrivilege, Token: SeSecurityPrivilege, Token: SeSecurityPrivilege, repeated 12 times
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 2108 wrote to memory of 2492 | 2108 | d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe | 1C76.tmp  (5 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d31e38f333deeeb21c8b55fe129b64964a3ff14c04f3149b3f93a56e2fbf33d3.exe"
  PID: 2108
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  child process: C:\ProgramData\1C76.tmp
    command line: "C:\ProgramData\1C76.tmp"
    PID: 2492
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x154
  PID: 1092
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: d688a63679b072e0001b43b73ba10f11
SHA1: ec162aa906fe02667d2fe875b4db5e893efc86d4
SHA256: 10ce6fda71f422651fe783cb61fd3f8443d9df46e697292f73aba6b4be895136
SHA512: cd6b44fc8c98d5f314501656ab9d474e59ecc0f6a9b21757d82cd36ce3f25849be9115bb1e488ab2e3b5a86829f4f61a302bc8635c497a469574e6b178e9e1fe

Filesize: 10KB
MD5: e2ff2226df731e9f35ce8a4e26de52b2
SHA1: 31c91e836ca631d50368a507a072be7cfaee01d2
SHA256: 1d9cebabb11049b8b0879a2603b1ee4209b64dfbdee2e1f977060fb7a11fe4fe
SHA512: ceb46b5ade75cfc249db8de89b91de98af10aea6e668413ecf88a8b232dc1885c9487e030d5d4cd257bc62f8ef94cd9fc97480b185e37e5f039ca848e10ddbf8

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 159KB
MD5: 539ba15f29d10727509ef9ae0e604857
SHA1: db85187c0b468bfa54a74915b0f291974b7ea1a4
SHA256: 97a34540817367cf53849ecfa734680c4c21cde15d5d6e52a7231df170a7e45c
SHA512: 1f57a7385ea6b5e23b44ca9edb1fdac81e66258e00f449775fa2fb04fbd8fbfe578e7f3ee05150b8c22a2bf8de56511485a7328b4040ad9595f6e10aaa6cdd02

Filesize: 129B
MD5: c54d6632c8e1368adfe14882cfd5425b
SHA1: e3c237078837dff1adb52e4935bd9e43c2aabcfd
SHA256: cab2bc8906116ad6005427cf7711145bff2dc7942f4ae95bd6acfdeae25f2859
SHA512: 45ec13a06711086b38d09dd21441319a1e20922b1b4507ee26d81325788c274e19ab30333bf074befbe0937f27babb1d5d748c59424ebdc8b5c891d5d74b8a41

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf