Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 04:23
Behavioral task behavioral1
- Sample: deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Resource: win10v2004-20240226-en
General
- Target: deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Size: 159KB
- MD5: 49bc004433997ad9fb6d0e42dcb1b020
- SHA1: fbbfc40f0a0493794698680a4bd0c4b6fb6b4f1e
- SHA256: deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1
- SHA512: d5220c3160baa46d8568d3338a40fee24b7fbd6561690f225ddd47d556086e441e46ce26104348cf66d424b9b55a0f9d1d556e08336f074c2177c7060b56e09b
- SSDEEP: 3072:PuJ9OlKolUa1U197bzhVsmftsRUsIxX4sbqcQL8AX2jKl3j:Pufj0zi1dNVsmftjs8PbqMji3j
Malware Config
Extracted
- Path: C:\dB6AsqMxo.README.txt
- Family: lockbit
- URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes itself (1 IoC)
  Processes (pid / process):
    1768  3D9C.tmp
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1768  3D9C.tmp
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    2088  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\dB6AsqMxo.bmp"  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\dB6AsqMxo.bmp"  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes (pid / process):
    2088  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe  (6 entries)
    1768  3D9C.tmp  (6 entries)
- Modifies Control Panel (2 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10"  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Modifies registry class (5 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon\ = "C:\\ProgramData\\dB6AsqMxo.ico"  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.dB6AsqMxo\ = "dB6AsqMxo"  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo\DefaultIcon  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\dB6AsqMxo  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
    2088  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe  (14 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes (pid / process):
    1768  3D9C.tmp  (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process); every entry is for pid 2088, deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe:
    Token: SeAssignPrimaryTokenPrivilege
    Token: SeBackupPrivilege
    Token: SeDebugPrivilege
    Token: 36
    Token: SeImpersonatePrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeIncreaseQuotaPrivilege
    Token: 33
    Token: SeManageVolumePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeRestorePrivilege
    Token: SeSecurityPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Entries 17 to 64 are the four-entry cycle SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 12 times.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 2088 wrote to memory of 1768  2088  deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe  3D9C.tmp  (5 entries)
    PID 1768 wrote to memory of 760  1768  3D9C.tmp  cmd.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\deca4775a99217b9a8e5e2614f23c20d7d6fa1c13d6b00bad73175a07fe049f1.exe"
  PID: 2088
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\3D9C.tmp
    Command line: "C:\ProgramData\3D9C.tmp"
    PID: 1768
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3D9C.tmp >> NUL
      PID: 760
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 83896bd348deaebb57eede99572e37ca
  SHA1: a2c0dd64413598b8af9b63e01cbef8db0ce35aa6
  SHA256: 4149870f074ab77462959cac864de0af18931df116f872b26d4c701e870f38c7
  SHA512: a3776c3da22ce0629c89126e1474ea5aef81265f0b169d432d10d681016d057c5b5e102e57e8f7c9e6436163e0e2a975bdc052c32a055f77370e6194cad73f09
- C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Filesize: 159KB
  MD5: b235abdc286af5fbdfe36740d6498512
  SHA1: d6c519736e6f323eafe4d350d8a63dcde11fdac0
  SHA256: 57e463cb13c66dc054a50ded5387c067e49691614130ed36e949ea6cd961f651
  SHA512: cc7e93ac435f8faa11d2bedd43656e70704517dc3681cb357c3932528c3edd7574586294287cc010e7cb0c6631c97b91d423341756827115795f77bd138113a6
- Filesize: 10KB
  MD5: 802d4c92988b7591fe4600669a7770db
  SHA1: a5710433d05398316048272b84264ab4669bcf24
  SHA256: 667485a1ecb2c2ca7bc462af1b28ef45b350181da5e88183a1fc193dd3bc1fc2
  SHA512: ec430902d4cb0fb663b26a6c33f18fb43df81d7753ff1a0cce2184270eec6242ad9f97f46401c6a4a1225d1c24440822787fdaebda52126c2a722470c0b18798
- Filesize: 129B
  MD5: 4526adf0de51a31ca32a887e2d3493d6
  SHA1: 2ef272cebec48c73ef8f8cdd92513603149ae515
  SHA256: 31ad50487a142f04365676c655fe030b2fe2a7730a54dcfe9f85172f7493e942
  SHA512: 5791807f0dbc0d5972ebb3b9c2f0ee13a0e75163dd134f58cacb4e1d6271d8e0159d528acbc819b73a05da4ef7da55dba44c81590f3d64b066006c52c1e713f8
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf