lockbit | 30cf476cf309662b96c237d3778afc6a33ca512d76d1daa9deb2a4c7fa2ef408

Analysis

max time kernel
300s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe
Size

512KB
MD5

ca9030325048d92594bc29ec5d6e5b6e
SHA1

b65183cc886185a8c34860f68d3289d8e9dd84e3
SHA256

bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6
SHA512

112e69453ee1289302ed7f9ca5a885be6b74e6d18a34cb61d976874f833ae9cb61b31a8cbf6a636ea5cedef87d3fd781bcff8499e477f87c61926d7ea6b7de56
SSDEEP

12288:vubsNSOetfARQAPyGUJWX+t4IbhYR6H6/ou6BEZEQ4Gfw28:vubsnafAPyjJUIbKcH6AqZENP

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\Uc2RrigQ4.README.txt

Ransom Note

~~~ Ikaruz Red Team the world's Simple Ransomware Since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: DD569E4494EC647A682FCF8CBAE81357 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lb3.exe	family_lockbit

Renames multiple (623) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe98B7.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	98B7.tmp

Executes dropped EXE 2 IoCs

Processes:

lb3.exe98B7.tmp

pid process

1464 lb3.exe
4904 98B7.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

lb3.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini	lb3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini	lb3.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPp0woi0udvbhccrqut4vcxps1c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0d3x1w74zq0234m9983ogvgwb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP00h8k959df7vg489lg9_0og6d.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

lb3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Uc2RrigQ4.bmp"	lb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Uc2RrigQ4.bmp"	lb3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

98B7.tmp

pid process

4904 98B7.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4904	98B7.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

lb3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop	lb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\WallpaperStyle = "10"	lb3.exe

Modifies registry class 5 IoCs

Processes:

lb3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Uc2RrigQ4	lb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Uc2RrigQ4\ = "Uc2RrigQ4"	lb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Uc2RrigQ4\DefaultIcon	lb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Uc2RrigQ4	lb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Uc2RrigQ4\DefaultIcon\ = "C:\\ProgramData\\Uc2RrigQ4.ico"	lb3.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6444 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

2032 ONENOTE.EXE
2032 ONENOTE.EXE

pid	process
6444	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lb3.exe

pid	process
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe
1464	lb3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lb3.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeDebugPrivilege	1464	lb3.exe
Token: 36	1464	lb3.exe
Token: SeImpersonatePrivilege	1464	lb3.exe
Token: SeIncBasePriorityPrivilege	1464	lb3.exe
Token: SeIncreaseQuotaPrivilege	1464	lb3.exe
Token: 33	1464	lb3.exe
Token: SeManageVolumePrivilege	1464	lb3.exe
Token: SeProfSingleProcessPrivilege	1464	lb3.exe
Token: SeRestorePrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSystemProfilePrivilege	1464	lb3.exe
Token: SeTakeOwnershipPrivilege	1464	lb3.exe
Token: SeShutdownPrivilege	1464	lb3.exe
Token: SeDebugPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeBackupPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe
Token: SeSecurityPrivilege	1464	lb3.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

ONENOTE.EXE

pid	process
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE
2032	ONENOTE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exelb3.exeprintfilterpipelinesvc.exe98B7.tmp

description	pid	process	target process
PID 2192 wrote to memory of 1464	2192	bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe	lb3.exe
PID 2192 wrote to memory of 1464	2192	bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe	lb3.exe
PID 2192 wrote to memory of 1464	2192	bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe	lb3.exe
PID 1464 wrote to memory of 7048	1464	lb3.exe	splwow64.exe
PID 1464 wrote to memory of 7048	1464	lb3.exe	splwow64.exe
PID 3900 wrote to memory of 2032	3900	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3900 wrote to memory of 2032	3900	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1464 wrote to memory of 4904	1464	lb3.exe	98B7.tmp
PID 1464 wrote to memory of 4904	1464	lb3.exe	98B7.tmp
PID 1464 wrote to memory of 4904	1464	lb3.exe	98B7.tmp
PID 1464 wrote to memory of 4904	1464	lb3.exe	98B7.tmp
PID 4904 wrote to memory of 4416	4904	98B7.tmp	cmd.exe
PID 4904 wrote to memory of 4416	4904	98B7.tmp	cmd.exe
PID 4904 wrote to memory of 4416	4904	98B7.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe
"C:\Users\Admin\AppData\Local\Temp\bfa1a2bd23754277ee1f31e80c92d9c5309f150083451bfc33bbeb604adec8f6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lb3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\lb3.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Drops file in System32 directory
PID:7048

C:\ProgramData\98B7.tmp
"C:\ProgramData\98B7.tmp"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\98B7.tmp >> NUL
4⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:7096

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3900

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5F8120ED-93D6-4914-806C-CF8D7F2C4C1B}.xps" 133589016017900000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Uc2RrigQ4.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\OOOOOOOOOOO

Filesize
129B

MD5
e25081007e85fb342bd894946cdbf446

SHA1
e445de092ffa695c7f7948a07994937c37687187

SHA256
5a9d1b0e2cadb33e8ce59b19cc54ecc7d07a6d63913cfa43f17afe02467c8b73

SHA512
ed7e94ec73509f5e0efd87d6487a8cc5018303274510705a5081307a4d782f40a9e114ae16bb788bc842b1b5ed625aa7694a114065003d939a421909f4d299a9

Download Submit
C:\ProgramData\98B7.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Uc2RrigQ4.README.txt

Filesize
6KB

MD5
f52b2dd567bff9601b794f838c7d2096

SHA1
133388ea2bd362993198bba461c7273a2a3af1ec

SHA256
320802f131c7b4b6f759ac0050c2e31b4f6afe5f1e851800acd5cf66f5112480

SHA512
029b912ad279deb51b2c90e9956ac9b8b3acd39a70012b51fb1cbafcc404a0bf07c3b5c12ad75ad3736dcb9a0117ad2ba8391f5893005fc67f5d91c1699a8187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5F8120ED-93D6-4914-806C-CF8D7F2C4C1B}.xps

Filesize
12.9MB

MD5
dfcf146f667b0744ce84a8377431da38

SHA1
912002dbbae76ad78febebc616ba02a0b77a2a8e

SHA256
dbdb8d08d2ed5c3d76552877e2baddc938048667dcd067fb707887008b3a30dc

SHA512
9173ff9145b38e53ae9b936c63795b8c34f66467be633d618c20adc39b4bd1d2b6f3045e833420740a7a80a828fbea587e344c39d9d2ae643faf8d9a0881ac14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DDDDDDD

Filesize
153KB

MD5
51cc40faa3d56346f672b5580d8280ae

SHA1
33c1d6bb0b3d25efed391dbc18c4420b7fd7c8f6

SHA256
fb3750f0bf39083a212771ce91d8bd78bf5ff98dc3ce09632db37f5f10ad9d56

SHA512
5b9632c7a8856a0b518b5b8f2a7355ad525b6b55b3689f61668ce650dfe2e0ee51dae1566481b1f1fb9891fc5d00a9cfd6c8e9d38019f587aa67b5c2082b8be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lb3.exe

Filesize
153KB

MD5
8861ae48d8a851e1573586ac4b7ed230

SHA1
a379e55be365ece1ca2b8f72b6c54bb8b5bfe4e9

SHA256
c9dd51d4295c33e1df0d275669a1de9e1de374a51eb88d7f7b1a1e65f49f7794

SHA512
2b6c452ec52e76c0e0750e3a94041cb7103fd36c5257067bb965cdb50af431fb55323c88e7b0c5b7f51a35be10f5cb60cc600a9dcece67093c6898603de61123

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8528658C-F90D-4DB4-85DB-DCCC9A25CA92}

Filesize
4KB

MD5
f5025f217a31209693d10f936317ac49

SHA1
8e0e2ad08cb9d12beb09cbbc00c7cecf21078d53

SHA256
5f8e38e3050affc2fefc44561350397af316a117ad2516ecb45632d6139de0f0

SHA512
edfeb42df1f4deb2f4db119475d247f583fb595702d4f962003a114abef7ccb6e14889f6e3e3d79494f6d48b1acc6511d73fd5301a2d7e8ac7b24b5a7181fb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
89f5e495ec44e244d0a2d34ca33b3e37

SHA1
832b3f2de8a05f76d798cc329c21a378e6bd3400

SHA256
ba52826a662a34b09147ae2e5a30a61e6c465697861698e03f097522ad1212b5

SHA512
8517900bb1a4b8bde1cbaa1fcd7d4f90e0000e7104b6f49ceb380ed87cf95ec8e1496b8135a49f081731571dff1160bf0463dd84c9ed629e751d4695f82b7a51

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\DDDDDDDDDDD

Filesize
129B

MD5
53265befafc6d3714a97ca66990275e8

SHA1
6b0c55b7893049f908c008b672f7410acd2eedc4

SHA256
6812d8ec8557b5cc2823f9be5439dc9fb7663a76473d5fc71dd6a97a202c8c7e

SHA512
252f954be29770655193ebb4531275f8079f699d2cd99bcbb7b09f900174faf7ec15653e39cbe39727ff2e5e16ed053eb5eae010f5983edbd70b37f9cb2c30cc

Download Submit
memory/1464-11-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1464-13-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1464-12-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/2032-2782-0x00007FFAA63F0000-0x00007FFAA6400000-memory.dmp

Filesize
64KB

Download
memory/2032-2788-0x00007FFAA3F60000-0x00007FFAA3F70000-memory.dmp

Filesize
64KB

Download
memory/2032-2817-0x00007FFAA3F60000-0x00007FFAA3F70000-memory.dmp

Filesize
64KB

Download
memory/2032-2783-0x00007FFAA63F0000-0x00007FFAA6400000-memory.dmp

Filesize
64KB

Download
memory/2032-2781-0x00007FFAA63F0000-0x00007FFAA6400000-memory.dmp

Filesize
64KB

Download
memory/2032-2780-0x00007FFAA63F0000-0x00007FFAA6400000-memory.dmp

Filesize
64KB

Download
memory/2032-2779-0x00007FFAA63F0000-0x00007FFAA6400000-memory.dmp

Filesize
64KB

Download