83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68

General

Target

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Size

160KB
MD5

9251dd806a703d4a6b388e504e5020f3
SHA1

a9c78679a7effe14bac6b0fe440af504c50d7d1f
SHA256

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68
SHA512

f67f5f44ef17128b575608c4a8eddd76af172ebee276c752cb7a6e149cc244e0df81166bab52435f3a1db26b42f2d141e1aa338366a81a616792a0a07b110862
SSDEEP

3072:kDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33682wa9h+f2s9L6AsW:m5d/zugZqll3a5OB9L6

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\NOokKHoMb.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: F7EA81C1375FE4079ED63E4020B94140 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

Signatures

Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6A14.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 6A14.tmp
Deletes itself 1 IoCs

Processes:

6A14.tmp

pid process

4888 6A14.tmp
Executes dropped EXE 1 IoCs

Processes:

6A14.tmp

pid process

4888 6A14.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6A14.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe6A14.tmp

pid	process
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "10"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Modifies registry class 5 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon\ = "C:\\ProgramData\\NOokKHoMb.ico"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb\ = "NOokKHoMb"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

pid	process
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

6A14.tmp

pid	process
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp
4888	6A14.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 36	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeImpersonatePrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncBasePriorityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncreaseQuotaPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 33	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeManageVolumePrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeProfSingleProcessPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeRestorePrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSystemProfilePrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeTakeOwnershipPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeShutdownPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3636	vssvc.exe
Token: SeRestorePrivilege	3636	vssvc.exe
Token: SeAuditPrivilege	3636	vssvc.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe6A14.tmp

description	pid	process	target process
PID 2492 wrote to memory of 4888	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	6A14.tmp
PID 2492 wrote to memory of 4888	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	6A14.tmp
PID 2492 wrote to memory of 4888	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	6A14.tmp
PID 2492 wrote to memory of 4888	2492	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	6A14.tmp
PID 4888 wrote to memory of 1776	4888	6A14.tmp	cmd.exe
PID 4888 wrote to memory of 1776	4888	6A14.tmp	cmd.exe
PID 4888 wrote to memory of 1776	4888	6A14.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
"C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\ProgramData\6A14.tmp
"C:\ProgramData\6A14.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6A14.tmp >> NUL
3⤵
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\YYYYYYYYYYY
Filesize
129B

MD5
7e26d8ffbb9c8c886172264badf9c076

SHA1
db50e4d6c0c61a53afca4081d230e9843b47e56e

SHA256
3fef3cdbb8925bde0af789bd84aa48a9af0a609313baf1d77907d41a20578003

SHA512
1e462e3a0a49b60e328b4e4549a0441366f7f1690c9a51356aafd10a11673ed0e29f13436342c5fb75893d3fec5c4aa335284a76b3c1b62f51e73bc56915b257

Download Submit
C:\ProgramData\6A14.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
160KB

MD5
bbb53ab6f8531a1d5825be89953e4d5d

SHA1
be12af6efc259fe5ad4cf05c8d33f4011dbdcfcc

SHA256
b16d87f6e8260231947c4a915c9b0e767fdbfc7206039e1e8ac3429a4b47a43c

SHA512
aa525559ec01af6c486d79eb948ce4e461257dafcade088de49c0b4f179ee5130fa8b0c08fef62c60fb5148aea23a14535fbb71d85c742cfdf41e41c121d7ef0

Download Submit
C:\Users\NOokKHoMb.README.txt
Filesize
3KB

MD5
860b23178b58d513bf398ed806aab67a

SHA1
f5c36df29dee0c0198768e7b245de464dc29fc23

SHA256
8017f25f1339d54bab87e9d41ae2607353f1dda07a8224627afc91e5cffcfb7b

SHA512
01bc79b29a7d496efc5ea621532065e5f8526a2301c07099488fba57bcc8b3e7289aa89fda9016eb727cd6f8e23b578b0391839a8440413d31811d629efbcc79

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\CCCCCCCCCCC
Filesize
129B

MD5
3688254ca5c5c0e33e29980ec2191c4e

SHA1
7f6005879adc284da16edc62ecbee3139107d3fe

SHA256
49d1af10bcae4b3ef6fdefec2bb5a5c8693c08ea93d48165ffe59dbc57222bae

SHA512
af2fc671341d84cf34351968f124d91712c5954167678d055fb8e02dfe820c396a5e3d04592f9e26a628b605dc32f47c96889ee2b160f551e063daf4a35c3991

Download Submit
memory/2492-2-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2492-0-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2492-1-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/4888-349-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/4888-348-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/4888-347-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4888-346-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4888-345-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/4888-378-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4888-379-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4888-382-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/4888-383-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads