83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68

General

Target

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Size

160KB
MD5

9251dd806a703d4a6b388e504e5020f3
SHA1

a9c78679a7effe14bac6b0fe440af504c50d7d1f
SHA256

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68
SHA512

f67f5f44ef17128b575608c4a8eddd76af172ebee276c752cb7a6e149cc244e0df81166bab52435f3a1db26b42f2d141e1aa338366a81a616792a0a07b110862
SSDEEP

3072:kDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33682wa9h+f2s9L6AsW:m5d/zugZqll3a5OB9L6

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\NOokKHoMb.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: F7EA81C1375FE40777C50D7B3297A591 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

Signatures

Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

386E.tmp

pid process

2508 386E.tmp
Executes dropped EXE 1 IoCs

Processes:

386E.tmp

pid process

2508 386E.tmp
Loads dropped DLL 1 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

pid process

3048 83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe386E.tmp

pid	process
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Modifies registry class 5 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb\ = "NOokKHoMb"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon\ = "C:\\ProgramData\\NOokKHoMb.ico"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

pid	process
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

386E.tmp

pid	process
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp
2508	386E.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 36	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeImpersonatePrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncBasePriorityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncreaseQuotaPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 33	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeManageVolumePrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeProfSingleProcessPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeRestorePrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSystemProfilePrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeTakeOwnershipPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeShutdownPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe386E.tmp

description	pid	process	target process
PID 3048 wrote to memory of 2508	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	386E.tmp
PID 3048 wrote to memory of 2508	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	386E.tmp
PID 3048 wrote to memory of 2508	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	386E.tmp
PID 3048 wrote to memory of 2508	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	386E.tmp
PID 3048 wrote to memory of 2508	3048	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	386E.tmp
PID 2508 wrote to memory of 2992	2508	386E.tmp	cmd.exe
PID 2508 wrote to memory of 2992	2508	386E.tmp	cmd.exe
PID 2508 wrote to memory of 2992	2508	386E.tmp	cmd.exe
PID 2508 wrote to memory of 2992	2508	386E.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
"C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\ProgramData\386E.tmp
"C:\ProgramData\386E.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\386E.tmp >> NUL
3⤵
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

Filesize
129B

MD5
144d812b10628924d3622488cf61c7a9

SHA1
9db767041aeafccb942d85239ad3ce956e3b4975

SHA256
8845e0565275fe763a62015be8b1394e3b99ba91d51f4fc02b79bb846dcd30a8

SHA512
117bb048e628f64b3ebac9b510ecd65bfac2188a0ba9eb85cc602288a7ec96c7da2d79d30c8bbf7f8b42cf1f1c4ea09132815aa8bdfb1b5dbc5095b730b203a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
160KB

MD5
779cd55f9ab5859d444e2f10ac9cf32e

SHA1
3b68e886564d4245f43ead01f72016cba99f4531

SHA256
77d970bc6429fa7c1dcad55a01e20aeabe581b435709f475299a7615e9c07ca8

SHA512
2370b81c84fb13069a8921c219cf051eb42a0c60f8a1cbd0cfd3428d8206fea3ad5ac2ba835ad4f9e0d90ee08d16f73864240f4c5f9885717e187cfdbca8d899

Download Submit
C:\Users\NOokKHoMb.README.txt

Filesize
3KB

MD5
3ead714da43705cef94cde037889a5fc

SHA1
45fbfcebe44d2d77766de2eaf1e14bee6b868a29

SHA256
39f35bdf9c9632cb6a380db43e3bc7fe495683e52fe429872d7251bfffac01a1

SHA512
3cc546cb0e54339fe5ee9fe85e21874f3080f5fa812e7db727138d9c255ab47a58d2e2884aa7fac1382316b632d29daa6bb4440068832d4af2521b0883f06dda

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

Filesize
129B

MD5
065b9843d93f62e9c7c627e2cf3acc1a

SHA1
f8a50661ab3a7a9a577b10901a72e39003cceff8

SHA256
18dfc3b957da8474e813ddfc6f9d46624bf949f57257de51d398c8ec12205b5e

SHA512
6598703d06114cc9a42b422bd6f3ce9d5190749ca4734b9a185830b39d54499fd7a0cbeed895cf2344005322db5d36eaef391dbe945f86545c419effa936e17f

Download Submit
\ProgramData\386E.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2508-288-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2508-293-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2508-292-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2508-290-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/2508-323-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2508-322-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/3048-0-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads