83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68

General

Target

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Size

160KB
MD5

9251dd806a703d4a6b388e504e5020f3
SHA1

a9c78679a7effe14bac6b0fe440af504c50d7d1f
SHA256

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68
SHA512

f67f5f44ef17128b575608c4a8eddd76af172ebee276c752cb7a6e149cc244e0df81166bab52435f3a1db26b42f2d141e1aa338366a81a616792a0a07b110862
SSDEEP

3072:kDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33682wa9h+f2s9L6AsW:m5d/zugZqll3a5OB9L6

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\NOokKHoMb.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: F7EA81C1375FE4074F67918407C07B28 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

Signatures

Renames multiple (184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5256.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation 5256.tmp
Deletes itself 1 IoCs

Processes:

5256.tmp

pid process

2184 5256.tmp
Executes dropped EXE 1 IoCs

Processes:

5256.tmp

pid process

2184 5256.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	5256.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NOokKHoMb.bmp"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe5256.tmp

pid	process
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "10"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Modifies registry class 5 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb\ = "NOokKHoMb"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon\ = "C:\\ProgramData\\NOokKHoMb.ico"	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

pid	process
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

5256.tmp

pid	process
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp
2184	5256.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 36	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeImpersonatePrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncBasePriorityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeIncreaseQuotaPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: 33	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeManageVolumePrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeProfSingleProcessPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeRestorePrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSystemProfilePrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeTakeOwnershipPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeShutdownPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeDebugPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	2908	vssvc.exe
Token: SeRestorePrivilege	2908	vssvc.exe
Token: SeAuditPrivilege	2908	vssvc.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeSecurityPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
Token: SeBackupPrivilege	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe5256.tmp

description	pid	process	target process
PID 3652 wrote to memory of 2184	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	5256.tmp
PID 3652 wrote to memory of 2184	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	5256.tmp
PID 3652 wrote to memory of 2184	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	5256.tmp
PID 3652 wrote to memory of 2184	3652	83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe	5256.tmp
PID 2184 wrote to memory of 3052	2184	5256.tmp	cmd.exe
PID 2184 wrote to memory of 3052	2184	5256.tmp	cmd.exe
PID 2184 wrote to memory of 3052	2184	5256.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe
"C:\Users\Admin\AppData\Local\Temp\83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\ProgramData\5256.tmp
"C:\ProgramData\5256.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5256.tmp >> NUL
3⤵
PID:3052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini

Filesize
129B

MD5
dbcb012e42d7c1cdab7297d74dd8a986

SHA1
4af5ba13a1869da2a37a183cb0ab1c976a1e723c

SHA256
0601c579a41d422186ac3119db98cefc3179f902731b0082f37481718a58bf9e

SHA512
eb9394463db38a206a78d69e826fb67d46c2722a3f44c10778b0f38a7dde50c17ba31d0a8fc9f2f420977412b22c2d94e0c20ca50c07954a873a4f87f3f2844e

Download Submit
C:\ProgramData\5256.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
160KB

MD5
cba8ff312f5c4a29a76665b9bdc4a9a6

SHA1
cd81c8209a860d3f53a638c9e2b0b242b97ea3e6

SHA256
7e20fc36ac071d26bbb557ed57e77a857b271e4132cf9203e11922a6176c7605

SHA512
612bc9c7b3ae35f499a8c91cf6633c49fe124fbc7fbe44e8e0e5ebc19692211098115d237568bbe16d8011e0c689c6789055e0d0c42237d83dc29b7651965797

Download Submit
C:\Users\NOokKHoMb.README.txt

Filesize
3KB

MD5
6c8e0b743ee2c75e2cf12110ff11aebb

SHA1
256c8cd86efe07b68d6aaabae22d661c681e112b

SHA256
c86e7041737c1321639307df49f3c70424423e7ae2e223082630391345238c72

SHA512
a4cfad8158d75069fecb164c6a525f2c972b7212034f98be71e4e1cbb1a3fcaf60e08d6ae4ed86792c97d9d97d3e5ffc6ad249c5e653c971552e3a98d5b8ebcb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\DDDDDDDDDDD

Filesize
129B

MD5
aef441d87e3060041f729e20db0f4f60

SHA1
f3cfab2e7c07eb5643c34ec81bbe4202822aa2eb

SHA256
b3f7d1e675890d17cb488a1a9e8659f57d5441a4846d2cedb7fc3408f8606be9

SHA512
14307b3b5f8f8cbe519b63cb41e5ee4e025ba71f792c3d78ddf0348a4ed45f99b99810daccddb620a79fb7b49c1b729f22c7a51f0adf300dc629188b32187fbb

Download Submit
memory/2184-339-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2184-338-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2184-340-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2184-342-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2184-341-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2184-371-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2184-372-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2184-376-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2184-375-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/3652-1-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/3652-0-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/3652-2-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads