Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 06:32
Static task: static1
Behavioral task: behavioral1
  Sample: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
  Resource: win10v2004-20240508-en
General
Target: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Size: 356KB
MD5: 277068c3d1ec38c4712e695eeafb6a9c
SHA1: 92c495cd8f63ddbc7e28efc33246b20bb4fbe2ad
SHA256: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d
SHA512: f620b16d9b5b074d784d5943989fce40b8b68ec152523dbf7cc7daf4a6c7acfe18809f868593081a8e4bb9f4ae4e67ce63843f8c9a068d557e63ad2da31aef88
SSDEEP: 6144:/ulLZM3j7QmPbWDSKwNhzygoEwto7J5OWm0+/WXHhQ3vgmqA8Oi4qQ79xJSQ:/eWHBWSZvzyNe7JMFuS18y59CQ
Malware Config
Extracted
C:\MCgwFy7Y6.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (592) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 85BB.tmp
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 85BB.tmp
Deletes itself 1 IoCs
Processes: 85BB.tmp
pid | Process
3036 | 85BB.tmp
Executes dropped EXE 1 IoCs
Processes: 85BB.tmp
pid | Process
3036 | 85BB.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Drops file in System32 directory 4 IoCs
Processes: printfilterpipelinesvc.exe, splwow64.exe
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\PPfcz4ulivjwy102n5krbao19u.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP7ym2lmdm8ypkb7kmh5k1_si0b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPl0r104af_8vm0aowxx5vr0le.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MCgwFy7Y6.bmp" | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MCgwFy7Y6.bmp" | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: 85BB.tmp
pid | Process
3036 | 85BB.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: ONENOTE.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Modifies Control Panel 2 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "10" | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Modifies registry class 5 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.MCgwFy7Y6 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.MCgwFy7Y6\ = "MCgwFy7Y6" | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6\DefaultIcon | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6\DefaultIcon\ = "C:\\ProgramData\\MCgwFy7Y6.ico" | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
pid | Process
848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
(this row is repeated 64 times, one per IoC)
Suspicious behavior: RenamesItself 26 IoCs
Processes: 85BB.tmp
pid | Process
3036 | 85BB.tmp
(this row is repeated 26 times, one per IoC)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeBackupPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeDebugPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: 36 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeImpersonatePrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeIncBasePriorityPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeIncreaseQuotaPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: 33 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeManageVolumePrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeProfSingleProcessPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeRestorePrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeSecurityPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeSystemProfilePrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeTakeOwnershipPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeShutdownPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeDebugPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
(the following four rows are repeated 12 times in this order, giving 64 rows in total)
Token: SeBackupPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeBackupPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeSecurityPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Token: SeSecurityPrivilege | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
Suspicious use of SetWindowsHookEx 13 IoCs
Processes: ONENOTE.EXE
pid | Process
912 | ONENOTE.EXE
(this row is repeated 13 times, one per IoC)
Suspicious use of WriteProcessMemory 11 IoCs
Processes: cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe, printfilterpipelinesvc.exe, 85BB.tmp
description | pid | Process | procid_target
PID 848 wrote to memory of 2196 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 92
PID 848 wrote to memory of 2196 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 92
PID 216 wrote to memory of 912 | 216 | printfilterpipelinesvc.exe | 97
PID 216 wrote to memory of 912 | 216 | printfilterpipelinesvc.exe | 97
PID 848 wrote to memory of 3036 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 98
PID 848 wrote to memory of 3036 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 98
PID 848 wrote to memory of 3036 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 98
PID 848 wrote to memory of 3036 | 848 | cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe | 98
PID 3036 wrote to memory of 1404 | 3036 | 85BB.tmp | 99
PID 3036 wrote to memory of 1404 | 3036 | 85BB.tmp | 99
PID 3036 wrote to memory of 1404 | 3036 | 85BB.tmp | 99
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cf3db033ddbcf46748703496d3725309b0dfd76d86a8158d9bf7823b97a72e8d.exe"
    PID: 848
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\splwow64.exe
        command line: C:\Windows\splwow64.exe 12288
        PID: 2196
        - Drops file in System32 directory
    [depth 2] C:\ProgramData\85BB.tmp
        command line: "C:\ProgramData\85BB.tmp"
        PID: 3036
        - Checks computer location settings
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\85BB.tmp >> NUL
            PID: 1404
[depth 1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 2772
[depth 1] C:\Windows\system32\printfilterpipelinesvc.exe
    command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    PID: 216
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{60FE7DE4-136C-4B79-9FAC-5C9B528C18D5}.xps" 133616107638780000
        PID: 912
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129B
MD5: d0d5518fa9be03a66f848dfb54d9f7ac
SHA1: 4cd6940211a3a68d18e42a49f25b95a7a3df7c0c
SHA256: 3f2b768fbb6b25a71be528642703ea28002fcc944e1966bc95f57f9085926c9a
SHA512: 8946324049a4bc131d0ae4bf564f0a29213f843f00f57019937c5b9249c5dcceb3e808e0b03df72d40f8d215190d2820ce606b8985ac4fe61cc279012273726f

Filesize: 6KB
MD5: 8546c4c2613567bcbb9afccb46bd1b73
SHA1: 171b699f856238f09cfa9dea5862c8484f28b17b
SHA256: 0c97f5f8f8905dff541acd96a4e57ff687b15f1c56b94aa27f773c6bdec9ebfa
SHA512: 466b18c891ab987226b5be5af4f10609131ab774296dd3c446eba2e1b129f022b1b0db24a1fbd8842dd391fcad51e9347d56495ee98a3790af8551995926643c

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 356KB
MD5: 45730945b138e4fcbd299ce67fad276e
SHA1: aa42b7ada933fa9736d8e3a530fd121d3bf4ff69
SHA256: c6b8cf03832386a95c7cb66ef8567611bbcbd6de91a3de02c9723805c5bfc461
SHA512: 9ae4ac223be88443eb014675d0133d6fb131293af43b1b83bcc248dda5e0ae0720c9688e586bceb01c2c280a13994383fd5945d749bfaa2e05e7aff0a914f3fa

Filesize: 4KB
MD5: 625a76bf1fc0fa052a2e9259a86c9796
SHA1: 75ffdffd1cbc114f555ce2d1e4ad801e11813525
SHA256: f300a444ad1253ff0c1576831dbe1653c342d979e2a806dea2a1100e5467e670
SHA512: 3f08d99d87b9ed7c22d9d43026b36ebd9244d655b916d614478636d521a93f1725e03a3b390f531a5b916cd1d6251e02cc344bf66b31143fffa4b2fde369daa0

Filesize: 4KB
MD5: c32d8913bb56fe319f21ac7111b63ef7
SHA1: 9de02eb65c05ee7b9e65f8ee35529227520888e2
SHA256: 3fc1327ee5ac2ac195ad88fd83f28ff5b533a7914326bd36f35a3ce7a6a03566
SHA512: d17ec9c69502be826dc452364ff71d4d21ecb8af68b002951f03c6c33db9f7da22df8c73b31a9957a6a6c86de5bb7766d0189313cf1b8023a1d4e52394c6faed

Filesize: 129B
MD5: e5d69d2220f6bd6e87b60e4655afdf68
SHA1: 6282aa1a206fc01fabc0c85835a1b007b63859a4
SHA256: 5eb7210bb2a58b0ba12790c459af7dcf9e5c8d1b4830783b0ddf39744b83a701
SHA512: f3f747de199e4809ac954c735abf21af4a2bc6596c0ec1f044aee89a3f2a76c8b569b922cf46f539717d8ebd3c0d98eef185a40156833894132289209ecf735a