Analysis

max time kernel: 146s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 08:36

Static task: static1

Behavioral task: behavioral1
  Sample: f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  Resource: win10v2004-20240426-en

General

Target: f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
Size: 356KB
MD5: e3def5511bcc25dc39a3b0ef72a211e3
SHA1: 36125aefe24b86c2692a3b4a23efc4fd9016c031
SHA256: f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7
SHA512: 3555d67fa9cf6db180799cabb38c47f3722d404f4df6738fd96ac9376d8710d165a4c65266eb8dc76f02ac3809c90b68c0cd41e4114815c511775060024cddbf
SSDEEP: 6144:2U2EJrZ5g9ggTjwLJc1i8WUrcIOVVK5JZpe9Yg9ZuysvBXfCxG6Ob0q6ynU7zLNf:cEJ09lE2occLgzqZzHs5vCRa0WnUfJSJ
Malware Config

Extracted from: C:\3HBMS7YgC.README.txt
Family: lockbit
Signatures

- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Renames multiple (600) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | Process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 6310.tmp
- Deletes itself (1 IoC)
  Processes (pid | Process):
  - 4676 | 6310.tmp
- Executes dropped EXE (1 IoC)
  Processes (pid | Process):
  - 4676 | 6310.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description | ioc | Process):
  - File opened for modification | C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | Process):
  - File created | C:\Windows\system32\spool\PRINTERS\PP60tyfttp8szz94isor_xj0vg.TMP | printfilterpipelinesvc.exe
  - File created | C:\Windows\system32\spool\PRINTERS\PP129b6fm3w1nnkz5n0a_wp19ob.TMP | printfilterpipelinesvc.exe
  - File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  - File created | C:\Windows\system32\spool\PRINTERS\PPnny2ybdakxmoczeo8gbpce1e.TMP | printfilterpipelinesvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | Process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3HBMS7YgC.bmp" | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3HBMS7YgC.bmp" | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | Process):
  - 4676 | 6310.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | Process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | Process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
- Modifies Control Panel (2 IoCs)
  Processes (description | ioc | Process):
  - Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "10" | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
- Modifies registry class (5 IoCs)
  Processes (description | ioc | Process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3HBMS7YgC | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\3HBMS7YgC\DefaultIcon\ = "C:\\ProgramData\\3HBMS7YgC.ico" | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3HBMS7YgC | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3HBMS7YgC\ = "3HBMS7YgC" | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3HBMS7YgC\DefaultIcon | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process):
  - 772 | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe (all 64 IoCs are repeated occurrences of this one process)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes (pid | Process):
  - 4676 | 6310.tmp (all 26 IoCs are repeated occurrences of this one process)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: all IoCs are pid 772, f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  Tokens adjusted (description), in order of first occurrence:
  - Token: SeAssignPrimaryTokenPrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
  - Token: 36
  - Token: SeImpersonatePrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: 33
  - Token: SeManageVolumePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeRestorePrivilege
  - Token: SeSecurityPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeShutdownPrivilege
  The remaining IoCs (up to the 64 listed) are repeated SeDebugPrivilege, SeBackupPrivilege and SeSecurityPrivilege adjustments by the same process.
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes (pid | Process):
  - 3588 | ONENOTE.EXE (all 13 IoCs are repeated occurrences of this one process)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | Process | procid_target):
  - PID 772 wrote to memory of 3984 | 772 | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe | 90 (2 IoCs)
  - PID 1868 wrote to memory of 3588 | 1868 | printfilterpipelinesvc.exe | 95 (2 IoCs)
  - PID 772 wrote to memory of 4676 | 772 | f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe | 96 (4 IoCs)
  - PID 4676 wrote to memory of 4700 | 4676 | 6310.tmp | 97 (3 IoCs)
Processes

- PID 772: C:\Users\Admin\AppData\Local\Temp\f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8dc0023784da2049fdb5dd187ce4b92832518e89dbb467a016a4daaa06718d7.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - PID 3984: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    Signatures:
    - Drops file in System32 directory
  - PID 4676: C:\ProgramData\6310.tmp
    Command line: "C:\ProgramData\6310.tmp"
    Signatures:
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Children:
    - PID 4700: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6310.tmp >> NUL
- PID 3304: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- PID 1868: C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - PID 3588: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{685AB7DB-2F73-4DBA-BC86-12B879C99116}.xps" 133616182042850000
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads