Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 09:36

Static task: static1
Behavioral task behavioral1
Sample: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe
Resource: win10v2004-20240508-en
The signatures, process tree and dropped files below are from the Windows 10 run (behavioral2); the Windows 7 run is not reproduced on this page.
General
Target: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe
Size: 362KB
MD5: 7e064da559216f888c487648ab6d0047
SHA1: 54725179097947199b249b8deef4565e73151603
SHA256: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388
SHA512: 89a6f380e2ee7eab04b8a087d168d320dbfca3a50253eb2f1fcc264517ca19e1a376cada60f5274151a84c695577805ba0fa8f0e6ef9e2079e11f27a45763932
SSDEEP: 6144:1N9JuegRZ+Rpbe3xwvG854HhNOP+msxvElWGQLajLjXg+Bdx6vHGBl/+n:1Ev+RteMGzNOUdGQLoLjXnDxAiQ
Malware Config
Extracted from: C:\Users\yoxe0MdFZ.README.txt (the dropped ransom note; yoxe0MdFZ is the same per-victim token that the sample registers as a file extension under HKLM\SOFTWARE\Classes, see Signatures)
Family: lockbit
URLs found in the note (the .onion.ly entries are clearnet proxies for the .onion addresses above them, not Tor addresses themselves):
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
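Before the addresses above go into a blocklist it is worth checking that they are well-formed Tor v3 addresses, because a single mistyped character produces an indicator that blocks nothing. The script below is an added example, not code from the report or the sandbox: it parses a subset of the URL list copied from the config, separates real .onion addresses from clearnet .onion.ly proxies and ordinary web links, and verifies each 56-character label against Tor's v3 rule (label = base32(PUBKEY || CHECKSUM || VERSION), CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03). Only the standard library is used.

```python
"""Validate the Tor v3 addresses from the extracted LockBit config before blocking them.

Added example, not code from the report or the sandbox. CONFIG_URLS is a subset copied
from the report's Malware Config. The checksum rule implemented in check_v3() is Tor's
rend-spec-v3 address format:
    label    = base32(PUBKEY || CHECKSUM || VERSION)   (32 + 2 + 1 bytes = 56 chars)
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2],  VERSION = 0x03
"""
import base64
import hashlib
import re

CONFIG_URLS = [
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion",
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion",
    "http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion",
    "http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion",
    "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion",
    "http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion",
    "http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion",
    "http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion",
    "http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion",
    "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly",
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly",
    "https://twitter.com/hashtag/lockbit?f=live",
    "https://gdpr.eu/what-is-gdpr/",
]

# 56 base32 characters, ".onion", optionally a clearnet proxy suffix such as ".ly"
ONION_URL_RE = re.compile(r"^https?://([a-z2-7]{56})\.onion(\.[a-z0-9.-]+)?(?:[/:?].*)?$", re.I)


def check_v3(label):
    """Return 'ok', 'bad-format', 'bad-version' or 'bad-checksum' for a 56-char onion label."""
    label = label.lower()
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return "bad-format"
    raw = base64.b32decode(label.upper())          # 35 bytes; 56 chars need no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return "bad-version"
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return "ok" if checksum == expected else "bad-checksum"


def classify(url):
    """Return (kind, label, status).

    kind is 'onion' (Tor address), 'onion-proxy' (clearnet mirror such as .onion.ly,
    which should be blocked as a hostname, not treated as a Tor indicator) or 'clearnet';
    status is check_v3() of the label, or 'n/a' for clearnet URLs."""
    m = ONION_URL_RE.match(url)
    if not m:
        return ("clearnet", None, "n/a")
    label = m.group(1).lower()
    kind = "onion-proxy" if m.group(2) else "onion"
    return (kind, label, check_v3(label))


def triage(urls):
    """Group URLs by (kind, status) so anything that fails validation stands out."""
    groups = {}
    for url in urls:
        kind, _, status = classify(url)
        groups.setdefault((kind, status), []).append(url)
    return groups


if __name__ == "__main__":
    for key, group in sorted(triage(CONFIG_URLS).items()):
        print(key, len(group))
        for url in group:
            print("   ", url)
```

Any address that comes back as bad-checksum or bad-version was either transcribed wrongly or is not a v3 address at all and should be re-checked against the sample before it is distributed; the proxy hostnames are worth blocking in their own right, since a victim without Tor will reach the operators through them.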
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: 7948.tmp (PID 4924)
  Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Process: 7948.tmp (PID 4924)

Executes dropped EXE 1 IoCs
Process: 7948.tmp (PID 4924), written to C:\ProgramData by the sample and launched from there
Drops desktop.ini file(s) 2 IoCs
Process: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (PID 2672)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini
The F: entry shows the encryptor walking a second mounted volume as well as the system drive, which is what the "Enumerates physical storage devices" signature below records.
Drops file in System32 directory 4 IoCs
Processes: splwow64.exe (PID 1148), printfilterpipelinesvc.exe (PID 1980)
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPp95v1kaxf67fex_pr0c_500wb.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPs92xq39_qkl767evpzu6fragb.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPtfwvtcd1uxp7lsy2ptdey464d.TMP (printfilterpipelinesvc.exe)
These are print-spooler artefacts of a job the sample submitted through its splwow64.exe child (see the process tree), not files the sample wrote itself.
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Process: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (PID 2672)
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\yoxe0MdFZ.bmp"
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\yoxe0MdFZ.bmp"
The two writes differ only in the case of the value name; registry value names are case-insensitive, so this is one value written twice, pointing at a bitmap dropped to C:\ProgramData under the same per-victim token as the extension and ransom note.
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
  PID 2672 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (6 calls)
  PID 4924 7948.tmp (1 call)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Process: ONENOTE.EXE (PID 1424)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry 2 TTPs 3 IoCs
Process: ONENOTE.EXE (PID 1424)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Both signatures fire on ONENOTE.EXE, which the print pipeline started (see the process tree), not on the sample or its dropped .tmp. They record Office's own hardware reads at start-up and are not evidence of sandbox evasion by the malware.
Modifies Control Panel 2 IoCs
Process: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (PID 2672)
  Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\WallpaperStyle = "10" (10 = Fill, so the dropped bitmap covers the screen)
Modifies registry class 5 IoCs
Process: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (PID 2672)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\yoxe0MdFZ\DefaultIcon\ = "C:\\ProgramData\\yoxe0MdFZ.ico"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.yoxe0MdFZ
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.yoxe0MdFZ\ = "yoxe0MdFZ"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\yoxe0MdFZ\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\yoxe0MdFZ\DefaultIcon
This registers .yoxe0MdFZ as a file type whose icon is the dropped C:\ProgramData\yoxe0MdFZ.ico, so encrypted files show the ransomware's icon in Explorer. The token is per-sample (it also names the ransom note yoxe0MdFZ.README.txt and the wallpaper bitmap), so a detection should key on the pattern, a short random extension registered under HKLM\SOFTWARE\Classes with a DefaultIcon under C:\ProgramData, rather than on this particular value.
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  PID 2672 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (12 events)
  PID 1424 ONENOTE.EXE (2 events)
Suspicious behavior: RenamesItself 26 IoCs
Process: 7948.tmp (PID 4924), 26 rename operations
Twenty-six renames is one per letter of the alphabet. Read together with "Deletes itself" and the 362KB file with a name made of repeated E's under Downloads (same size as the sample, different hash), this is consistent with the sample's self-wipe: 7948.tmp overwrites the original executable and cycles it through throw-away names before the copy is removed and cmd.exe deletes the .tmp.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Process: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe (PID 2672)
Privileges adjusted, in the order recorded (entries 1 to 16):
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, LUID 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, LUID 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
Entries 17 to 64: SeBackupPrivilege and SeSecurityPrivilege, adjusted alternately in pairs (24 adjustments of each).
The two privileges the sandbox could only print by LUID are, in the standard Windows privilege table, 33 = SeIncreaseWorkingSetPrivilege and 36 = SeDelegateSessionUserImpersonatePrivilege. The opening burst is the full set the sample asks for up front; the repeated SeBackupPrivilege/SeSecurityPrivilege pairs afterwards are consistent with the encryption loop re-asserting backup semantics so it can open files and directories regardless of their ACLs.
Suspicious use of SetWindowsHookEx 13 IoCs
Process: ONENOTE.EXE (PID 1424), 13 calls (Office, not the sample)
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe, printfilterpipelinesvc.exe, 7948.tmp
  PID 2672 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe wrote to memory of PID 1148 splwow64.exe: 2 events (procid_target 86)
  PID 1980 printfilterpipelinesvc.exe wrote to memory of PID 1424 ONENOTE.EXE: 2 events (procid_target 92)
  PID 2672 9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe wrote to memory of PID 4924 7948.tmp: 4 events (procid_target 93)
  PID 4924 7948.tmp wrote to memory of PID 2044 cmd.exe: 3 events (procid_target 94)
Every target is the writer's own newly created child (see the process tree); there is no write into a pre-existing or unrelated process, so this looks like process start-up rather than injection.
Processes

C:\Users\Admin\AppData\Local\Temp\9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe  (PID 2672)
  command line: "C:\Users\Admin\AppData\Local\Temp\9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  (PID 1148)
      command line: C:\Windows\splwow64.exe 12288
      - Drops file in System32 directory
    C:\ProgramData\7948.tmp  (PID 4924)
      command line: "C:\ProgramData\7948.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 2044)
          command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7948.tmp >> NUL

C:\Windows\system32\svchost.exe  (PID 4944)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe  (PID 1980)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE  (PID 1424)
      command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EB336537-4821-408B-931B-9688FE6DF1CD}.xps" 133616218237300000
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

Two things in this tree matter for detection. First, the self-delete helper (PID 2044) runs from C:\Windows\SysWOW64\cmd.exe although its command line names C:\Windows\System32\cmd.exe: 7948.tmp is a 32-bit process (the resource tags list arch:x86 alongside x64) and file-system redirection rewrote the path, so a rule keyed on the image path must accept both locations. The 8.3 name C:\PROGRA~3 in the DEL command resolves to C:\ProgramData here, since the parent itself runs from C:\ProgramData\7948.tmp. Second, the splwow64.exe child, the spool files under system32\spool\PRINTERS and the printfilterpipelinesvc.exe to ONENOTE.EXE /insertdoc chain are what the Windows print path produces when a process prints to the Send to OneNote target, presumably the default printer on this VM. The sample therefore submitted a print job; LockBit is known for printing its ransom note on every available printer, although the content of this job is not recorded on the page. Everything attributed to ONENOTE.EXE is a side effect of that job, not activity of the malware.
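The behaviours recorded above (random extension registered under HKLM\SOFTWARE\Classes with an icon in C:\ProgramData, wallpaper swapped to a ProgramData bitmap, a dropped .tmp reading Geo\Nation, and cmd.exe deleting its own parent) are easy to turn into host detections. The script below is an added example and not code from the report, the sandbox or LockBit: it runs four such rules plus a correlation step over a constructed list of Sysmon-style events (EventID 1 ProcessCreate, 12/13 RegistryEvent) that mirror this report's registry keys, paths and PIDs, with some benign noise mixed in. The 9-character mixed-case token heuristic is taken from this one sample and is an assumption, not a documented LockBit constant.

```python
"""Detection logic for the host artefacts in this report, run over Sysmon-style events.

Added example; not code from the report, the sandbox or LockBit. EVENTS is constructed to
mirror the report's IoCs (its registry keys, paths, PIDs and the yoxe0MdFZ token) plus
benign noise; it is not captured telemetry. Field names follow Sysmon EventID 1
(ProcessCreate) and 12/13 (RegistryEvent). The 9-character mixed-case token heuristic is
taken from this one sample and is an assumption, not a documented LockBit constant."""
import re
from pathlib import PureWindowsPath

SID = "S-1-5-21-2539840389-1261165778-1087677076-1000"          # user SID from the report
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9a5e9e472e27302d1268777726659f64ed9f0d9061877cd6dda1d31eb8ed6388.exe")
DROPPER = r"C:\ProgramData\7948.tmp"

EVENTS = [  # constructed to match the report
    # "Modifies registry class": per-victim extension and its icon
    {"id": 13, "pid": 2672, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\.yoxe0MdFZ\(Default)", "details": "yoxe0MdFZ"},
    {"id": 13, "pid": 2672, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\yoxe0MdFZ\DefaultIcon\(Default)",
     "details": r"C:\ProgramData\yoxe0MdFZ.ico"},
    # "Sets desktop wallpaper using registry"
    {"id": 13, "pid": 2672, "image": SAMPLE,
     "target": rf"HKU\{SID}\Control Panel\Desktop\WallPaper",
     "details": r"C:\ProgramData\yoxe0MdFZ.bmp"},
    # "Executes dropped EXE", "Checks computer location settings", "Deletes itself"
    {"id": 1, "pid": 4924, "ppid": 2672, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 12, "pid": 4924, "image": DROPPER,
     "target": rf"HKU\{SID}\Control Panel\International\Geo\Nation"},
    {"id": 1, "pid": 2044, "ppid": 4924, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7948.tmp >> NUL'},
    # benign noise the rules must stay quiet on
    {"id": 13, "pid": 900, "image": r"C:\Windows\explorer.exe",
     "target": rf"HKU\{SID}\Control Panel\Desktop\WallPaper",
     "details": r"C:\Users\Admin\Pictures\beach.jpg"},
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Program Files\Foo\setup.exe",
     "cmdline": r'"C:\Program Files\Foo\setup.exe" /S'},
    {"id": 13, "pid": 5000, "image": r"C:\Program Files\Foo\setup.exe",
     "target": r"HKLM\SOFTWARE\Classes\.foo\(Default)", "details": "foofile"},
    {"id": 1, "pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\setup.log'},
]

TOKEN_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{9}$")   # heuristic from this sample
EXT_KEY_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\\.([^\\]+)\\\(Default\)$", re.I)
DEL_RE = re.compile(r"/C\s+DEL\s+/F\s+/Q\s+(\S+)", re.I)
WALLPAPER_SETTERS = {"explorer.exe", "systemsettings.exe", "rundll32.exe"}   # usual legitimate writers


def _name(path):
    return PureWindowsPath(path).name.lower()       # basename only: copes with 8.3 and WOW64 paths


def _in_programdata(path):
    return path.lower().startswith("c:\\programdata\\")


def detect(events):
    """Return findings as dicts with a 'rule', the acting 'pid' and the evidence."""
    findings, tokens, icons, wallpapers = [], {}, {}, {}
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 13:
            m = EXT_KEY_RE.match(e["target"])
            if m and TOKEN_RE.match(m.group(1)):            # random extension registered machine-wide
                tokens[m.group(1)] = e["pid"]
                findings.append({"rule": "random_extension_registered", "pid": e["pid"], "token": m.group(1)})
            if e["target"].lower().endswith("\\defaulticon\\(default)") and _in_programdata(e["details"]):
                icons[_name(e["details"])] = e["pid"]        # file-type icon served from ProgramData
            if (e["target"].lower().endswith("\\control panel\\desktop\\wallpaper")
                    and _in_programdata(e["details"]) and _name(e["image"]) not in WALLPAPER_SETTERS):
                wallpapers[_name(e["details"])] = e["pid"]
                findings.append({"rule": "wallpaper_from_programdata", "pid": e["pid"], "path": e["details"]})
        if (e["id"] in (12, 13) and e["target"].lower().endswith("\\international\\geo\\nation")
                and _name(e["image"]).endswith(".tmp")):       # locale lookup by a dropped .tmp binary
            findings.append({"rule": "geofence_lookup_by_dropped_tmp", "pid": e["pid"], "image": e["image"]})
        if e["id"] == 1 and _name(e["image"]) == "cmd.exe":
            m, parent = DEL_RE.search(e["cmdline"]), procs.get(e.get("ppid"))
            if m and parent and _name(m.group(1)) == _name(parent["image"]):   # cmd deleting its own parent
                findings.append({"rule": "self_delete_via_cmd", "pid": e["pid"],
                                 "parent_pid": parent["pid"], "target": m.group(1)})
    for token, pid in tokens.items():                          # tie extension, icon and wallpaper together
        icon, wallpaper = f"{token}.ico".lower(), f"{token}.bmp".lower()
        if icon in icons and wallpaper in wallpapers:
            findings.append({"rule": "extension_token_correlated", "pid": pid,
                             "token": token, "icon": icon, "wallpaper": wallpaper})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The correlation step is the one worth keeping even if the individual rules are tuned down: a single process that registers a new extension, drops that extension's icon to C:\ProgramData and points the wallpaper at a bitmap with the same name has done three things only a ransomware note-and-branding routine does together. Comparing basenames rather than full paths in the self-delete rule is what makes it survive both the C:\PROGRA~3 short name and the SysWOW64 image path seen in this run.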
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: f5ed924023ba1dece54f9b4b6101023f
SHA1: 5b12ec204592fbed80fd9e4de47029c0b6403f75
SHA256: c5aae4dd8097df8b42344aa97fade639911b90b8b2380e82341290e8833cd470
SHA512: 5cd595e829886319b0f70257736d357dc29681c22ca2b0d1b4af32355cbd859a311c3e306544922d74695e2ea725edd3284ed40394d8ff959b16c46e003cfb6b

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Filesize: 362KB
MD5: bf39ce96aa7450c3f113ffd590ece68c
SHA1: f6a25a05b5dadf71a5084812a3ad89effb5f4ffa
SHA256: bb6837f0fc299db5b289739d6b42010055719a90d9be0f789633bfd36501bbfa
SHA512: b4d5b263e332431c9983754b6f3a586a37b2f368d3069f2fbe539338c576ae9755732995073e66acc1b553a8b32e39de86e5d67f40bfc85074a54e3ab3605303
This is the sample's own image after the self-wipe: it sits in the sample's directory, has the sample's size (362KB) but a different hash, and carries one of the throw-away names that the 26 rename operations by 7948.tmp cycled through. The on-disk copy on an infected host is therefore not the original binary; use the submitted file for analysis.

Filesize: 4KB
MD5: cc02e315fc443e2d4e809b9660b6897a
SHA1: dfd05150101a3206c0034fcb4b723f45ad2c0205
SHA256: dd2f8bdfbc2404cb9d8b6c41e5d8992c578943d0e33b55ad4fe55ebbe73eae92
SHA512: a325e5154d891a06435506a5abbc21d1832b97755c0ea46a8dcd749a30f762e9d0e4a15c270c8912123161c89b1af8edd658756688fff664f11d76fde5d8601e

Filesize: 4KB
MD5: 1956a6cbf24ceb7e18d2449ccc97319f
SHA1: febdba89b11112420c252e0a846e13ff3534af5e
SHA256: 8cecdbb7a780bd06d74f237edbed0aae9b81c2bca66ed117bf8a7810d604dd77
SHA512: 809bbbcf3a1e56ef09f0ce122137c4c096e46bb1c8dfa2a0dfde125a778bb7c38557fed9bd9d6f286894827f5c0a77539bf15fb37c7162ff6569a42c634e3261

Filesize: 10KB
MD5: e0a15960ede912034e77431079d43256
SHA1: ccd4a901353e5b7c5dbe875a8952232f40cc7304
SHA256: a4ba16ed2ce78098d26c4b51552448a92a7e8d51c427295fc7caa95a1d3fe108
SHA512: 5470e72e20a9250c3dcb3966b5de496a5bf0086807eb12d82affdb305121e535cfc7b47a2db04fd528410b06efbc88cdaff2b9b2a434198b9e269809e9257f7f

Filesize: 129B
MD5: 222d957e5b9a57dddd9392abafbef0ca
SHA1: 8f35d20d615911ff51afc963f6761bdf6fe0e47c
SHA256: f99d116927536ea7dbbd1f7d4a75a1356bd977984b2b0ac49a1d1e7354032a5e
SHA512: 291126423ed58867520651c1fb8f94d1a736d6407c34133ca85775fea5adac58b032edac38b96eb6de3e22a8ea1085a05b47ba298087d7cb6a3061e88e96ab15