Analysis
max time kernel: 144s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 10:29
Static task: static1
Behavioral task: behavioral1
Sample: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Resource: win10v2004-20240508-en
General
Target: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Size: 361KB
MD5: 93ff3e682a69781cf12b88a1892066ae
SHA1: 934a2fd88c884f7d6c544224594ef0e853efc1fe
SHA256: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f
SHA512: 6e508d8442462e16cbc693c2b3794b2cf312fc65049d2e5f11f405222161ef013ff912ee7c71ac17cd9138dfe7210d587e12730f84c1eecfb17eb81d847599fe
SSDEEP: 6144:hNM4IM8m9xa2DXkRh52DmuGAkUMRJcqUTiKb1UlfC884eRIEkxAgU+CZvz2jFtCH:5IMD9r7xDmFYMRmqsH1+q8De/kxAg3Cn
Malware Config
Extracted from: C:\Users\1YwR2c1YK.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6F92.tmp
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 6F92.tmp

Deletes itself (1 IoC)
Processes: 6F92.tmp
pid | Process
2340 | 6F92.tmp
Executes dropped EXE (1 IoC)
Processes: 6F92.tmp
pid | Process
2340 | 6F92.tmp

Drops desktop.ini file(s) (2 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1YwR2c1YK.bmp" | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1YwR2c1YK.bmp" | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe, 6F92.tmp
pid | Process
2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe (6 entries)
2340 | 6F92.tmp (6 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (2 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "10" | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe

Modifies registry class (5 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1YwR2c1YK | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1YwR2c1YK\ = "1YwR2c1YK" | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\1YwR2c1YK\DefaultIcon | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\1YwR2c1YK | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\1YwR2c1YK\DefaultIcon\ = "C:\\ProgramData\\1YwR2c1YK.ico" | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
pid | Process
2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe (12 entries)

Suspicious behavior: RenamesItself (26 IoCs)
Processes: 6F92.tmp
pid | Process
2340 | 6F92.tmp (26 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeBackupPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeDebugPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: 36 | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeImpersonatePrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeIncBasePriorityPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeIncreaseQuotaPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: 33 | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeManageVolumePrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeProfSingleProcessPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeRestorePrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeSecurityPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeSystemProfilePrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeTakeOwnershipPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeShutdownPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeDebugPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
Token: SeBackupPrivilege / Token: SeSecurityPrivilege | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe (the remaining 48 entries repeat the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege twelve times: 24 of each, all pid 2720)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe, 6F92.tmp
description | pid | Process | procid_target
PID 2720 wrote to memory of 2340 | 2720 | aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe | 95 (4 entries)
PID 2340 wrote to memory of 1008 | 2340 | 6F92.tmp | 101 (3 entries)
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa3c3863446db6a21f6f296a7c8671aa8e8df75e4899af39fde400182c4d0e5f.exe"
  PID: 2720
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\ProgramData\6F92.tmp
    Command line: "C:\ProgramData\6F92.tmp"
    PID: 2340
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6F92.tmp >> NUL
      PID: 1008
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: e4b013b8cabf07db37275b8d720bb4b5
SHA1: aa255c45fc445426fab1e9851719b3b7e6a27110
SHA256: 7b160114bd6e80e9e6065643d453fba749a8eaf7d99394b59b9eb213949f4e9c
SHA512: 351f61fde6c4deaebc2324d2fb334cac9a003846c0b66e236501f44e3b842d11e394b406af6ade6df0ee75e73184e71fa9963b5779310b350e03a692179b2e36

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 10KB
MD5: aa1fac7d90d02d98cc80490f20d83bcc
SHA1: fa9aea28c13c30fa481400c6d3735c9abe4117a5
SHA256: 0bd2d96a1d2fc414b83d6bbb600eeeb5175b1654d85aed5e08f6fabc450f5c6d
SHA512: 2c5e78da11743cebf99f4be928e5019ff751286f7d5313379387655c585f7ae18bf7c2e54d72742f8b1605fd107215ff6b70aebd243c10d4092d2ad8822e72aa

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 361KB
MD5: 8a2ff68e72b76066cca3a74c7b636b14
SHA1: c38f2ba9ae0223ef6ae216d413c6f6a1431fb786
SHA256: 3b9cb54c6208b0c25601ab9b3c0449f3dd25a5c7a78e324d9374e06590f111f5
SHA512: 2305510ecabdb25a30167c65a75bc515dfea187a8ea3ebd9b7656c6d94aa1652272f71eb4088345f45af8327cfd1cb53fb6d58821858e84e133567496f89dcd6

Filesize: 129B
MD5: 2dde68b3770e0ec5534af8d36e7183c3
SHA1: 21b16fee80d67e401dfb3c210637a29b25897f9a
SHA256: b40eea509fa45a1835d1945c26c275c18a592350f798450772ced3c0f593c750
SHA512: 0535f69c97eb3effec5f3df060b5a602f1bbf17429a384ab6dfc2697703cc199bea1350f15f7e4c9fa021a210485c43f060892147808edec735e1fef4c0ebde1