Analysis

max time kernel: 147s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 12:29

Static task: static1

Behavioral task: behavioral1
  Sample: d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
  Resource: win10v2004-20240508-en
General

Target: d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
Size: 362KB
MD5: 03bb39210a95173c9c6a474853878509
SHA1: 8271693ac8f201a1e4d8db0069ed8346bd5a4867
SHA256: d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d
SHA512: d0b21104ecb9ad6fe9a904d45e6586025aa04bcf5916ec6d9b2ed90e9b87a69091f9be6ea51d185fe1db9db7fda975e538ed44de351a4ab0969e3aa440e81714
SSDEEP: 6144:lJDu8JE4WsGCv8jx/1s6L6Pk0eYq7rk5AsphFQWju5DZrnJirO5U8NUMHUz:l9u8JlLis6CeYqkxFQIu5D5nJirO5U+q
Malware Config

Extracted
  Path: C:\Users\o3LDjrpOa.README.txt
  Family: lockbit
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    89B3.tmp
      Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
  Processes:
    89B3.tmp (PID 1476)

Executes dropped EXE (1 IoC)
  Processes:
    89B3.tmp (PID 1476)
Drops desktop.ini file(s) (2 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
      File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini
      File opened for modification: C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini

Drops file in System32 directory (4 IoCs)
  Processes:
    printfilterpipelinesvc.exe
      File created: C:\Windows\system32\spool\PRINTERS\PPuo0yvld_tae9g9d0y5k83g07b.TMP
      File created: C:\Windows\system32\spool\PRINTERS\PPjlp6dop80n_0fo883l__q_zk.TMP
      File created: C:\Windows\system32\spool\PRINTERS\PP59ozau48injil4gp0zlqmeb0c.TMP
    splwow64.exe
      File created: C:\Windows\system32\spool\PRINTERS\00002.SPL

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
      Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp"
      Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600), 6 occurrences
    89B3.tmp (PID 1476), 6 occurrences
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    ONENOTE.EXE
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    ONENOTE.EXE
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Modifies Control Panel (2 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
      Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop
      Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "10"

Modifies registry class (5 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico"
      Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa"
      Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon
      Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600), 12 occurrences
    ONENOTE.EXE (PID 216), 4 occurrences

Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
    89B3.tmp (PID 1476), 26 occurrences

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600), token adjustments in order:
      SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      followed by 48 further entries alternating in pairs (SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, ...), i.e. 24 SeBackupPrivilege and 24 SeSecurityPrivilege adjustments.

Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes:
    ONENOTE.EXE (PID 216), 13 occurrences

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600) wrote to memory of PID 2188 (procid_target 95), 2 occurrences
    printfilterpipelinesvc.exe (PID 4864) wrote to memory of PID 216 (procid_target 100), 2 occurrences
    d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600) wrote to memory of PID 1476 (procid_target 101), 4 occurrences
    89B3.tmp (PID 1476) wrote to memory of PID 624 (procid_target 107), 3 occurrences
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe (PID 4600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d569da12fb9fa787609eb83d0ff07e1da2b2a336a681891375a7f0a3f654b41d.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (PID 2188)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  C:\ProgramData\89B3.tmp (PID 1476)
    Command line: "C:\ProgramData\89B3.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 624)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\89B3.tmp >> NUL

C:\Windows\system32\svchost.exe (PID 2212)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe (PID 4864)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 216)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3C8DB17B-572E-450B-AE4C-F30BFEFCBC8F}.xps" 133616321927940000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 60f6b5d2d4940e43c196571200037c00
SHA1: e8a97a4d1d501fff69d7abbcc946ad96de98a9e1
SHA256: 3c0b6c61d604cf0690321418357b2628d10c387a8d8d7a2206183824c0ff8799
SHA512: f3e0145dfbaf514b9ba44bef8b3809512fb90bdbd7eb59dc0581aaf4eb8f45140f4d890e9f6a3f363e0c7f30b092c74824eb79ad814d9e129565d4ef17d21c74

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 362KB
MD5: 80fede3d6b4932e723195c1066e0d0d5
SHA1: b71efb3da894b099940a3250a834f3c959872695
SHA256: dafbf6614a1569110b51fdc580c84e6d6d5557ffcd0b4f435325f798a2131960
SHA512: 44b0434d2ace1ab21d2c9ea48c4fe7868a24da3fa710cf2b9c62746802f0f4a2e96f2c01680a7604a36c8214944ab12a8959b5481ab89cfcb73d186bf71266fc

Filesize: 4KB
MD5: 9b2d8a61a548f9fbab0c8849461cef15
SHA1: 0a9881a997a2a34c8a4fcde5d1db4557c07f4c06
SHA256: 8dce2b0dea20e3ed9b41d9d77ae0fc367850c27ad039e17e9956613c8820fb3e
SHA512: 9ccbf46404d942c932a3013b1f77eced722dea3e6b8661bc4cab0086724d75bdfa9f73dcec5ddc30d7a2a0fbbf7df9ed8a234b4467da5a2dd84187b3fe116b2c

Filesize: 10KB
MD5: e53b73a8238ac475185a8482376aad38
SHA1: 351cdf71113e451076c712a57092a8c7f683386b
SHA256: c82de52cb9da0d31bf1dc700d7a4361e2209c249e5fff15d68c1957f12cdbc87
SHA512: dbf11448b283b8a64d280cd7fc5fa02746350677e2544dd525051ec8c24f6d6f271eb0b127a3f5d6dee16f6b5f78f66ef5d3e6ca09065da50bbb94136ec8b389

Filesize: 129B
MD5: c00a794cf90d2821cb43332b4f0c054b
SHA1: 7001b7426da7bfb0076b089fab2839d5bebe603e
SHA256: 5033494d246aad5c6f946b9a467024d46e3cb0dea739764c27aec5487ae66b27
SHA512: f698702561a8f9b61e647e78a7bb5672abf398991ff2900d66934c4e707ab901fd96906b95fc4bd74ba27569f5541d6e7f284155b8d66394663a490a5fbc08c4