8ff70b14c79a3030f28ecdc49bee79f7ee662c811c1dc9589ad9e37fdca38000

Analysis

max time kernel
77s
max time network
38s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Size

156KB
MD5

827fd84e6c235dbb400442390a538441
SHA1

f88eafeeb71837534f32d7de483497d8d74fb279
SHA256

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea
SHA512

4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b
SSDEEP

3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECEA4002B953BED8E9A << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2920	F72B.tmp

Executes dropped EXE 1 IoCs

pid	Process
2920	F72B.tmp

Loads dropped DLL 1 IoCs

pid	Process
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bMHeBJMks.bmp"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bMHeBJMks.bmp"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks\ = "bMHeBJMks"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon\ = "C:\\ProgramData\\bMHeBJMks.ico"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp
2920	F72B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeDebugPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: 36	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeImpersonatePrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeIncBasePriorityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeIncreaseQuotaPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: 33	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeManageVolumePrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeProfSingleProcessPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeRestorePrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSystemProfilePrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeTakeOwnershipPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeShutdownPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeDebugPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2920	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	34
PID 2120 wrote to memory of 2920	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	34
PID 2120 wrote to memory of 2920	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	34
PID 2120 wrote to memory of 2920	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	34
PID 2120 wrote to memory of 2920	2120	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
"C:\Users\Admin\AppData\Local\Temp\7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\ProgramData\F72B.tmp
  "C:\ProgramData\F72B.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\AAAAAAAAAAA

Filesize
129B

MD5
fc73e2c3875b518812cf37038c166971

SHA1
b8da17f868c81e8c88b9c6df7171d68f8d6d536a

SHA256
f5284eaa39b164e208c1eb206111aab25c10551ad6f449c6a6e4b54a5341e0b2

SHA512
becb885f61075f81dfd924202b41f8f08ce7957a49666488715d926f73f28965c4bb46bd3a82c15409cdc43634103d3bd92bf603c4c27e693522c2035a66b8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
156KB

MD5
1cb9ee7cd5daaada761164a81b4294c6

SHA1
1f3c8d9d9c1411e79b3b6e2c03a5516ab5c34df1

SHA256
cdac026ee20eb730814c46f169b8569b69b51ad62f0dd61054dd7de839194019

SHA512
36787b4fec58b1c4363664f8455450ce339c53c73698a9991823e6c635ef61dc78744eabbca676fa286cf2034d4a373545855239c41fdb1bf22e2524d10f7cf0

Download Submit
C:\Users\bMHeBJMks.README.txt

Filesize
2KB

MD5
b91cfff5e448429226843ea9b26c21fb

SHA1
4f640969b9aab6f514975b8f7140f48af51b05fb

SHA256
f3ead46432ffebb864a244dc0849384732628df648c31f70a5e783daa0140191

SHA512
fc7d8ce8127520f4907500e2a2eddb6fb0827af54f4f1878a7ca6d9c0ae4e74b1b154da07c404751efa15a68e101fe6caeb62ea385fa0dcd1d62bbb3613db140

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD

Filesize
129B

MD5
7291728b2dfddbb2fc9d63dfd41266cb

SHA1
e3acb756e6567ba1018693b4e30a70389454af6f

SHA256
e91240c5c82c192f56e8ff857b645aaa898f56c98ed78612cde8a68c47959645

SHA512
5dea1f8f8630bd016c53b42c049e32d376e71bbcde0d84170a0197adbecf73c79f8cb2cc336305c9e9b6c184dac49a701f02dfe5b86c28adedf905641ac7b6f2

Download Submit
\ProgramData\F72B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2120-0-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/2920-296-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2920-298-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2920-327-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download