df9f2257213ba558c371752312f007084ca537a693be020d01202ca995fd1ce6

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Size

156KB
MD5

b4373babe6adc1f37cf4c0ea4e8c3633
SHA1

6c843ec38c70c7f58109108cab4ab998c9d039ed
SHA256

df9f2257213ba558c371752312f007084ca537a693be020d01202ca995fd1ce6
SHA512

438f84a8aa27720dc5732683e840b69165139d0191cfd4f46cb61a511886baa02ec5e64eb3adac8bb197232f26066f2ccbad27c2429e880942fa8287eb3615d0
SSDEEP

3072:KDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368/n5BaKkP9Y20+WEJ9W:M5d/zugZqll3tBa1E/E

Score

10^/10

defense_evasion discovery ransomware

Malware Config

Extracted

Path

C:\Users\rf9xIIM0o.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 3101C6171318A54916F8E37D5108BBDB << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2900	CC92.tmp

Executes dropped EXE 1 IoCs

pid	Process
2900	CC92.tmp

Loads dropped DLL 1 IoCs

pid	Process
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\rf9xIIM0o.bmp"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\rf9xIIM0o.bmp"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CC92.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o\DefaultIcon\ = "C:\\ProgramData\\rf9xIIM0o.ico"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf9xIIM0o	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf9xIIM0o\ = "rf9xIIM0o"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o\DefaultIcon	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp
2900	CC92.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeDebugPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: 36	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeImpersonatePrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeIncBasePriorityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeIncreaseQuotaPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: 33	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeManageVolumePrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeProfSingleProcessPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeRestorePrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSystemProfilePrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeTakeOwnershipPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeShutdownPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeDebugPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2932	vssvc.exe
Token: SeRestorePrivilege	2932	vssvc.exe
Token: SeAuditPrivilege	2932	vssvc.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2900	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	34
PID 2016 wrote to memory of 2900	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	34
PID 2016 wrote to memory of 2900	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	34
PID 2016 wrote to memory of 2900	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	34
PID 2016 wrote to memory of 2900	2016	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	34
PID 2900 wrote to memory of 1844	2900	CC92.tmp	38
PID 2900 wrote to memory of 1844	2900	CC92.tmp	38
PID 2900 wrote to memory of 1844	2900	CC92.tmp	38
PID 2900 wrote to memory of 1844	2900	CC92.tmp	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\ProgramData\CC92.tmp
  "C:\ProgramData\CC92.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC92.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini

Filesize
129B

MD5
d79fe5785f716366252196109519e7bc

SHA1
4c7d4dcb0d44aaae346ae42b92f63024f4e8b924

SHA256
8a18c65f0d29ae6bea1c054df7bed340bdb8820e6d3f295e631cff14ed2a7908

SHA512
edddefd4c87ee6fc06657f91d45feb3bff48a02e98bc9be755965f90e7471a897d85afbf04f9ab4a0350eee8385985c6decc00269a511173ae67d3f3ad73e8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
156KB

MD5
f1c3ec5544f9df4d7b37b3f274626bb6

SHA1
2e148d626e64e42def977eb029153d3f3a12a2b8

SHA256
f4022fb13dfde94222deafbd009812ec78b4d66d34b3acc92fd443f96eac5be7

SHA512
bd843883e2f5df07514fad7ec5f8ef3872efeec84ec7b392883b1c1a54303893c3fb21c14842c16c03847404346fd6e2a0dae1d76d16d59e41a33ba5748d50e5

Download Submit
C:\Users\rf9xIIM0o.README.txt

Filesize
3KB

MD5
14d9a9c0300f37b275c91f375a1656ac

SHA1
5c8aa66b92e3c65cb41c88668b1ffac914149688

SHA256
e51cbd3d4bd4dd011e6e9463a3ec26f1697925eae0fd11afd3d5f0487721ffd9

SHA512
e516f6bcee2c66ddfd48a639cf248efa4ab3ef73db8f8e6758563bd9f399e710bb055893de643b7c4dd5c98923ef485d81eb3b454860fabd33c8eb2725406de3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\DDDDDDDDDDD

Filesize
129B

MD5
1176e45536a2ed51eb36347310378ac7

SHA1
8ed5c5b337201aa4a4d28fb84672718c0129b140

SHA256
e2d2c28a447f987c95f1b9310aa80e0a0f6a2bffb9cd30786f25c6683fd2df73

SHA512
9c85826c07eee67632ae6e99c4f6e12ecc3831020f5b8666f28923bcbdcf1532d565ae82dee985d91a9ccb4315567d0a7d3a12d951e43c67d3b00b57fd2cc1f4

Download Submit
\ProgramData\CC92.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2016-0-0x0000000000E90000-0x0000000000ED0000-memory.dmp

Filesize
256KB

Download
memory/2900-294-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/2900-296-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2900-295-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2900-293-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2900-327-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2900-328-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download