df9f2257213ba558c371752312f007084ca537a693be020d01202ca995fd1ce6

Analysis

max time kernel
130s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Size

156KB
MD5

b4373babe6adc1f37cf4c0ea4e8c3633
SHA1

6c843ec38c70c7f58109108cab4ab998c9d039ed
SHA256

df9f2257213ba558c371752312f007084ca537a693be020d01202ca995fd1ce6
SHA512

438f84a8aa27720dc5732683e840b69165139d0191cfd4f46cb61a511886baa02ec5e64eb3adac8bb197232f26066f2ccbad27c2429e880942fa8287eb3615d0
SSDEEP

3072:KDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368/n5BaKkP9Y20+WEJ9W:M5d/zugZqll3tBa1E/E

Score

10^/10

defense_evasion discovery ransomware

Malware Config

Extracted

Path

C:\Users\rf9xIIM0o.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 3101C6171318A549A161A05DBD7B92E0 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	5E09.tmp

Deletes itself 1 IoCs

pid	Process
2468	5E09.tmp

Executes dropped EXE 1 IoCs

pid	Process
2468	5E09.tmp

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\rf9xIIM0o.bmp"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\rf9xIIM0o.bmp"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5E09.tmp

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o\DefaultIcon\ = "C:\\ProgramData\\rf9xIIM0o.ico"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf9xIIM0o	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf9xIIM0o\ = "rf9xIIM0o"	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rf9xIIM0o\DefaultIcon	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp
2468	5E09.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeDebugPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: 36	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeImpersonatePrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeIncBasePriorityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeIncreaseQuotaPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: 33	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeManageVolumePrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeProfSingleProcessPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeRestorePrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSystemProfilePrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeTakeOwnershipPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeShutdownPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeDebugPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeSecurityPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
Token: SeBackupPrivilege	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2468	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	97
PID 2076 wrote to memory of 2468	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	97
PID 2076 wrote to memory of 2468	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	97
PID 2076 wrote to memory of 2468	2076	2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe	97
PID 2468 wrote to memory of 860	2468	5E09.tmp	100
PID 2468 wrote to memory of 860	2468	5E09.tmp	100
PID 2468 wrote to memory of 860	2468	5E09.tmp	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-03_b4373babe6adc1f37cf4c0ea4e8c3633_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\ProgramData\5E09.tmp
  "C:\ProgramData\5E09.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5E09.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\SSSSSSSSSSS

Filesize
129B

MD5
0b0d3c129b610cc939d5dc341c673593

SHA1
e1b3509f6dba6233c382808272574b00a2f0af31

SHA256
1210f9ecbbac10653c0f5269cc7ed1630003c3ecc81b2f936aef0514244f6ef8

SHA512
f6b5fbb2257657ce61044204a68d662ac495c86e5a06ade9c8b0fe153f7075961eaeb424e89a07a8295fdd774856a8395be39da419bafaf1ba7f8091d4a2fdf2

Download Submit
C:\ProgramData\5E09.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
156KB

MD5
5bbea8ee30ee9650bb13ed8b41b55a33

SHA1
281362106d716bba337f2f50586a98488236f640

SHA256
7ebc636044047c4d7c3e20a478c8e323281e4861eab856f4292db3081fc17295

SHA512
374b8272e1dd24116eb9969084f5bb14286964fed1383491d10f327eb433ceb11e49b74e21d63d92f4bd03be6ef9f6e818d0e02a07dd389234f52184205a63ca

Download Submit
C:\Users\rf9xIIM0o.README.txt

Filesize
3KB

MD5
4d943092e704cc6168f0fc03e23777f0

SHA1
f9d3716fa184ba28fea6ca06ea2700b510a16ea7

SHA256
22299eca0230bf44a86e8981b42d766d452c5920480e060c7a786d616893679c

SHA512
6208849c47d7fb5b054f00e4b979a5281b2fa1fc860c6493281f9288cf8d69877c021e146ac41024a26bcf7adeeb2c37d846f24f2a07f2552cb2672003243f3c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\DDDDDDDDDDD

Filesize
129B

MD5
530f57e6b75e48853f01e88d32cb5da3

SHA1
72bca23138372506465af8b421f37126a1bf7f72

SHA256
9862da72c225f0d2c828936a4efa129639e976ca9664edbbab9f457c94f71c59

SHA512
7eb019ae62c23b4a492058b45be1bb32d29ef7d7de8627c50f9fffb50cf96077eda0b5402685f91b537e9c53c31338e1111e16e91fc22bb9f725667ff331997b

Download Submit
memory/2076-2-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2076-1-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2076-0-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2468-311-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2468-312-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2468-341-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2468-344-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download