Analysis
  max time kernel: 146s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04/08/2024, 01:56
Behavioral task behavioral1
  Sample: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Resource: win7-20240704-en
Behavioral task behavioral2
  Sample: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Resource: win10v2004-20240802-en
General
  Target: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Size: 147KB
  MD5: 1973ccbab82020881d531ccd1f2ca48e
  SHA1: 7e18f712e26ea32b0e8aeb4cd3c958eb8d32dfed
  SHA256: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847
  SHA512: 67654e67afe6a3e1ddf335dff4b976e254c45d8046853607cb4e98af6cd43accee8f2e35e296b932385bc9a6b7fed96ee4be6e113457eb5eb057bd8301f476f6
  SSDEEP: 1536:PzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD8UhzyIccE+72p2Kbm+0ep3PeAM:wqJogYkcSNm9V7D8URMcS0ep3BcTT
Malware Config
  Extracted: C:\xcEElHqGu.README.txt
  Family: lockbit
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Renames multiple (644) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | E4E3.tmp
- Deletes itself (1 IoC)
  pid | Process
  424 | E4E3.tmp
- Executes dropped EXE (1 IoC)
  pid | Process
  424 | E4E3.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP945407_iilymp7g81eh48i3ee.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPskopbj8mddqe5jx5z47wrsfmd.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP0qhct8kuu8ymrma3zfvngdcrc.TMP | printfilterpipelinesvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xcEElHqGu.bmp" | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xcEElHqGu.bmp" | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  424 | E4E3.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E4E3.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallpaperStyle = "10" | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu\ = "xcEElHqGu" | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon\ = "C:\\ProgramData\\xcEElHqGu.ico" | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe (64 identical entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  424 | E4E3.tmp (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeBackupPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeDebugPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: 36 | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeImpersonatePrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeIncBasePriorityPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeIncreaseQuotaPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: 33 | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeManageVolumePrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeProfSingleProcessPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeRestorePrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeSecurityPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeSystemProfilePrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeTakeOwnershipPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeShutdownPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  Token: SeDebugPrivilege | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
  (followed by 48 further entries for the same pid and process, alternating Token: SeBackupPrivilege twice and Token: SeSecurityPrivilege twice)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  956 | ONENOTE.EXE (13 identical entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1128 wrote to memory of 4936 | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe | 89 (2 entries)
  PID 2928 wrote to memory of 956 | 2928 | printfilterpipelinesvc.exe | 92 (2 entries)
  PID 1128 wrote to memory of 424 | 1128 | d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe | 93 (4 entries)
  PID 424 wrote to memory of 2208 | 424 | E4E3.tmp | 94 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe (PID 1128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (PID 4936)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  C:\ProgramData\E4E3.tmp (PID 424)
    Command line: "C:\ProgramData\E4E3.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2208)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E4E3.tmp >> NUL
      - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe (PID 2636)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe (PID 2928)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 956)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F2BE1A3C-70A8-427C-9D0C-161B8D1C997D}.xps" 133672101742370000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads