Resubmissions
05/08/2024, 05:00 240805-fnb9paxdrr 10
05/08/2024, 01:11 240805-bj9xyawemf 10
05/08/2024, 01:07 240805-bg3e3sscrn 10
Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05/08/2024, 01:07
Behavioral task
behavioral1
Sample
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Resource
win10v2004-20240802-en
General
-
Target
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
-
Size
147KB
-
MD5
1973ccbab82020881d531ccd1f2ca48e
-
SHA1
7e18f712e26ea32b0e8aeb4cd3c958eb8d32dfed
-
SHA256
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847
-
SHA512
67654e67afe6a3e1ddf335dff4b976e254c45d8046853607cb4e98af6cd43accee8f2e35e296b932385bc9a6b7fed96ee4be6e113457eb5eb057bd8301f476f6
-
SSDEEP
1536:PzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD8UhzyIccE+72p2Kbm+0ep3PeAM:wqJogYkcSNm9V7D8URMcS0ep3BcTT
Malware Config
Extracted
C:\xcEElHqGu.README.txt
lockbit
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation E56F.tmp
-
Deletes itself 1 IoCs
pid Process
1692 E56F.tmp
-
Executes dropped EXE 1 IoCs
pid Process
1692 E56F.tmp
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process
File opened for modification C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process
File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe
File created C:\Windows\system32\spool\PRINTERS\PP05szjanj1d9p9hogmy405qo8d.TMP printfilterpipelinesvc.exe
File created C:\Windows\system32\spool\PRINTERS\PPl2x1eywu30wbmsz3whrnki5u.TMP printfilterpipelinesvc.exe
File created C:\Windows\system32\spool\PRINTERS\PP61413hhscb0l5cg0vbp5zmv9c.TMP printfilterpipelinesvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xcEElHqGu.bmp" d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xcEElHqGu.bmp" d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process
1692 E56F.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E56F.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE
-
Modifies Control Panel 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "10" d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
-
Modifies registry class 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu\ = "xcEElHqGu" d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon\ = "C:\\ProgramData\\xcEElHqGu.ico" d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp 1692 E56F.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeDebugPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: 36 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeImpersonatePrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeIncBasePriorityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeIncreaseQuotaPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: 33 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeManageVolumePrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeProfSingleProcessPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeRestorePrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSystemProfilePrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeTakeOwnershipPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeShutdownPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeDebugPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 
d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeBackupPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe Token: SeSecurityPrivilege 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE 1832 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 2032 wrote to memory of 1968 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 89
PID 2032 wrote to memory of 1968 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 89
PID 3964 wrote to memory of 1832 3964 printfilterpipelinesvc.exe 92
PID 3964 wrote to memory of 1832 3964 printfilterpipelinesvc.exe 92
PID 2032 wrote to memory of 1692 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 93
PID 2032 wrote to memory of 1692 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 93
PID 2032 wrote to memory of 1692 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 93
PID 2032 wrote to memory of 1692 2032 d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe 93
PID 1692 wrote to memory of 4624 1692 E56F.tmp 94
PID 1692 wrote to memory of 4624 1692 E56F.tmp 94
PID 1692 wrote to memory of 4624 1692 E56F.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe "C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe"
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
- Drops file in System32 directory
PID:1968
-
-
C:\ProgramData\E56F.tmp "C:\ProgramData\E56F.tmp"
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E56F.tmp >> NUL
- System Location Discovery: System Language Discovery
PID:4624
-
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID:116
-
C:\Windows\system32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{05E0F468-C58B-497E-A3BC-0D2B0DECF19F}.xps" 133672936865730000
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1832
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5 c16a54bec1241b8240e334d1fb368b72
SHA1 cb183105b326732df308b27966fa0ef3e1090a6a
SHA256 d0bf30a4878ecf962ce8e7868cd9a5025cb0afbcbbd6d41728964d1147280d5e
SHA512 c44efefea1dc1d537f7ef2c35dbb4c35fa0a569e06300a6f940844eb519c2d71451a1f8d0716f29e8f733539ae5cde0a69ea8490e6cabf2e5e299ab9ddae17a2
-
Filesize
14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
147KB
MD5 ef9410a7938a06b56167e99546d52062
SHA1 ef25a5400fe0a1c6a248368804a699130ddb80be
SHA256 3da871ef81f982b64ac9af5c41d2232a3b7ea0b6aaae10f434917dbb4953b5e8
SHA512 b9ae26ba60baecb2358418b7d969bb039554a6e986eeed6873707aba05f5efc9a10569649fa43e72e20da6e5292d3fe7ad474803a8c1f325a0795f9e66085e28
-
Filesize
4KB
MD5 e937d66ef8cb389ee449d17022b6ee62
SHA1 af57779a064de453993c0c0041332faf68688d3d
SHA256 aa1f34961e7ea965e4e943ee7292218bb16bc368ed382f4a7b28467cce2537b2
SHA512 3995a0da79c7d6e27429b83240fd8620bba082104a55cc20bfe42b4e455d02405b12390e3ca0b5173f70c840612abb8e4a2986cdecf7c4c19b0952e9489efc7e
-
Filesize
4KB
MD5 0b0890ab6fbed0b5439fbf2e4aece6cf
SHA1 698bddabd2f042c466dda086c2d39bb95cb18392
SHA256 c4ebb92a736b27206d009c4fb4a1f69fa3fbb012642416f879eaf6016345c9b3
SHA512 b4e9e81d3a2e67285ad0b9f180f04b6bc0fad6cd4ae35fda070845fa876312d137871556b43e144b26804f18d733c815e9cfcc21fa35bfcdb8f2be1c89f2fac6
-
Filesize
1KB
MD5 7fd2336a4cae4c2f51bb0860a6748860
SHA1 69ef22fd3afb86945d371d4be0fe9c507880dd1b
SHA256 413dd9df6327c861bd0ba99a1e99b2b00b75961230d8b499c993419da1ecca29
SHA512 8791bd4195522517edd5a05cec17473fb01bd9865d4f4ea9966ee105fc0dc9d720c56c84af278d3bb5b31915aba678b7786e086f4890ea138f2ff47f0288c523
-
Filesize
129B
MD5 d1d9e85f98f0811757c2ab331783b05a
SHA1 ef1a112d48dee21a5cb7f5e1de6e9df433bf553f
SHA256 cbad6a82af5774f3dd4f4b3391547185bcac008525b31d76217cdc78b355c2ac
SHA512 4e8fcbfcc242503ba94f563628069568247efbf5eea3a86bdf4e78053957a9b239641bb36f9be83bcecd021136d89a860a71fc0f5c71666339a29aad7d75a11c