Resubmissions
05-08-2024 05:00  240805-fnb9paxdrr  score 10
05-08-2024 01:11  240805-bj9xyawemf  score 10
05-08-2024 01:07  240805-bg3e3sscrn  score 10

Analysis
max time kernel: 96s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 05:00
Behavioral task: behavioral1
Sample: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Resource: win10v2004-20240802-en

General
Target: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe
Size: 147KB
MD5: 1973ccbab82020881d531ccd1f2ca48e
SHA1: 7e18f712e26ea32b0e8aeb4cd3c958eb8d32dfed
SHA256: d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847
SHA512: 67654e67afe6a3e1ddf335dff4b976e254c45d8046853607cb4e98af6cd43accee8f2e35e296b932385bc9a6b7fed96ee4be6e113457eb5eb057bd8301f476f6
SSDEEP: 1536:PzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD8UhzyIccE+72p2Kbm+0ep3PeAM:wqJogYkcSNm9V7D8URMcS0ep3BcTT

Malware Config
Extracted
Path: C:\xcEElHqGu.README.txt
Family: lockbit
Signatures

In the IoC rows below, d20d22dd…4cd847.exe is the submitted sample d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe (PID 512). Each row is: action, object, process.

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (635) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system. The extension appended in this run is .xcEElHqGu, the same string used for the ransom note, wallpaper and icon files.

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  97BD.tmp

Deletes itself  (1 IoC)
  PID 5512  97BD.tmp  (the cmd.exe /C DEL child in the process tree does the deletion)

Executes dropped EXE  (1 IoC)
  PID 5512  97BD.tmp

Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are listed for this signature; in an encryptor run it more likely reflects browser profile files being opened for encryption than credential theft.

Drops desktop.ini file(s)  (2 IoCs)
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini  d20d22dd…4cd847.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini  d20d22dd…4cd847.exe
The F: row shows the encryptor walking a second volume, not only the system drive.

Indicator Removal: File Deletion  (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory  (4 IoCs)
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL  splwow64.exe
  File created  C:\Windows\system32\spool\PRINTERS\PP7m8cqh2u70x5_6hp4luhybvr.TMP  printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\PP_8tv6g480m5lidl7r8sfx3r3d.TMP  printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\PPb5bogxv9kdr660cfht7u4m4_c.TMP  printfilterpipelinesvc.exe
These are print spooler artifacts rather than payload drops: the sample submitted a print job (splwow64.exe is its child), and the spooler routed it through printfilterpipelinesvc.exe to the OneNote print target, which is why ONENOTE.EXE appears in the process tree with an .xps argument. LockBit is known to print its ransom note to available printers.

Sets desktop wallpaper using registry  (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xcEElHqGu.bmp"  d20d22dd…4cd847.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xcEElHqGu.bmp"  d20d22dd…4cd847.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  PID 5512  97BD.tmp
ThreadHideFromDebugger stops debug events from the calling thread reaching an attached debugger; it is a common anti-analysis step.

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d20d22dd…4cd847.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  97BD.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Checks processor information in registry  (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all three reads come from ONENOTE.EXE, which the print pipeline launched, so this is Office start-up behaviour rather than evasion by the sample; the same applies to the system-info, clipboard-listener and SetWindowsHookEx entries attributed to ONENOTE.EXE below.
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ONENOTE.EXE

Enumerates system info in registry  (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  ONENOTE.EXE
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  ONENOTE.EXE

Modifies Control Panel  (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop  d20d22dd…4cd847.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallpaperStyle = "10"  d20d22dd…4cd847.exe

Modifies registry class  (5 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu  d20d22dd…4cd847.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.xcEElHqGu\ = "xcEElHqGu"  d20d22dd…4cd847.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon  d20d22dd…4cd847.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu  d20d22dd…4cd847.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\xcEElHqGu\DefaultIcon\ = "C:\\ProgramData\\xcEElHqGu.ico"  d20d22dd…4cd847.exe
This registers the encrypted-file extension as a file type with its own icon under ProgramData, so encrypted files display the ransomware's icon in Explorer.

Opens file in notepad (likely ransom note)  (1 IoC)
  PID 5908  NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener  (2 IoCs)
  PID 5460  ONENOTE.EXE  (2 identical entries)

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  PID 512  d20d22dd…4cd847.exe  (64 identical entries)

Suspicious behavior: RenamesItself  (26 IoCs)
  PID 5512  97BD.tmp  (26 identical entries)

Suspicious use of AdjustPrivilegeToken  (64 IoCs, all PID 512 d20d22dd…4cd847.exe)
Tokens enabled, in order of first appearance: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege. The remaining 48 entries are the group SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 12 times. The entries shown as 36 and 33 are privilege LUIDs the sandbox did not resolve to a name. SeBackupPrivilege and SeRestorePrivilege together let the process bypass file ACLs, which is what an encryptor needs to reach every file on the volume.

Suspicious use of SetWindowsHookEx  (14 IoCs)
  PID 5460  ONENOTE.EXE  (14 identical entries)

Suspicious use of WriteProcessMemory  (11 IoCs)
  PID 512   d20d22dd…4cd847.exe         wrote to memory of 5232 (splwow64.exe), procid_target 90   (2 entries)
  PID 5424  printfilterpipelinesvc.exe  wrote to memory of 5460 (ONENOTE.EXE), procid_target 94    (2 entries)
  PID 512   d20d22dd…4cd847.exe         wrote to memory of 5512 (97BD.tmp), procid_target 95       (4 entries)
  PID 5512  97BD.tmp                    wrote to memory of 5924 (cmd.exe), procid_target 97        (3 entries)
The sample-to-splwow64 and pipeline-to-ONENOTE writes are ordinary parent-to-child process start-up; the sample-to-97BD.tmp and 97BD.tmp-to-cmd.exe writes belong to the drop-and-self-delete chain.
Processes

C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe  (PID 512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe  (PID 5232, child of 512)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory

  C:\ProgramData\97BD.tmp  (PID 5512, child of 512)
    Command line: "C:\ProgramData\97BD.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 5924, child of 5512)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\97BD.tmp >> NUL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe  (PID 6012)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe  (PID 5424)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE  (PID 5460, child of 5424)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B75B4EBD-261B-40AA-A83D-5903991DD14F}.xps" 133673076600030000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\NOTEPAD.EXE  (PID 5908)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\xcEElHqGu.README.txt
  - Opens file in notepad (likely ransom note)

Two details in this tree are worth noting. The self-delete command asks for C:\Windows\System32\cmd.exe but the process that ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection did that, which means the dropped 97BD.tmp is a 32-bit process. And the svchost.exe (PrintWorkflowUserSvc), printfilterpipelinesvc.exe and ONENOTE.EXE processes are not started by the sample directly; they are the spooler's side of the print job the sample submitted through splwow64.exe, with OneNote acting as the print destination.
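The signatures above are sandbox observations; the next step for a detection or IR engineer is to turn them into hunt logic. The following Python is an added example, not part of this report or of the sandbox's own signature set. It expresses four of the behaviours (self-deletion through cmd.exe, a wallpaper set from ProgramData, registration of the .xcEElHqGu file class with a ProgramData icon, and the burst of appended-extension renames) as rules and runs them over constructed EDR-style events whose PIDs, paths and registry values are copied from this report. The event schema (type, ts, pid, image, target, details; process_create with parent_image and cmdline; file_rename with old and new), the thresholds, and the two benign control events are assumptions.

```python
"""Hunt rules for four behaviours in the report above, run over constructed
EDR-style events. Added example: event schema, thresholds and the benign
control events are assumptions, not sandbox output."""
import re
from collections import defaultdict

RENAME_THRESHOLD = 50  # assumption: appended-extension renames per window before alerting
RENAME_WINDOW_S = 60   # assumption: sliding window in seconds
COMMON_EXT = {"txt", "docx", "pdf", "zip", "bak", "exe", "dll"}

def self_delete(ev):
    """cmd.exe told to delete its parent's own image (report: '"cmd.exe" /C DEL /F /Q
    C:\\PROGRA~3\\97BD.tmp >> NUL'); matching the parent's file name survives 8.3 paths."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    parent_name = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()
    if re.search(r"\b(del|erase)\b", cmd) and parent_name in cmd:
        return ("self_delete", ev["pid"], ev["parent_image"])
    return None

def wallpaper_from_programdata(ev):
    """Wallpaper set to a file under ProgramData by anything but the shell
    (report: Control Panel\\Desktop\\WallPaper = C:\\ProgramData\\xcEElHqGu.bmp)."""
    if (ev["type"] == "registry_set"
            and re.search(r"\\Control Panel\\Desktop\\WallPaper$", ev["target"], re.I)
            and ev["details"].lower().startswith("c:\\programdata\\")
            and not ev["image"].lower().endswith("\\explorer.exe")):
        return ("wallpaper_from_programdata", ev["pid"], ev["details"])
    return None

def extension_registration(events):
    """File class whose ProgId equals the extension and whose DefaultIcon lives under
    ProgramData (report: .xcEElHqGu -> xcEElHqGu -> C:\\ProgramData\\xcEElHqGu.ico)."""
    ext_to_progid, progid_icon = {}, {}
    for ev in events:
        if ev["type"] != "registry_set":
            continue
        m = re.search(r"\\Classes\\\.([^\\]+)\\\(Default\)$", ev["target"], re.I)
        if m:
            ext_to_progid[m.group(1).lower()] = (ev["details"].lower(), ev["pid"])
        m = re.search(r"\\Classes\\([^\\.][^\\]*)\\DefaultIcon\\\(Default\)$", ev["target"], re.I)
        if m:
            progid_icon[m.group(1).lower()] = ev["details"]
    return [("extension_registration", pid, ext, progid_icon[progid])
            for ext, (progid, pid) in ext_to_progid.items()
            if ext not in COMMON_EXT
            and progid_icon.get(progid, "").lower().startswith("c:\\programdata\\")]

def rename_bursts(events):
    """Per process, renames that append one new extension to the original name
    (report: 635 files) counted in a sliding window; one alert per (pid, extension)."""
    stamps = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename" and ev["new"].startswith(ev["old"] + "."):
            stamps[(ev["pid"], ev["new"][len(ev["old"]) + 1:])].append(ev["ts"])
    hits = []
    for (pid, ext), ts in stamps.items():
        ts.sort()
        lo, best = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > RENAME_WINDOW_S:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= RENAME_THRESHOLD:
            hits.append(("rename_burst", pid, ext, best))
    return hits

def hunt(events):
    hits = [h for ev in events for h in (self_delete(ev), wallpaper_from_programdata(ev)) if h]
    return hits + extension_registration(events) + rename_bursts(events)

# Constructed events: pids, paths and values copied from the report's IoC rows.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d20d22dd302f51341405794a8fb3866c234fafe614b67b55934a9a959a4cd847.exe"
WALLPAPER = r"HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallPaper"
EVENTS = [
    {"type": "registry_set", "ts": 10, "pid": 512, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\.xcEElHqGu\(Default)", "details": "xcEElHqGu"},
    {"type": "registry_set", "ts": 10, "pid": 512, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\xcEElHqGu\DefaultIcon\(Default)", "details": r"C:\ProgramData\xcEElHqGu.ico"},
    {"type": "registry_set", "ts": 11, "pid": 512, "image": SAMPLE, "target": WALLPAPER,
     "details": r"C:\ProgramData\xcEElHqGu.bmp"},
    {"type": "registry_set", "ts": 12, "pid": 4000, "image": r"C:\Windows\explorer.exe",  # benign control
     "target": WALLPAPER, "details": r"C:\Users\Admin\Pictures\beach.jpg"},
    {"type": "process_create", "ts": 90, "pid": 5924, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\ProgramData\97BD.tmp",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\97BD.tmp >> NUL'},
]
# 60 renames in 30 s appending the report's extension, then a benign control (5 files to .bak).
EVENTS += [{"type": "file_rename", "ts": 20 + i // 2, "pid": 512, "old": r"C:\Users\Admin\Documents\r%d.docx" % i,
            "new": r"C:\Users\Admin\Documents\r%d.docx.xcEElHqGu" % i} for i in range(60)]
EVENTS += [{"type": "file_rename", "ts": 30 + i, "pid": 7000, "old": r"C:\Backups\db%d.sql" % i,
            "new": r"C:\Backups\db%d.sql.bak" % i} for i in range(5)]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Matching the parent's file name rather than its full path keeps the self-delete rule robust to the 8.3 form (C:\PROGRA~3) seen in this run, and keying the rename rule on (pid, appended extension) means a backup job renaming a handful of files to .bak stays quiet while the per-extension burst fires. The wallpaper and file-class rules are cheap because the registry writes happen once; the rename rule is the one that needs tuning against a host's normal file churn.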
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 145743577fd8d3f4663764bb27cb19fd
SHA1: ae5a2bc2b2addd4635983ad082e124263127414c
SHA256: 0811e9e5a92864eb2b22c971e9347188bedd72597c7b4f0c38ea82296812d600
SHA512: 2ce46015c1cbf30bca50b3ace9a863a3b058c0422870d5b4bf384e3c1134767c8e8daccd359f06d8075113979a3cee80047225470f1dced02e1ab678f2062b1e

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Path: C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 147KB
MD5: 147310da90f8a558ed45c3d5d95f1d7d
SHA1: 5e763d841a2fdb03e078f2ebe982b940fb39972d
SHA256: 5924a8617ace527416e86dc790a8b3591401e29617baec07d5b0c8ea77e1dee2
SHA512: faaaebc29a3867c1c8d5133cebda73a12fef84a04e2920ca87b29572d220f3fb080f1535ac8bcc7053494a5cc0730cc3121cbef5c56dd268c87e2b5b53437a25

Filesize: 4KB
MD5: 4feadaa6e76d5401a9498b42882b7d14
SHA1: 42574d3f321383209b919e7168abf4da59207197
SHA256: 33292d96cd50656a839216103fc98838212af9fbf845eae182b43c5227028bd8
SHA512: fab2a88dde9778c8f9651f5e0addd0ab64145d03fec5e31961fee7d27e906dcfbe7584484d26e515c62d44a029106fb47d6759d02fafa0249a73617d56226fca

Filesize: 4KB
MD5: e425f870da76d06f83835a3572240a71
SHA1: 5a63d0214faa5fda5b803040e046672f817c8d17
SHA256: 963ebf589e0458cbde383ba6a59fd21a1b614a3f7ec99baf87e34eb591610460
SHA512: a56ab5daca2ed9943089ef575e7c50a95a221dc0fed9705b210d5f3c40bed2849d5d2a118cf21a630c4fbbf5738dfb6d5db33a6341c7fc9f93094ff5b1f333ae

Filesize: 4KB
MD5: c5524b4e7ba8d859f8771616cce84239
SHA1: 8d708923cb6bf04f72ad34e583ac75a7fe331cf9
SHA256: bd93c0cbd02ee85e9dd022fe981b695d8ee410f0c1404d9ece7e85d0408ff445
SHA512: 8f8f56dee89de87c79f522167d5330b574bbccc9fc50e2da95e3923787d49aaf67633644f607b7ca3e48bf86fd113a942c039658108b899abb3a664f48673129

Filesize: 1KB
MD5: 7fd2336a4cae4c2f51bb0860a6748860
SHA1: 69ef22fd3afb86945d371d4be0fe9c507880dd1b
SHA256: 413dd9df6327c861bd0ba99a1e99b2b00b75961230d8b499c993419da1ecca29
SHA512: 8791bd4195522517edd5a05cec17473fb01bd9865d4f4ea9966ee105fc0dc9d720c56c84af278d3bb5b31915aba678b7786e086f4890ea138f2ff47f0288c523

Filesize: 129B
MD5: bf15defb70f90b28fbeca1535202ddf2
SHA1: 9a59cf6af39f1c97ee8ee80e85cda1d87b0c7d36
SHA256: 0789f738c5bdc163f886d7e37784124dc14f73ac52243af9eb7f45468bb07c0e
SHA512: 636e2b04eed6a8c8fe11ac18910e46eda83ad038055a2bc2cf96719f637f7a6fb21f111b53e2a39ce420ed35c7992078f6bc60d78b3136b196560a04e06a62f2