e097f98ea3416330ed2fd7856743d68a7ca880c6d57e8c264a384a112ac5a390

General

Target

lk.exe
Size

146KB
MD5

7f6830b77ad13b244bc5d702d67137bf
SHA1

1fbd763388a3e9679ac66b35da8a78e041611fe4
SHA256

e097f98ea3416330ed2fd7856743d68a7ca880c6d57e8c264a384a112ac5a390
SHA512

488cb83c7267cfc70989e09489373f4372325531f7c02b1711fbdf6dfeaa377c39b84d5e971136e0e41d0a6dcde52ec4d21a749169eedb9e9ba43eb9caf077de
SSDEEP

3072:c6glyuxE4GsUPnliByocWep0XL63DjDeprS:c6gDBGpvEByocWeOmuNS

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (668) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

F454.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation F454.tmp
Deletes itself 1 IoCs

Processes:

F454.tmp

pid process

2576 F454.tmp
Executes dropped EXE 1 IoCs

Processes:

F454.tmp

pid process

2576 F454.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	F454.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

lk.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini	lk.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini	lk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP25o6yerdn57hyodxzuup1ui3c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0v2o8cf8qol04uk2nqk1mr00.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPa337ahnub7pxdkhs70w63cffb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

lk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\XQk8iLzOQ.bmp"	lk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\XQk8iLzOQ.bmp"	lk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

lk.exeF454.tmp

pid process

3592 lk.exe
3592 lk.exe
3592 lk.exe
3592 lk.exe
2576 F454.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

lk.exeF454.tmpcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F454.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

lk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop	lk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WallpaperStyle = "10"	lk.exe

Modifies registry class 5 IoCs

Processes:

lk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.XQk8iLzOQ\ = "XQk8iLzOQ"	lk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ\DefaultIcon	lk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ	lk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ\DefaultIcon\ = "C:\\ProgramData\\XQk8iLzOQ.ico"	lk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.XQk8iLzOQ	lk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lk.exe

pid	process
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe
3592	lk.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

F454.tmp

pid	process
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp
2576	F454.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lk.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeDebugPrivilege	3592	lk.exe
Token: 36	3592	lk.exe
Token: SeImpersonatePrivilege	3592	lk.exe
Token: SeIncBasePriorityPrivilege	3592	lk.exe
Token: SeIncreaseQuotaPrivilege	3592	lk.exe
Token: 33	3592	lk.exe
Token: SeManageVolumePrivilege	3592	lk.exe
Token: SeProfSingleProcessPrivilege	3592	lk.exe
Token: SeRestorePrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSystemProfilePrivilege	3592	lk.exe
Token: SeTakeOwnershipPrivilege	3592	lk.exe
Token: SeShutdownPrivilege	3592	lk.exe
Token: SeDebugPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeBackupPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe
Token: SeSecurityPrivilege	3592	lk.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE
4408	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

lk.exeprintfilterpipelinesvc.exeF454.tmp

description	pid	process	target process
PID 3592 wrote to memory of 3832	3592	lk.exe	splwow64.exe
PID 3592 wrote to memory of 3832	3592	lk.exe	splwow64.exe
PID 4592 wrote to memory of 4408	4592	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4592 wrote to memory of 4408	4592	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3592 wrote to memory of 2576	3592	lk.exe	F454.tmp
PID 3592 wrote to memory of 2576	3592	lk.exe	F454.tmp
PID 3592 wrote to memory of 2576	3592	lk.exe	F454.tmp
PID 3592 wrote to memory of 2576	3592	lk.exe	F454.tmp
PID 2576 wrote to memory of 1720	2576	F454.tmp	cmd.exe
PID 2576 wrote to memory of 1720	2576	F454.tmp	cmd.exe
PID 2576 wrote to memory of 1720	2576	F454.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\lk.exe
"C:\Users\Admin\AppData\Local\Temp\lk.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:3832

C:\ProgramData\F454.tmp
"C:\ProgramData\F454.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F454.tmp >> NUL
3⤵
- System Location Discovery: System Language Discovery
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1452

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BFDC15FC-A67A-4CA2-892F-362B011859CD}.xps" 133697535840310000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\FFFFFFFFFFF

Filesize
129B

MD5
176c155fcea5838f6dd3292c626d6e9f

SHA1
0bf2ea631f732ebe9dda432ce9975703cb534f36

SHA256
708a2489a48aab4a3165c66e28189f81004f42097f5d34263894b7fc7acc677b

SHA512
ab5bff05d09f560f20d1afc2d8aa94998cf40e1f5d5bc466c048e12ea3995b34e13a1696d482c6984b9c96ff5d4be639d1af5a97090a4b21640a63176374396a

Download Submit
C:\ProgramData\F454.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCC

Filesize
146KB

MD5
978f8c411ab60b61e3ce054577db62eb

SHA1
2f860a61a67a10d5cf137f371f8ad45a6a1683ef

SHA256
ecf91b36bbaf3d5926a9a584e89d2d195f237b143959e9b7c81b7f54a39a9f20

SHA512
f4266ab735a70af96db70ab57b9ff523a6aa9670bb9f7c9ea22835c1022b66f626a9f1595fd622bd39232e52382eff500050ce503b1658eb85300a9826bbd31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ABE4D48D-F722-4759-8E46-DD5D4FFBCDE1}

Filesize
4KB

MD5
dc039dee45de64901b900a71cbf84f1a

SHA1
d9f51599741134681754fadb61b737bb383b5203

SHA256
fa261727b20b8ac302906042f327f250cbaba2d6aeb4d48d216dac19625daeda

SHA512
a66f89cbf7d16180deb866b5df6d59994ac48347a1a9c1631b5003fa7a5ffe361d8aca1e0659c5206791cc0ae6180c44b7e676b3dcc96d81fdc193204f27a89b

Download Submit
C:\XQk8iLzOQ.README.txt

Filesize
343B

MD5
72b1ffaeb7de456483f491ecceadb088

SHA1
ee1953abc295245ab01f35a4a823883826bf2b41

SHA256
eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

SHA512
c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\DDDDDDDDDDD

Filesize
129B

MD5
2cab3deb3bf1df436e822be1f2d76242

SHA1
1e788dbe6c46d7d5c0802c3a2d5d6598f6d4217c

SHA256
3f86385dec8d7ee12f4487b229601f3858b2bc8106fbac4b2f820889af686258

SHA512
e175ebc7e8fd5d637e9111cb99050770f3728e8a814ff5416ed96fd3b201837fcd8cf106ba96f9a27550593399f615cbe2b101686c51c0a1a2f3f4d111e2c21f

Download Submit
memory/3592-3015-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3592-3017-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3592-1-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3592-3016-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3592-0-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3592-2-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/4408-3029-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/4408-3036-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/4408-3034-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/4408-3033-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/4408-3037-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/4408-3066-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

Filesize
64KB

Download
memory/4408-3067-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads