lockbit | 7b105aba893b98d1ae293b3096854077d430f071d2801f57d8d5c370b53f1964

Resubmissions

08-09-2024 03:04

240908-dk13jatgjb 10

08-09-2024 01:42

240908-b4rl4azdmh 10

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.bat
Size

638B
MD5

5b1f0a177a035da3891f91183d77fad7
SHA1

282ae07cdd4630e605de19508ed00b86b0932e76
SHA256

f66f9834a6085ffda1ffa04dbed6a334719ea92e24c2b0950bef9573cffed015
SHA512

145b77756d97a227d967264a4241a9f7984af94a554be28847e2ecd4bc7b628858d0def3d7e665874b1780f9e7a434cc21b86659cf053fa268bdccbf2f8b1f48

Score

10^/10

lockbit defense_evasion discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 14 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1860-1-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2264-0-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1860-3-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2392-12-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1644-22-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2388-28-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1924-51-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1936-38-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1948-123-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1916-138-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1932-211-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2332-215-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1640-273-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2264-811-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit

Renames multiple (356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2376	cmd.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
File opened (read-only)	\??\G:	LBB_pass.exe
File opened (read-only)	\??\J:	LBB_pass.exe
File opened (read-only)	\??\I:	LBB_pass.exe
File opened (read-only)	\??\Z:	LBB_pass.exe
File opened (read-only)	\??\K:	LBB_pass.exe
File opened (read-only)	\??\X:	LBB_pass.exe
File opened (read-only)	\??\H:	LBB_pass.exe
File opened (read-only)	\??\E:	LBB_pass.exe
File opened (read-only)	\??\L:	LBB_pass.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe

Modifies registry class 9 IoCs

Processes:

LBB_pass.exeLBB_pass.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol	LBB_pass.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

pid	Process
2264	LBB_pass.exe
1936	LBB_pass.exe
1916	LBB_pass.exe
1948	LBB_pass.exe
1932	LBB_pass.exe
1924	LBB_pass.exe
1860	LBB_pass.exe
2392	LBB_pass.exe
1640	LBB_pass.exe
1644	LBB_pass.exe
2332	LBB_pass.exe
2388	LBB_pass.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

pid	Process
1936	LBB_pass.exe
1936	LBB_pass.exe
2392	LBB_pass.exe
2392	LBB_pass.exe
1644	LBB_pass.exe
1644	LBB_pass.exe
2388	LBB_pass.exe
2388	LBB_pass.exe
1948	LBB_pass.exe
1948	LBB_pass.exe
1916	LBB_pass.exe
1916	LBB_pass.exe
1860	LBB_pass.exe
1860	LBB_pass.exe
2264	LBB_pass.exe
2264	LBB_pass.exe
1924	LBB_pass.exe
1924	LBB_pass.exe
1640	LBB_pass.exe
1640	LBB_pass.exe
1932	LBB_pass.exe
1932	LBB_pass.exe
2332	LBB_pass.exe
2332	LBB_pass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1936	LBB_pass.exe
Token: SeBackupPrivilege	1936	LBB_pass.exe
Token: SeDebugPrivilege	1936	LBB_pass.exe
Token: 36	1936	LBB_pass.exe
Token: SeImpersonatePrivilege	1936	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	1936	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	1936	LBB_pass.exe
Token: 33	1936	LBB_pass.exe
Token: SeManageVolumePrivilege	1936	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	1936	LBB_pass.exe
Token: SeRestorePrivilege	1936	LBB_pass.exe
Token: SeSecurityPrivilege	1936	LBB_pass.exe
Token: SeSystemProfilePrivilege	1936	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	1936	LBB_pass.exe
Token: SeShutdownPrivilege	1936	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2392	LBB_pass.exe
Token: SeBackupPrivilege	2392	LBB_pass.exe
Token: SeDebugPrivilege	2392	LBB_pass.exe
Token: 36	2392	LBB_pass.exe
Token: SeImpersonatePrivilege	2392	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2392	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2392	LBB_pass.exe
Token: 33	2392	LBB_pass.exe
Token: SeManageVolumePrivilege	2392	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2392	LBB_pass.exe
Token: SeRestorePrivilege	2392	LBB_pass.exe
Token: SeSecurityPrivilege	2392	LBB_pass.exe
Token: SeSystemProfilePrivilege	2392	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2392	LBB_pass.exe
Token: SeShutdownPrivilege	2392	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	1644	LBB_pass.exe
Token: SeBackupPrivilege	1644	LBB_pass.exe
Token: SeDebugPrivilege	1644	LBB_pass.exe
Token: 36	1644	LBB_pass.exe
Token: SeImpersonatePrivilege	1644	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	1644	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	1644	LBB_pass.exe
Token: 33	1644	LBB_pass.exe
Token: SeManageVolumePrivilege	1644	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	1644	LBB_pass.exe
Token: SeRestorePrivilege	1644	LBB_pass.exe
Token: SeSecurityPrivilege	1644	LBB_pass.exe
Token: SeSystemProfilePrivilege	1644	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	1644	LBB_pass.exe
Token: SeShutdownPrivilege	1644	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2388	LBB_pass.exe
Token: SeBackupPrivilege	2388	LBB_pass.exe
Token: SeDebugPrivilege	2388	LBB_pass.exe
Token: 36	2388	LBB_pass.exe
Token: SeImpersonatePrivilege	2388	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2388	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2388	LBB_pass.exe
Token: 33	2388	LBB_pass.exe
Token: SeManageVolumePrivilege	2388	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2388	LBB_pass.exe
Token: SeRestorePrivilege	2388	LBB_pass.exe
Token: SeSecurityPrivilege	2388	LBB_pass.exe
Token: SeSystemProfilePrivilege	2388	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2388	LBB_pass.exe
Token: SeShutdownPrivilege	2388	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	1948	LBB_pass.exe
Token: SeBackupPrivilege	1948	LBB_pass.exe
Token: SeDebugPrivilege	1948	LBB_pass.exe
Token: 36	1948	LBB_pass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2320 wrote to memory of 2412	2320	cmd.exe	29
PID 2320 wrote to memory of 2412	2320	cmd.exe	29
PID 2320 wrote to memory of 2412	2320	cmd.exe	29
PID 2320 wrote to memory of 2432	2320	cmd.exe	30
PID 2320 wrote to memory of 2432	2320	cmd.exe	30
PID 2320 wrote to memory of 2432	2320	cmd.exe	30
PID 2320 wrote to memory of 2296	2320	cmd.exe	31
PID 2320 wrote to memory of 2296	2320	cmd.exe	31
PID 2320 wrote to memory of 2296	2320	cmd.exe	31
PID 2320 wrote to memory of 2280	2320	cmd.exe	32
PID 2320 wrote to memory of 2280	2320	cmd.exe	32
PID 2320 wrote to memory of 2280	2320	cmd.exe	32
PID 2320 wrote to memory of 2260	2320	cmd.exe	33
PID 2320 wrote to memory of 2260	2320	cmd.exe	33
PID 2320 wrote to memory of 2260	2320	cmd.exe	33
PID 2320 wrote to memory of 1676	2320	cmd.exe	34
PID 2320 wrote to memory of 1676	2320	cmd.exe	34
PID 2320 wrote to memory of 1676	2320	cmd.exe	34
PID 2320 wrote to memory of 2288	2320	cmd.exe	35
PID 2320 wrote to memory of 2288	2320	cmd.exe	35
PID 2320 wrote to memory of 2288	2320	cmd.exe	35
PID 2320 wrote to memory of 2100	2320	cmd.exe	36
PID 2320 wrote to memory of 2100	2320	cmd.exe	36
PID 2320 wrote to memory of 2100	2320	cmd.exe	36
PID 2320 wrote to memory of 1160	2320	cmd.exe	37
PID 2320 wrote to memory of 1160	2320	cmd.exe	37
PID 2320 wrote to memory of 1160	2320	cmd.exe	37
PID 2320 wrote to memory of 2776	2320	cmd.exe	38
PID 2320 wrote to memory of 2776	2320	cmd.exe	38
PID 2320 wrote to memory of 2776	2320	cmd.exe	38
PID 2320 wrote to memory of 2668	2320	cmd.exe	39
PID 2320 wrote to memory of 2668	2320	cmd.exe	39
PID 2320 wrote to memory of 2668	2320	cmd.exe	39
PID 2320 wrote to memory of 2968	2320	cmd.exe	40
PID 2320 wrote to memory of 2968	2320	cmd.exe	40
PID 2320 wrote to memory of 2968	2320	cmd.exe	40
PID 2320 wrote to memory of 2252	2320	cmd.exe	41
PID 2320 wrote to memory of 2252	2320	cmd.exe	41
PID 2320 wrote to memory of 2252	2320	cmd.exe	41
PID 2320 wrote to memory of 2212	2320	cmd.exe	42
PID 2320 wrote to memory of 2212	2320	cmd.exe	42
PID 2320 wrote to memory of 2212	2320	cmd.exe	42
PID 2320 wrote to memory of 2084	2320	cmd.exe	43
PID 2320 wrote to memory of 2084	2320	cmd.exe	43
PID 2320 wrote to memory of 2084	2320	cmd.exe	43
PID 2320 wrote to memory of 3016	2320	cmd.exe	44
PID 2320 wrote to memory of 3016	2320	cmd.exe	44
PID 2320 wrote to memory of 3016	2320	cmd.exe	44
PID 2320 wrote to memory of 2596	2320	cmd.exe	45
PID 2320 wrote to memory of 2596	2320	cmd.exe	45
PID 2320 wrote to memory of 2596	2320	cmd.exe	45
PID 2320 wrote to memory of 2628	2320	cmd.exe	46
PID 2320 wrote to memory of 2628	2320	cmd.exe	46
PID 2320 wrote to memory of 2628	2320	cmd.exe	46
PID 2320 wrote to memory of 2592	2320	cmd.exe	47
PID 2320 wrote to memory of 2592	2320	cmd.exe	47
PID 2320 wrote to memory of 2592	2320	cmd.exe	47
PID 2320 wrote to memory of 2688	2320	cmd.exe	48
PID 2320 wrote to memory of 2688	2320	cmd.exe	48
PID 2320 wrote to memory of 2688	2320	cmd.exe	48
PID 2320 wrote to memory of 2704	2320	cmd.exe	49
PID 2320 wrote to memory of 2704	2320	cmd.exe	49
PID 2320 wrote to memory of 2704	2320	cmd.exe	49
PID 2320 wrote to memory of 2708	2320	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\l.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2412
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2296
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2260
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2288
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:1160
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2668
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2252
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2084
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2596
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2592
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2704
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2744
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2692
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2612
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2620
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:3036
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2604
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2524
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2760
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2992
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2652
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2544
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2492
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2508
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2552
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1656
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2664
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2836
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2840
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2804
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2248
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1784
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1988
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1712
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1400
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:316
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:552
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2268
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1984
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1204
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1208
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:668
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1156
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2764
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1608
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path C:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path D:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path E:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path F:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path G:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path H:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path I:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path Z:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path L:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path K:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path J:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path X:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\l.bat"
  2⤵
  - Deletes itself
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\m7RJQMjol.ico

Filesize
14KB

MD5
88d9337c4c9cfe2d9aff8a2c718ec76b

SHA1
ce9f87183a1148816a1f777ba60a08ef5ca0d203

SHA256
95e059ef72686460884b9aea5c292c22917f75d56fe737d43be440f82034f438

SHA512
abafea8ca4e85f47befb5aa3efee9eee699ea87786faff39ee712ae498438d19a06bb31289643b620cb8203555ea4e2b546ef2f10d3f0087733bc0ceaccbeafd

Download Submit
C:\m7RJQMjol.README.txt

Filesize
104B

MD5
61744796a485388d5e435cf328562240

SHA1
c7c101abe3c786698ce6e47b2b8390e9f710494d

SHA256
689cb8bb846a5279e4feea39f8c7c0ac1f726ecfdbdcbb4823ff47a73e405878

SHA512
a500dbc3cef72dce6c69bafa3def74e7d8cd48dd9d66c75cb990056a8fb4478d2a08f3a4fcde1c9b9439aa8cb2cd484045dfce270f6747e5850eee0463089d4e

Download Submit
memory/1640-273-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1644-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1860-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1860-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1916-138-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1924-51-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1932-211-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1936-38-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1948-123-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2264-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2264-811-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2332-215-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2388-28-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2392-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download