lockbit | 7b105aba893b98d1ae293b3096854077d430f071d2801f57d8d5c370b53f1964

Resubmissions

08-09-2024 03:04

240908-dk13jatgjb 10

08-09-2024 01:42

240908-b4rl4azdmh 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.bat
Size

638B
MD5

5b1f0a177a035da3891f91183d77fad7
SHA1

282ae07cdd4630e605de19508ed00b86b0932e76
SHA256

f66f9834a6085ffda1ffa04dbed6a334719ea92e24c2b0950bef9573cffed015
SHA512

145b77756d97a227d967264a4241a9f7984af94a554be28847e2ecd4bc7b628858d0def3d7e665874b1780f9e7a434cc21b86659cf053fa268bdccbf2f8b1f48

Score

10^/10

lockbit defense_evasion discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 13 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2280-0-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2196-1-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2608-316-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1416-589-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/3376-677-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/4564-4-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/856-3-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1216-728-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/4368-740-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1404-765-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2644-939-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/4344-1269-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2280-2652-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit

Renames multiple (578) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
File opened (read-only)	\??\H:	LBB_pass.exe
File opened (read-only)	\??\E:	LBB_pass.exe
File opened (read-only)	\??\G:	LBB_pass.exe
File opened (read-only)	\??\I:	LBB_pass.exe
File opened (read-only)	\??\K:	LBB_pass.exe
File opened (read-only)	\??\Z:	LBB_pass.exe
File opened (read-only)	\??\J:	LBB_pass.exe
File opened (read-only)	\??\L:	LBB_pass.exe
File opened (read-only)	\??\X:	LBB_pass.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe

Modifies registry class 5 IoCs

Processes:

LBB_pass.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

pid	Process
2196	LBB_pass.exe
2196	LBB_pass.exe
4344	LBB_pass.exe
4344	LBB_pass.exe
856	LBB_pass.exe
856	LBB_pass.exe
4564	LBB_pass.exe
4564	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2608	LBB_pass.exe
2608	LBB_pass.exe
1416	LBB_pass.exe
1416	LBB_pass.exe
1216	LBB_pass.exe
1216	LBB_pass.exe
3376	LBB_pass.exe
3376	LBB_pass.exe
1404	LBB_pass.exe
1404	LBB_pass.exe
4368	LBB_pass.exe
4368	LBB_pass.exe
2644	LBB_pass.exe
2644	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe
2280	LBB_pass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2196	LBB_pass.exe
Token: SeBackupPrivilege	2196	LBB_pass.exe
Token: SeDebugPrivilege	2196	LBB_pass.exe
Token: 36	2196	LBB_pass.exe
Token: SeImpersonatePrivilege	2196	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2196	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2196	LBB_pass.exe
Token: 33	2196	LBB_pass.exe
Token: SeManageVolumePrivilege	2196	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2196	LBB_pass.exe
Token: SeRestorePrivilege	2196	LBB_pass.exe
Token: SeSecurityPrivilege	2196	LBB_pass.exe
Token: SeSystemProfilePrivilege	2196	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2196	LBB_pass.exe
Token: SeShutdownPrivilege	2196	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	4344	LBB_pass.exe
Token: SeBackupPrivilege	4344	LBB_pass.exe
Token: SeDebugPrivilege	4344	LBB_pass.exe
Token: 36	4344	LBB_pass.exe
Token: SeImpersonatePrivilege	4344	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	4344	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	4344	LBB_pass.exe
Token: 33	4344	LBB_pass.exe
Token: SeManageVolumePrivilege	4344	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	4344	LBB_pass.exe
Token: SeRestorePrivilege	4344	LBB_pass.exe
Token: SeSecurityPrivilege	4344	LBB_pass.exe
Token: SeSystemProfilePrivilege	4344	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	4344	LBB_pass.exe
Token: SeShutdownPrivilege	4344	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	856	LBB_pass.exe
Token: SeBackupPrivilege	856	LBB_pass.exe
Token: SeDebugPrivilege	856	LBB_pass.exe
Token: 36	856	LBB_pass.exe
Token: SeImpersonatePrivilege	856	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	856	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	856	LBB_pass.exe
Token: 33	856	LBB_pass.exe
Token: SeManageVolumePrivilege	856	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	856	LBB_pass.exe
Token: SeRestorePrivilege	856	LBB_pass.exe
Token: SeSecurityPrivilege	856	LBB_pass.exe
Token: SeSystemProfilePrivilege	856	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	856	LBB_pass.exe
Token: SeShutdownPrivilege	856	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	4564	LBB_pass.exe
Token: SeBackupPrivilege	4564	LBB_pass.exe
Token: SeDebugPrivilege	4564	LBB_pass.exe
Token: 36	4564	LBB_pass.exe
Token: SeImpersonatePrivilege	4564	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	4564	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	4564	LBB_pass.exe
Token: 33	4564	LBB_pass.exe
Token: SeManageVolumePrivilege	4564	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	4564	LBB_pass.exe
Token: SeRestorePrivilege	4564	LBB_pass.exe
Token: SeSecurityPrivilege	4564	LBB_pass.exe
Token: SeSystemProfilePrivilege	4564	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	4564	LBB_pass.exe
Token: SeShutdownPrivilege	4564	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2280	LBB_pass.exe
Token: SeBackupPrivilege	2280	LBB_pass.exe
Token: SeDebugPrivilege	2280	LBB_pass.exe
Token: 36	2280	LBB_pass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1356 wrote to memory of 2128	1356	cmd.exe	86
PID 1356 wrote to memory of 2128	1356	cmd.exe	86
PID 1356 wrote to memory of 5100	1356	cmd.exe	87
PID 1356 wrote to memory of 5100	1356	cmd.exe	87
PID 1356 wrote to memory of 4276	1356	cmd.exe	88
PID 1356 wrote to memory of 4276	1356	cmd.exe	88
PID 1356 wrote to memory of 1656	1356	cmd.exe	89
PID 1356 wrote to memory of 1656	1356	cmd.exe	89
PID 1356 wrote to memory of 1408	1356	cmd.exe	90
PID 1356 wrote to memory of 1408	1356	cmd.exe	90
PID 1356 wrote to memory of 4252	1356	cmd.exe	91
PID 1356 wrote to memory of 4252	1356	cmd.exe	91
PID 1356 wrote to memory of 3344	1356	cmd.exe	92
PID 1356 wrote to memory of 3344	1356	cmd.exe	92
PID 1356 wrote to memory of 2924	1356	cmd.exe	93
PID 1356 wrote to memory of 2924	1356	cmd.exe	93
PID 1356 wrote to memory of 440	1356	cmd.exe	94
PID 1356 wrote to memory of 440	1356	cmd.exe	94
PID 1356 wrote to memory of 1252	1356	cmd.exe	95
PID 1356 wrote to memory of 1252	1356	cmd.exe	95
PID 1356 wrote to memory of 4312	1356	cmd.exe	96
PID 1356 wrote to memory of 4312	1356	cmd.exe	96
PID 1356 wrote to memory of 3272	1356	cmd.exe	97
PID 1356 wrote to memory of 3272	1356	cmd.exe	97
PID 1356 wrote to memory of 4608	1356	cmd.exe	98
PID 1356 wrote to memory of 4608	1356	cmd.exe	98
PID 1356 wrote to memory of 4776	1356	cmd.exe	99
PID 1356 wrote to memory of 4776	1356	cmd.exe	99
PID 1356 wrote to memory of 3844	1356	cmd.exe	100
PID 1356 wrote to memory of 3844	1356	cmd.exe	100
PID 1356 wrote to memory of 2432	1356	cmd.exe	101
PID 1356 wrote to memory of 2432	1356	cmd.exe	101
PID 1356 wrote to memory of 4016	1356	cmd.exe	102
PID 1356 wrote to memory of 4016	1356	cmd.exe	102
PID 1356 wrote to memory of 4588	1356	cmd.exe	103
PID 1356 wrote to memory of 4588	1356	cmd.exe	103
PID 1356 wrote to memory of 1792	1356	cmd.exe	104
PID 1356 wrote to memory of 1792	1356	cmd.exe	104
PID 1356 wrote to memory of 3752	1356	cmd.exe	105
PID 1356 wrote to memory of 3752	1356	cmd.exe	105
PID 1356 wrote to memory of 2264	1356	cmd.exe	106
PID 1356 wrote to memory of 2264	1356	cmd.exe	106
PID 1356 wrote to memory of 4744	1356	cmd.exe	107
PID 1356 wrote to memory of 4744	1356	cmd.exe	107
PID 1356 wrote to memory of 4396	1356	cmd.exe	108
PID 1356 wrote to memory of 4396	1356	cmd.exe	108
PID 1356 wrote to memory of 3832	1356	cmd.exe	109
PID 1356 wrote to memory of 3832	1356	cmd.exe	109
PID 1356 wrote to memory of 4784	1356	cmd.exe	110
PID 1356 wrote to memory of 4784	1356	cmd.exe	110
PID 1356 wrote to memory of 3308	1356	cmd.exe	111
PID 1356 wrote to memory of 3308	1356	cmd.exe	111
PID 1356 wrote to memory of 372	1356	cmd.exe	112
PID 1356 wrote to memory of 372	1356	cmd.exe	112
PID 1356 wrote to memory of 184	1356	cmd.exe	113
PID 1356 wrote to memory of 184	1356	cmd.exe	113
PID 1356 wrote to memory of 2580	1356	cmd.exe	114
PID 1356 wrote to memory of 2580	1356	cmd.exe	114
PID 1356 wrote to memory of 4188	1356	cmd.exe	115
PID 1356 wrote to memory of 4188	1356	cmd.exe	115
PID 1356 wrote to memory of 4020	1356	cmd.exe	116
PID 1356 wrote to memory of 4020	1356	cmd.exe	116
PID 1356 wrote to memory of 3680	1356	cmd.exe	117
PID 1356 wrote to memory of 3680	1356	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\l.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2128
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4276
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:1408
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:3344
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:440
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4312
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4608
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:3844
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4016
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:1792
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2264
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4396
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4784
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:372
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2580
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4020
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:1920
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4408
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:4504
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:5040
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:824
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:976
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2984
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2220
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1696
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2724
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:4948
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4648
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4512
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1220
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4900
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4248
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2436
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1352
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:3584
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2592
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2888
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3404
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3356
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2640
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3532
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3368
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1612
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1676
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3704
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path C:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path D:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path E:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path F:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path G:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path H:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path I:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path Z:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path L:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path K:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path J:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path X:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Windows\system32\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\l.bat"
  2⤵
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\m7RJQMjol.README.txt

Filesize
104B

MD5
93bc86396b2ab9af9b69a830a995a9bd

SHA1
e5336a342ad8630687e0da6a7c98e446bb004c4d

SHA256
f66ed57bb4b8ddf72d071de972f31e6abb443399eae4d20d17c46d7fe6ed2e55

SHA512
86d7e2148abbfa00cb7569e82a3b34666bb745c6d84d60a48bf5c0f128a4ef88befbd8716ad409fbbe0da7bbe1ab704aee6f115e8f649ff9e257a4b2cc71b92e

Download Submit
memory/856-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1216-728-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1404-765-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1416-589-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2196-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2280-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2280-2652-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2608-316-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2644-939-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3376-677-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4344-1269-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4368-740-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4564-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download