lockbit | 7b105aba893b98d1ae293b3096854077d430f071d2801f57d8d5c370b53f1964

Resubmissions

08-09-2024 03:04

240908-dk13jatgjb 10

08-09-2024 01:42

240908-b4rl4azdmh 10

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.bat
Size

638B
MD5

5b1f0a177a035da3891f91183d77fad7
SHA1

282ae07cdd4630e605de19508ed00b86b0932e76
SHA256

f66f9834a6085ffda1ffa04dbed6a334719ea92e24c2b0950bef9573cffed015
SHA512

145b77756d97a227d967264a4241a9f7984af94a554be28847e2ecd4bc7b628858d0def3d7e665874b1780f9e7a434cc21b86659cf053fa268bdccbf2f8b1f48

Score

10^/10

lockbit defense_evasion discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 15 IoCs

resource	yara_rule
behavioral3/memory/2176-1-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2920-0-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2936-3-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2172-5-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2176-6-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2312-4-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2184-184-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1080-349-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2276-659-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2476-660-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2528-658-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/448-648-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/912-795-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/2920-811-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral3/memory/1132-812-0x0000000140000000-0x00000001405E8000-memory.dmp	family_lockbit

Renames multiple (352) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	LBB_pass.exe
File opened (read-only)	\??\G:	LBB_pass.exe
File opened (read-only)	\??\X:	LBB_pass.exe
File opened (read-only)	\??\J:	LBB_pass.exe
File opened (read-only)	\??\Z:	LBB_pass.exe
File opened (read-only)	\??\I:	LBB_pass.exe
File opened (read-only)	\??\H:	LBB_pass.exe
File opened (read-only)	\??\K:	LBB_pass.exe
File opened (read-only)	\??\L:	LBB_pass.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs

pid	Process
2920	LBB_pass.exe
2176	LBB_pass.exe
2172	LBB_pass.exe
2184	LBB_pass.exe
2312	LBB_pass.exe
2528	LBB_pass.exe
2936	LBB_pass.exe
912	LBB_pass.exe
2276	LBB_pass.exe
2476	LBB_pass.exe
448	LBB_pass.exe
1080	LBB_pass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	LBB_pass.exe
2920	LBB_pass.exe
2176	LBB_pass.exe
2176	LBB_pass.exe
2184	LBB_pass.exe
2184	LBB_pass.exe
2936	LBB_pass.exe
2936	LBB_pass.exe
2172	LBB_pass.exe
2172	LBB_pass.exe
2312	LBB_pass.exe
2312	LBB_pass.exe
448	LBB_pass.exe
448	LBB_pass.exe
1080	LBB_pass.exe
1080	LBB_pass.exe
912	LBB_pass.exe
912	LBB_pass.exe
2528	LBB_pass.exe
2528	LBB_pass.exe
2476	LBB_pass.exe
2276	LBB_pass.exe
2476	LBB_pass.exe
2276	LBB_pass.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1132	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2920	LBB_pass.exe
Token: SeBackupPrivilege	2920	LBB_pass.exe
Token: SeDebugPrivilege	2920	LBB_pass.exe
Token: 36	2920	LBB_pass.exe
Token: SeImpersonatePrivilege	2920	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2920	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2920	LBB_pass.exe
Token: 33	2920	LBB_pass.exe
Token: SeManageVolumePrivilege	2920	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2920	LBB_pass.exe
Token: SeRestorePrivilege	2920	LBB_pass.exe
Token: SeSecurityPrivilege	2920	LBB_pass.exe
Token: SeSystemProfilePrivilege	2920	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2920	LBB_pass.exe
Token: SeShutdownPrivilege	2920	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2176	LBB_pass.exe
Token: SeBackupPrivilege	2176	LBB_pass.exe
Token: SeDebugPrivilege	2176	LBB_pass.exe
Token: 36	2176	LBB_pass.exe
Token: SeImpersonatePrivilege	2176	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2176	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2176	LBB_pass.exe
Token: 33	2176	LBB_pass.exe
Token: SeManageVolumePrivilege	2176	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2176	LBB_pass.exe
Token: SeRestorePrivilege	2176	LBB_pass.exe
Token: SeSecurityPrivilege	2176	LBB_pass.exe
Token: SeSystemProfilePrivilege	2176	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2176	LBB_pass.exe
Token: SeShutdownPrivilege	2176	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2184	LBB_pass.exe
Token: SeBackupPrivilege	2184	LBB_pass.exe
Token: SeDebugPrivilege	2184	LBB_pass.exe
Token: 36	2184	LBB_pass.exe
Token: SeImpersonatePrivilege	2184	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2184	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2184	LBB_pass.exe
Token: 33	2184	LBB_pass.exe
Token: SeManageVolumePrivilege	2184	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2184	LBB_pass.exe
Token: SeRestorePrivilege	2184	LBB_pass.exe
Token: SeSecurityPrivilege	2184	LBB_pass.exe
Token: SeSystemProfilePrivilege	2184	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2184	LBB_pass.exe
Token: SeShutdownPrivilege	2184	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2936	LBB_pass.exe
Token: SeBackupPrivilege	2936	LBB_pass.exe
Token: SeDebugPrivilege	2936	LBB_pass.exe
Token: 36	2936	LBB_pass.exe
Token: SeImpersonatePrivilege	2936	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2936	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2936	LBB_pass.exe
Token: 33	2936	LBB_pass.exe
Token: SeManageVolumePrivilege	2936	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2936	LBB_pass.exe
Token: SeRestorePrivilege	2936	LBB_pass.exe
Token: SeSecurityPrivilege	2936	LBB_pass.exe
Token: SeSystemProfilePrivilege	2936	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2936	LBB_pass.exe
Token: SeShutdownPrivilege	2936	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2172	LBB_pass.exe
Token: SeBackupPrivilege	2172	LBB_pass.exe
Token: SeDebugPrivilege	2172	LBB_pass.exe
Token: 36	2172	LBB_pass.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 840	3048	cmd.exe	31
PID 3048 wrote to memory of 840	3048	cmd.exe	31
PID 3048 wrote to memory of 840	3048	cmd.exe	31
PID 3048 wrote to memory of 2680	3048	cmd.exe	32
PID 3048 wrote to memory of 2680	3048	cmd.exe	32
PID 3048 wrote to memory of 2680	3048	cmd.exe	32
PID 3048 wrote to memory of 2732	3048	cmd.exe	33
PID 3048 wrote to memory of 2732	3048	cmd.exe	33
PID 3048 wrote to memory of 2732	3048	cmd.exe	33
PID 3048 wrote to memory of 2748	3048	cmd.exe	34
PID 3048 wrote to memory of 2748	3048	cmd.exe	34
PID 3048 wrote to memory of 2748	3048	cmd.exe	34
PID 3048 wrote to memory of 2752	3048	cmd.exe	35
PID 3048 wrote to memory of 2752	3048	cmd.exe	35
PID 3048 wrote to memory of 2752	3048	cmd.exe	35
PID 3048 wrote to memory of 2776	3048	cmd.exe	36
PID 3048 wrote to memory of 2776	3048	cmd.exe	36
PID 3048 wrote to memory of 2776	3048	cmd.exe	36
PID 3048 wrote to memory of 2780	3048	cmd.exe	37
PID 3048 wrote to memory of 2780	3048	cmd.exe	37
PID 3048 wrote to memory of 2780	3048	cmd.exe	37
PID 3048 wrote to memory of 2736	3048	cmd.exe	38
PID 3048 wrote to memory of 2736	3048	cmd.exe	38
PID 3048 wrote to memory of 2736	3048	cmd.exe	38
PID 3048 wrote to memory of 2708	3048	cmd.exe	39
PID 3048 wrote to memory of 2708	3048	cmd.exe	39
PID 3048 wrote to memory of 2708	3048	cmd.exe	39
PID 3048 wrote to memory of 2392	3048	cmd.exe	40
PID 3048 wrote to memory of 2392	3048	cmd.exe	40
PID 3048 wrote to memory of 2392	3048	cmd.exe	40
PID 3048 wrote to memory of 2676	3048	cmd.exe	41
PID 3048 wrote to memory of 2676	3048	cmd.exe	41
PID 3048 wrote to memory of 2676	3048	cmd.exe	41
PID 3048 wrote to memory of 2908	3048	cmd.exe	42
PID 3048 wrote to memory of 2908	3048	cmd.exe	42
PID 3048 wrote to memory of 2908	3048	cmd.exe	42
PID 3048 wrote to memory of 2812	3048	cmd.exe	43
PID 3048 wrote to memory of 2812	3048	cmd.exe	43
PID 3048 wrote to memory of 2812	3048	cmd.exe	43
PID 3048 wrote to memory of 2836	3048	cmd.exe	44
PID 3048 wrote to memory of 2836	3048	cmd.exe	44
PID 3048 wrote to memory of 2836	3048	cmd.exe	44
PID 3048 wrote to memory of 2556	3048	cmd.exe	45
PID 3048 wrote to memory of 2556	3048	cmd.exe	45
PID 3048 wrote to memory of 2556	3048	cmd.exe	45
PID 3048 wrote to memory of 2136	3048	cmd.exe	46
PID 3048 wrote to memory of 2136	3048	cmd.exe	46
PID 3048 wrote to memory of 2136	3048	cmd.exe	46
PID 3048 wrote to memory of 2808	3048	cmd.exe	47
PID 3048 wrote to memory of 2808	3048	cmd.exe	47
PID 3048 wrote to memory of 2808	3048	cmd.exe	47
PID 3048 wrote to memory of 2668	3048	cmd.exe	48
PID 3048 wrote to memory of 2668	3048	cmd.exe	48
PID 3048 wrote to memory of 2668	3048	cmd.exe	48
PID 3048 wrote to memory of 2820	3048	cmd.exe	49
PID 3048 wrote to memory of 2820	3048	cmd.exe	49
PID 3048 wrote to memory of 2820	3048	cmd.exe	49
PID 3048 wrote to memory of 2224	3048	cmd.exe	50
PID 3048 wrote to memory of 2224	3048	cmd.exe	50
PID 3048 wrote to memory of 2224	3048	cmd.exe	50
PID 3048 wrote to memory of 2856	3048	cmd.exe	51
PID 3048 wrote to memory of 2856	3048	cmd.exe	51
PID 3048 wrote to memory of 2856	3048	cmd.exe	51
PID 3048 wrote to memory of 2588	3048	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\l.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:840
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2732
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2752
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2780
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2708
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2676
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2812
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2556
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2808
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2820
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2856
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2572
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2716
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2664
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2516
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2564
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2600
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2340
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2980
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2496
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2552
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1524
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1032
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1972
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2612
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1708
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1736
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2004
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1620
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2076
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1284
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1440
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1044
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1496
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:1292
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:2284
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:380
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:776
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1432
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2648
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2368
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:796
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2244
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2404
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1396
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path C:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path D:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path E:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path F:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path G:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path H:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path I:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path Z:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path L:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path K:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path J:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path X:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Windows\system32\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\l.bat"
  2⤵
  - Deletes itself
  PID:2416

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\m7RJQMjol.ico

Filesize
14KB

MD5
88d9337c4c9cfe2d9aff8a2c718ec76b

SHA1
ce9f87183a1148816a1f777ba60a08ef5ca0d203

SHA256
95e059ef72686460884b9aea5c292c22917f75d56fe737d43be440f82034f438

SHA512
abafea8ca4e85f47befb5aa3efee9eee699ea87786faff39ee712ae498438d19a06bb31289643b620cb8203555ea4e2b546ef2f10d3f0087733bc0ceaccbeafd

Download Submit
C:\m7RJQMjol.README.txt

Filesize
104B

MD5
787065c06ec7d089333e9062ee3b6e30

SHA1
50ec32a60df613eeecbd70d2c0a45a1e59dd863d

SHA256
26a6d858afa4af210443864d64d99dd492d76e31c4611471e3072a45d2a89fc5

SHA512
04ec76939575ac3e3b1bd47ff07e3e33b6f1f9d2093f5048a5cdf02db119c45ab1e1e388c3d0b33669388c1ffca239d6ad2b76ba04ac9e2ec240622b39961de3

Download Submit
memory/448-648-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/912-795-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1080-349-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1132-813-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1132-812-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2172-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2176-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2176-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2184-184-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2276-659-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2312-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2476-660-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2528-658-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2920-811-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2920-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2936-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download