lockbit | 7b105aba893b98d1ae293b3096854077d430f071d2801f57d8d5c370b53f1964

Resubmissions

08-09-2024 03:04

240908-dk13jatgjb 10

08-09-2024 01:42

240908-b4rl4azdmh 10

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.bat
Size

638B
MD5

5b1f0a177a035da3891f91183d77fad7
SHA1

282ae07cdd4630e605de19508ed00b86b0932e76
SHA256

f66f9834a6085ffda1ffa04dbed6a334719ea92e24c2b0950bef9573cffed015
SHA512

145b77756d97a227d967264a4241a9f7984af94a554be28847e2ecd4bc7b628858d0def3d7e665874b1780f9e7a434cc21b86659cf053fa268bdccbf2f8b1f48

Score

10^/10

lockbit defense_evasion discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 14 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1772-0-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/692-1-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2540-2-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2180-66-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/3884-65-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1776-6-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/2500-100-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/3044-101-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1292-99-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/4568-98-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/4680-97-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/676-3-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/692-739-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit
behavioral4/memory/1772-2947-0x0000000000400000-0x0000000000427000-memory.dmp	family_lockbit

Renames multiple (614) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
File opened (read-only)	\??\H:	LBB_pass.exe
File opened (read-only)	\??\J:	LBB_pass.exe
File opened (read-only)	\??\E:	LBB_pass.exe
File opened (read-only)	\??\K:	LBB_pass.exe
File opened (read-only)	\??\Z:	LBB_pass.exe
File opened (read-only)	\??\L:	LBB_pass.exe
File opened (read-only)	\??\I:	LBB_pass.exe
File opened (read-only)	\??\X:	LBB_pass.exe
File opened (read-only)	\??\G:	LBB_pass.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBB_pass.exe

Modifies registry class 6 IoCs

Processes:

LBB_pass.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m7RJQMjol\ = "m7RJQMjol"	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon	LBB_pass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol	LBB_pass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\m7RJQMjol\DefaultIcon\ = "C:\\ProgramData\\m7RJQMjol.ico"	LBB_pass.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

pid	Process
4568	LBB_pass.exe
4568	LBB_pass.exe
692	LBB_pass.exe
692	LBB_pass.exe
2540	LBB_pass.exe
2540	LBB_pass.exe
1776	LBB_pass.exe
1776	LBB_pass.exe
676	LBB_pass.exe
676	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
2180	LBB_pass.exe
2180	LBB_pass.exe
4680	LBB_pass.exe
4680	LBB_pass.exe
3884	LBB_pass.exe
3884	LBB_pass.exe
1292	LBB_pass.exe
1292	LBB_pass.exe
2500	LBB_pass.exe
2500	LBB_pass.exe
3044	LBB_pass.exe
3044	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe
1772	LBB_pass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exeLBB_pass.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4568	LBB_pass.exe
Token: SeBackupPrivilege	4568	LBB_pass.exe
Token: SeDebugPrivilege	4568	LBB_pass.exe
Token: 36	4568	LBB_pass.exe
Token: SeImpersonatePrivilege	4568	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	4568	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	4568	LBB_pass.exe
Token: 33	4568	LBB_pass.exe
Token: SeManageVolumePrivilege	4568	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	4568	LBB_pass.exe
Token: SeRestorePrivilege	4568	LBB_pass.exe
Token: SeSecurityPrivilege	4568	LBB_pass.exe
Token: SeSystemProfilePrivilege	4568	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	4568	LBB_pass.exe
Token: SeShutdownPrivilege	4568	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	692	LBB_pass.exe
Token: SeBackupPrivilege	692	LBB_pass.exe
Token: SeDebugPrivilege	692	LBB_pass.exe
Token: 36	692	LBB_pass.exe
Token: SeImpersonatePrivilege	692	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	692	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	692	LBB_pass.exe
Token: 33	692	LBB_pass.exe
Token: SeManageVolumePrivilege	692	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	692	LBB_pass.exe
Token: SeRestorePrivilege	692	LBB_pass.exe
Token: SeSecurityPrivilege	692	LBB_pass.exe
Token: SeSystemProfilePrivilege	692	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	692	LBB_pass.exe
Token: SeShutdownPrivilege	692	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	2540	LBB_pass.exe
Token: SeBackupPrivilege	2540	LBB_pass.exe
Token: SeDebugPrivilege	2540	LBB_pass.exe
Token: 36	2540	LBB_pass.exe
Token: SeImpersonatePrivilege	2540	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	2540	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	2540	LBB_pass.exe
Token: 33	2540	LBB_pass.exe
Token: SeManageVolumePrivilege	2540	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	2540	LBB_pass.exe
Token: SeRestorePrivilege	2540	LBB_pass.exe
Token: SeSecurityPrivilege	2540	LBB_pass.exe
Token: SeSystemProfilePrivilege	2540	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	2540	LBB_pass.exe
Token: SeShutdownPrivilege	2540	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	1776	LBB_pass.exe
Token: SeBackupPrivilege	1776	LBB_pass.exe
Token: SeDebugPrivilege	1776	LBB_pass.exe
Token: 36	1776	LBB_pass.exe
Token: SeImpersonatePrivilege	1776	LBB_pass.exe
Token: SeIncBasePriorityPrivilege	1776	LBB_pass.exe
Token: SeIncreaseQuotaPrivilege	1776	LBB_pass.exe
Token: 33	1776	LBB_pass.exe
Token: SeManageVolumePrivilege	1776	LBB_pass.exe
Token: SeProfSingleProcessPrivilege	1776	LBB_pass.exe
Token: SeRestorePrivilege	1776	LBB_pass.exe
Token: SeSecurityPrivilege	1776	LBB_pass.exe
Token: SeSystemProfilePrivilege	1776	LBB_pass.exe
Token: SeTakeOwnershipPrivilege	1776	LBB_pass.exe
Token: SeShutdownPrivilege	1776	LBB_pass.exe
Token: SeAssignPrimaryTokenPrivilege	676	LBB_pass.exe
Token: SeBackupPrivilege	676	LBB_pass.exe
Token: SeDebugPrivilege	676	LBB_pass.exe
Token: 36	676	LBB_pass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid	Process
5264	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2956 wrote to memory of 2460	2956	cmd.exe	91
PID 2956 wrote to memory of 2460	2956	cmd.exe	91
PID 2956 wrote to memory of 4036	2956	cmd.exe	92
PID 2956 wrote to memory of 4036	2956	cmd.exe	92
PID 2956 wrote to memory of 3224	2956	cmd.exe	93
PID 2956 wrote to memory of 3224	2956	cmd.exe	93
PID 2956 wrote to memory of 4812	2956	cmd.exe	94
PID 2956 wrote to memory of 4812	2956	cmd.exe	94
PID 2956 wrote to memory of 4560	2956	cmd.exe	95
PID 2956 wrote to memory of 4560	2956	cmd.exe	95
PID 2956 wrote to memory of 4564	2956	cmd.exe	96
PID 2956 wrote to memory of 4564	2956	cmd.exe	96
PID 2956 wrote to memory of 2412	2956	cmd.exe	97
PID 2956 wrote to memory of 2412	2956	cmd.exe	97
PID 2956 wrote to memory of 2836	2956	cmd.exe	98
PID 2956 wrote to memory of 2836	2956	cmd.exe	98
PID 2956 wrote to memory of 2884	2956	cmd.exe	99
PID 2956 wrote to memory of 2884	2956	cmd.exe	99
PID 2956 wrote to memory of 5064	2956	cmd.exe	100
PID 2956 wrote to memory of 5064	2956	cmd.exe	100
PID 2956 wrote to memory of 3188	2956	cmd.exe	101
PID 2956 wrote to memory of 3188	2956	cmd.exe	101
PID 2956 wrote to memory of 2032	2956	cmd.exe	102
PID 2956 wrote to memory of 2032	2956	cmd.exe	102
PID 2956 wrote to memory of 1784	2956	cmd.exe	103
PID 2956 wrote to memory of 1784	2956	cmd.exe	103
PID 2956 wrote to memory of 1584	2956	cmd.exe	104
PID 2956 wrote to memory of 1584	2956	cmd.exe	104
PID 2956 wrote to memory of 2952	2956	cmd.exe	105
PID 2956 wrote to memory of 2952	2956	cmd.exe	105
PID 2956 wrote to memory of 3316	2956	cmd.exe	106
PID 2956 wrote to memory of 3316	2956	cmd.exe	106
PID 2956 wrote to memory of 4444	2956	cmd.exe	107
PID 2956 wrote to memory of 4444	2956	cmd.exe	107
PID 2956 wrote to memory of 624	2956	cmd.exe	108
PID 2956 wrote to memory of 624	2956	cmd.exe	108
PID 2956 wrote to memory of 2252	2956	cmd.exe	109
PID 2956 wrote to memory of 2252	2956	cmd.exe	109
PID 2956 wrote to memory of 3588	2956	cmd.exe	110
PID 2956 wrote to memory of 3588	2956	cmd.exe	110
PID 2956 wrote to memory of 2540	2956	cmd.exe	111
PID 2956 wrote to memory of 2540	2956	cmd.exe	111
PID 2956 wrote to memory of 4856	2956	cmd.exe	112
PID 2956 wrote to memory of 4856	2956	cmd.exe	112
PID 2956 wrote to memory of 648	2956	cmd.exe	113
PID 2956 wrote to memory of 648	2956	cmd.exe	113
PID 2956 wrote to memory of 1568	2956	cmd.exe	114
PID 2956 wrote to memory of 1568	2956	cmd.exe	114
PID 2956 wrote to memory of 2720	2956	cmd.exe	115
PID 2956 wrote to memory of 2720	2956	cmd.exe	115
PID 2956 wrote to memory of 3120	2956	cmd.exe	116
PID 2956 wrote to memory of 3120	2956	cmd.exe	116
PID 2956 wrote to memory of 3780	2956	cmd.exe	117
PID 2956 wrote to memory of 3780	2956	cmd.exe	117
PID 2956 wrote to memory of 4744	2956	cmd.exe	118
PID 2956 wrote to memory of 4744	2956	cmd.exe	118
PID 2956 wrote to memory of 3180	2956	cmd.exe	119
PID 2956 wrote to memory of 3180	2956	cmd.exe	119
PID 2956 wrote to memory of 1528	2956	cmd.exe	120
PID 2956 wrote to memory of 1528	2956	cmd.exe	120
PID 2956 wrote to memory of 4064	2956	cmd.exe	121
PID 2956 wrote to memory of 4064	2956	cmd.exe	121
PID 2956 wrote to memory of 3080	2956	cmd.exe	122
PID 2956 wrote to memory of 3080	2956	cmd.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\l.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2460
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:3224
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4560
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2412
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2884
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:3188
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:1784
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:2952
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\PerfLogs "
  2⤵
  PID:4444
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2252
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2540
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:648
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:2720
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:3780
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:3180
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4064
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4380
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files "
  2⤵
  PID:4600
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2832
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:828
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:1032
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:3160
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:2464
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:4796
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:4688
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:3984
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86) "
  2⤵
  PID:4420
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:3716
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4004
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4100
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:544
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4264
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:5080
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:3104
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:3332
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users "
  2⤵
  PID:4532
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:3448
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Backup"
  2⤵
  PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2780
- C:\Windows\system32\findstr.exe
  findstr /I /C:"σñçΣ╗╜"
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:2808
- C:\Windows\system32\findstr.exe
  findstr /I /C:"bak"
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:936
- C:\Windows\system32\findstr.exe
  findstr /I /C:"weaver"
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1688
- C:\Windows\system32\findstr.exe
  findstr /I /C:"E-office"
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:1104
- C:\Windows\system32\findstr.exe
  findstr /I /C:"OA"
  2⤵
  PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:4160
- C:\Windows\system32\findstr.exe
  findstr /I /C:"Seeyon"
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:4180
- C:\Windows\system32\findstr.exe
  findstr /I /C:"beifen"
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows "
  2⤵
  PID:5024
- C:\Windows\system32\findstr.exe
  findstr /I /C:"U8"
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path C:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path D:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path E:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path F:\
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path G:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path H:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path I:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path Z:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path L:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path K:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path J:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\LBB_pass.exe
  LBB_pass.exe -pass 83e8738681edd0c2e95e64ee13b8c2e8 -path X:\
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Windows\system32\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\l.bat"
  2⤵
  PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:1516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\m7RJQMjol.README.txt

Filesize
104B

MD5
cd2440a52d042617c57ce07e78468f3f

SHA1
2669f011eff9b70d9329e98ede60ea20e89c334a

SHA256
78a56914d4e581a491c601093f1c2c74f5fcaca99098bd730100d4b3221b0aea

SHA512
ebd0bdda081d8bb542c7c855792dfae307d3d2d619ee952d9bd607d255588c42cc04318d3b06b117c2bd2aa0d6f2b5d94c43d130573e79ab1f89bb7ff2598a80

Download Submit
memory/676-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/692-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/692-739-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1292-99-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1772-2947-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1776-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2180-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2540-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3044-101-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3884-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4568-98-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4680-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download