Overview (score 10)
Static (score 10)

Behavioral task scores by target and platform:

Target                   Platform              Score
329D6F9DDB...I_I386      ubuntu-22.04-amd64    -
329D6F9DDB...XI_X64      ubuntu-24.04-amd64    8
LBB.exe                  windows7-x64          9
LBB.exe                  windows10-2004-x64    9
LBB_PS1.ps1              windows7-x64          5
LBB_PS1.ps1              windows10-2004-x64    9
LBB_PS1_ob...ed.ps1      windows7-x64          3
LBB_PS1_ob...ed.ps1      windows10-2004-x64    3
LBB_PS1_pass.ps1         windows7-x64          10
LBB_PS1_pass.ps1         windows10-2004-x64    10
LBB_Reflec...in.dll      windows7-x64          9
LBB_Reflec...in.dll      windows10-2004-x64    7
LBB_Rundll32.dll         windows7-x64          3
LBB_Rundll32.dll         windows10-2004-x64    3
LBB_Rundll32_pass.dll    windows7-x64          10
LBB_Rundll32_pass.dll    windows10-2004-x64    10
LBB_pass.exe             windows7-x64          10
LBB_pass.exe             windows10-2004-x64    10
FC8E43EC21...32.exe      windows7-x64          7
FC8E43EC21...32.exe      windows10-2004-x64    7
FC8E43EC21...64.exe      windows7-x64          7
FC8E43EC21...64.exe      windows10-2004-x64    7

Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 14:36
Behavioral tasks

Task           Sample                                Resource
behavioral1    329D6F9DDBF138D4/locker_ESXI_I386     ubuntu2204-amd64-20240611-en
behavioral2    329D6F9DDBF138D4/locker_ESXI_X64      ubuntu2404-amd64-20240729-en
behavioral3    LBB.exe                               win7-20240903-en
behavioral4    LBB.exe                               win10v2004-20241007-en
behavioral5    LBB_PS1.ps1                           win7-20240903-en
behavioral6    LBB_PS1.ps1                           win10v2004-20241007-en
behavioral7    LBB_PS1_obfuscated.ps1                win7-20240708-en
behavioral8    LBB_PS1_obfuscated.ps1                win10v2004-20241007-en
behavioral9    LBB_PS1_pass.ps1                      win7-20241010-en
behavioral10   LBB_PS1_pass.ps1                      win10v2004-20241007-en
behavioral11   LBB_ReflectiveDll_DllMain.dll         win7-20240729-en
behavioral12   LBB_ReflectiveDll_DllMain.dll         win10v2004-20241007-en
behavioral13   LBB_Rundll32.dll                      win7-20240903-en
behavioral14   LBB_Rundll32.dll                      win10v2004-20241007-en
behavioral15   LBB_Rundll32_pass.dll                 win7-20240903-en
behavioral16   LBB_Rundll32_pass.dll                 win10v2004-20241007-en
behavioral17   LBB_pass.exe                          win7-20241010-en
behavioral18   LBB_pass.exe                          win10v2004-20241007-en
behavioral19   FC8E43EC21BE9047/lbg32.exe            win7-20240903-en
behavioral20   FC8E43EC21BE9047/lbg32.exe            win10v2004-20241007-en
behavioral21   FC8E43EC21BE9047/lbg64.exe            win7-20240903-en
behavioral22   FC8E43EC21BE9047/lbg64.exe            win10v2004-20241007-en
General
- Target: FC8E43EC21BE9047/lbg32.exe
- Size: 60KB
- MD5: c5cc3c5cef6b382568a54f579b2965ff
- SHA1: e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
- SHA256: 48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
- SHA512: 74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
- SSDEEP: 1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 2316, process lbg32.exe

Drops startup file (1 IoC)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Restore-My-Files.txt (lbg32.exe)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by lbg32.exe: \??\G:, \??\X:, \??\E:, \??\S:, \??\B:, \??\M:, \??\O:, \??\H:, \??\K:, \??\L:, \??\Z:, \??\V:, \??\P:, \??\J:, \??\U:, \??\I:, \??\A:, \??\N:, \??\D:, \??\F:, \??\T:, \??\Y:

Drops file in Program Files directory (64 IoCs)
All entries by process lbg32.exe:
- File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.f26e9f62905a
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04355_.WMF.07d8dc9be5d3
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF.066267aea4f6
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.c578be596711
- File created C:\Program Files\Microsoft Games\More Games\it-IT\Restore-My-Files.txt
- File created C:\Program Files\VideoLAN\VLC\locale\Restore-My-Files.txt
- File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\Restore-My-Files.txt
- File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.3e97aa7e6436
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.4f377b6d5385
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF.ebbc54fff927
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF.6a58310638ee
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP.bb7cc42f2977
- File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.be46fb5e6496
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL.56184d4a5462
- File created C:\Program Files\VideoLAN\VLC\locale\sl\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF.d53ee8c9cb21
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00222_.WMF.a1389a3dc3f5
- File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\Restore-My-Files.txt
- File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Restore-My-Files.txt
- File created C:\Program Files\Microsoft Games\Solitaire\it-IT\Restore-My-Files.txt
- File created C:\Program Files\Common Files\System\Ole DB\ja-JP\Restore-My-Files.txt
- File created C:\Program Files\VideoLAN\VLC\locale\cy\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF.4489ce382670
- File created C:\Program Files\Java\jre7\lib\fonts\Restore-My-Files.txt
- File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.21230153451b
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL.a5b513cbc9f3
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT.d4489f48b660
- File created C:\Program Files\VideoLAN\VLC\plugins\access_output\Restore-My-Files.txt
- File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\Restore-My-Files.txt
- File opened for modification C:\Program Files\UseConvertTo.odp.b765d1255f8d
- File created C:\Program Files\Common Files\System\en-US\Restore-My-Files.txt
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.7fc1bd151fcd
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL.f8ab5094eedc
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCVDT.DLL.be873adee496
- File created C:\Program Files\Microsoft Office\Office14\1033\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE.316a58add705
- File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF.663f5a767cae
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105526.WMF.b962d8555f8d
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF.ef05e98d97e5
- File opened for modification C:\Program Files\7-Zip\Lang\ro.txt.1fa7bbbd8375
- File created C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\Restore-My-Files.txt
- File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.511547475d6f
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.abaa02dbd9e3
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF.94a0373836e0
- File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.aabc153e38e6
- File created C:\Program Files\Microsoft Games\FreeCell\ja-JP\Restore-My-Files.txt
- File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID.301f2c646e3c
- File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\Restore-My-Files.txt
- File opened for modification C:\Program Files\7-Zip\Lang\az.txt.b0cf7c646e9c
- File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\Restore-My-Files.txt
- File created C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\Restore-My-Files.txt
- File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF.8654d16a6c52
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00513_.WMF.592c764d4bb5
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099170.WMF.22d9f8fec036
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF.7c4f301022d8
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.b19527e7fd8f
- File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\Restore-My-Files.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00923_.WMF.75dcaa292fc1

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lbg32.exe)

Suspicious behavior: RenamesItself (1 IoC)
- pid 2316, process lbg32.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- lbg32.exe (pid 2316): SeDebugPrivilege
- vssvc.exe (pid 2828): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (pid 2336), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- WMIC.exe (pid 296), the same sequence recorded once: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (64 IoCs)
Each row: source pid (process) wrote to memory of target pid, procid_target, number of times recorded.

Source             Target   procid_target   Count
2316 (lbg32.exe)   2724     33              4
2724 (cmd.exe)     2336     35              3
2316 (lbg32.exe)   1836     36              4
1836 (cmd.exe)     296      38              3
2316 (lbg32.exe)   1804     39              4
1804 (cmd.exe)     2452     41              3
2316 (lbg32.exe)   2520     42              4
2520 (cmd.exe)     2888     44              3
2316 (lbg32.exe)   2508     45              4
2508 (cmd.exe)     1992     47              3
2316 (lbg32.exe)   2912     48              4
2912 (cmd.exe)     1776     50              3
2316 (lbg32.exe)   1904     51              4
1904 (cmd.exe)     1060     53              3
2316 (lbg32.exe)   2704     54              4
2704 (cmd.exe)     2968     56              3
2316 (lbg32.exe)   1440     57              4
1440 (cmd.exe)     2012     59              3
2316 (lbg32.exe)   1508     60              1

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (indentation shows parent/child depth; signatures listed under each process):

C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe (PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
  - Deletes itself
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 2724)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 2336)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 1836)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 296)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 1804)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 2452)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete

  C:\Windows\system32\cmd.exe (PID 2520)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 2888)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete

  C:\Windows\system32\cmd.exe (PID 2508)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 1992)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete

  C:\Windows\system32\cmd.exe (PID 2912)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 1776)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete

  C:\Windows\system32\cmd.exe (PID 1904)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 1060)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete

  C:\Windows\system32\cmd.exe (PID 2704)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 2968)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete

  C:\Windows\system32\cmd.exe (PID 1440)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 2012)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete

  C:\Windows\system32\cmd.exe (PID 1508)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 908)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete

  C:\Windows\system32\cmd.exe (PID 1768)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 2324)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete

  C:\Windows\system32\cmd.exe (PID 2248)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 3012)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete

  C:\Windows\system32\cmd.exe (PID 1760)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1080)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete

  C:\Windows\system32\cmd.exe (PID 2432)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 448)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete

  C:\Windows\system32\cmd.exe (PID 2008)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1612)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete

  C:\Windows\system32\cmd.exe (PID 2568)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1784)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete

  C:\Windows\system32\cmd.exe (PID 1780)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1732)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete

  C:\Windows\system32\cmd.exe (PID 560)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete
    C:\Windows\System32\wbem\WMIC.exe (PID 1532)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete

C:\Windows\system32\vssvc.exe (PID 2828)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)

Replay Monitor
Downloads
- Filesize: 6KB
- MD5: 74a77bd81fa83b32b595eafa20c978ec
- SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
- SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
- SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4