Analysis
- max time kernel: 135s
- max time network: 137s
- platform: windows10_x64
- resource: win10
- submitted: 19-06-2020 17:58
- Static task: static1
- Behavioral task: behavioral1 (sample Lockbit.bin.exe, resource win7)
- Behavioral task: behavioral2 (sample Lockbit.bin.exe, resource win10)
General
- Target: Lockbit.bin.exe
- Size: 101KB
- MD5: 889328e2cf5f5d74531b9b0a25c1871c
- SHA1: d14a6e699a1f0805bd1248c80c2dc9dfccf0f403
- SHA256: 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f
- SHA512: f14ed75d97d2cd7e351f3cf75f9f374c2e9e388a1f5855a478d50b098b1250a67e375bdbd193b24d00bc052e0b3f8018cb3e74760be8c40b860be9f3d0ba2493
Malware Config
- Extracted from: C:\odt\Restore-My-Files.txt
- Family: lockbit
- URL: http://lockbitks2tvnmwk.onion/?D0407AC9D97C78CBBA0A23576F9C683E
Signatures
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  Registry keys created by vssvc.exe:
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes: Lockbit.bin.exe, vssvc.exe, WMIC.exe, wbengine.exe
  Privileges enabled via AdjustPrivilegeToken, grouped by process:
  - Lockbit.bin.exe (PID 4092): SeDebugPrivilege, SeTakeOwnershipPrivilege
  - vssvc.exe (PID 1056): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - WMIC.exe (PID 1612), each entry recorded twice in the raw log (42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - wbengine.exe (PID 2256): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Processes: wbadmin.exe (PID 1392)
- Drops file in Program Files directory (8895 IoCs)
  Processes: Lockbit.bin.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: Lockbit.bin.exe, cmd.exe, cmd.exe
  Source PID and process -> target PID and process (repeated entries in the raw log are counted):
  - 4092 Lockbit.bin.exe -> 796 cmd.exe (x2)
  - 796 cmd.exe -> 420 vssadmin.exe (x2)
  - 796 cmd.exe -> 1612 WMIC.exe (x2)
  - 796 cmd.exe -> 1792 bcdedit.exe (x2)
  - 796 cmd.exe -> 2036 bcdedit.exe (x2)
  - 796 cmd.exe -> 1392 wbadmin.exe (x2)
  - 4092 Lockbit.bin.exe -> 5080 cmd.exe (x3)
  - 5080 cmd.exe -> 1320 PING.EXE (x3)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: Lockbit.bin.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8FE2.tmp.bmp" (Lockbit.bin.exe)
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes: Lockbit.bin.exe
  - Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Lockbit.bin.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\"" (Lockbit.bin.exe)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Drops desktop.ini file(s) (1 IoCs)
  Processes: Lockbit.bin.exe
  - File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini (Lockbit.bin.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 420)
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe (PID 1792), bcdedit.exe (PID 2036)
- Deletes system backup catalog (2 TTPs)
  Ransomware often tries to delete backup files to inhibit system recovery.
- Modifies control panel (2 IoCs)
  Processes: Lockbit.bin.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\WallpaperStyle = "2" (Lockbit.bin.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\TileWallpaper = "0" (Lockbit.bin.exe)
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Enumerates connected drives (3 TTPs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Lockbit.bin.exe (PID 4092), recorded twice
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vds.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (vds.exe)
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (vds.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (vds.exe)
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName (vds.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Lockbit.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lockbit.bin.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  - Adds Run entry to start application
  - Drops desktop.ini file(s)
  - Modifies control panel
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Lockbit.bin.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 20
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (depth 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (depth 1)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/420-1-0x0000000000000000-mapping.dmp
- memory/796-0-0x0000000000000000-mapping.dmp
- memory/1320-7-0x0000000000000000-mapping.dmp
- memory/1392-5-0x0000000000000000-mapping.dmp
- memory/1612-2-0x0000000000000000-mapping.dmp
- memory/1792-3-0x0000000000000000-mapping.dmp
- memory/2036-4-0x0000000000000000-mapping.dmp
- memory/5080-6-0x0000000000000000-mapping.dmp