Analysis

max time kernel: 30s
max time network: 29s
platform: windows7_x64
resource: win7v20210410
submitted: 06-05-2021 15:08

Static task: static1
Behavioral task: behavioral1
  Sample: b3175331_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: b3175331_by_Libranalysis.exe
  Resource: win10v20210408

General

Target: b3175331_by_Libranalysis.exe
Size: 146KB
MD5: b3175331ae74ee277e94d3e0bc982bf4
SHA1: db0731d693a1ac46706825dcb91193ae4efec482
SHA256: d5ea463e0719ee2d1705ff305cdd8529bd2ff23dde79c502c4f478937a91f874
SHA512: 38318d3e6461b72c6111e96c4d5aab830e5824b8ef762360d894ea67d9e16b12d54087f7f0fcc8c579824753df039b137294ba6abab0171e294f2c538cc6fa8a
Malware Config

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URLs:
  http://lockbit-decryptor.top/?8B87A11BCEAB4AA5A78753A51BA078A4
  http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5A78753A51BA078A4

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
URLs:
  http://lockbit-decryptor.top/?8B87A11BCEAB4AA5A78753A51BA078A4
  http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5A78753A51BA078A4
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  PID 900 bcdedit.exe
  PID 1768 bcdedit.exe

Deletes backup catalog
Processes:
  PID 1888 wbadmin.exe

Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: b3175331_by_Libranalysis.exe
  File renamed C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.lockbit
  File renamed C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.lockbit
  File renamed C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.lockbit
  File renamed C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.lockbit
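The rename entries above are the raw material for a simple behavioural detector: one process appending the same new extension to many files inside a short window. The following Python is an added example written for this page, not code from the sandbox or from the sample; it assumes a constructed line-oriented rename log in the form "<ISO timestamp> <pid> <image> File renamed <src> => <dst>" (mirroring the report's entries), and the threshold and window values are illustrative choices.

```python
"""Flag a process that appends one new extension to many files quickly.

Added example, not part of the sandbox report. The log format below is an
assumption constructed to mirror the report's "File renamed A => B" rows;
the threshold of 4 renames in 30 seconds is an illustrative choice.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    pid: int
    image: str
    src: str
    dst: str


def parse_line(line: str) -> RenameEvent:
    """Parse one constructed log line (image name is assumed to have no spaces)."""
    head, rest = line.split(" File renamed ", 1)
    ts, pid, image = head.split(" ", 2)
    src, dst = rest.split(" => ", 1)
    return RenameEvent(datetime.fromisoformat(ts), int(pid), image, src, dst)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the extension a rename appended (".lockbit" for
    x.raw -> x.raw.lockbit), or None for any other kind of rename
    (x.txt -> x.bak replaces the extension and is not an append)."""
    if not dst.startswith(src) or len(dst) <= len(src):
        return None
    extra = dst[len(src):]
    if extra.startswith(".") and len(extra) > 1 and "\\" not in extra and "/" not in extra:
        return extra.lower()
    return None


def detect_bulk_rename(events, threshold=4, window=timedelta(seconds=30)):
    """Group appends by (pid, image, new extension) and report a group once
    `threshold` renames fall inside any span of length `window`."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        ext = appended_extension(e.src, e.dst)
        if ext:
            buckets[(e.pid, e.image, ext)].append(e.ts)
    hits = []
    for (pid, image, ext), times in buckets.items():
        for i, start in enumerate(times):  # times are already sorted
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits.append({"pid": pid, "image": image, "ext": ext, "count": n})
                break
    return hits


# Constructed log: the four renames the report lists for PID 1100, one benign
# rename by explorer.exe, and a single .lockbit append from another PID that
# stays below the threshold. Timestamps are invented.
SAMPLE_LOG = r"""
2021-05-06T15:08:40 1100 b3175331_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.lockbit
2021-05-06T15:08:41 1100 b3175331_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.lockbit
2021-05-06T15:08:41 1100 b3175331_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.lockbit
2021-05-06T15:08:42 1100 b3175331_by_Libranalysis.exe File renamed C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.lockbit
2021-05-06T15:08:45 1300 explorer.exe File renamed C:\Users\Admin\Desktop\notes.txt => C:\Users\Admin\Desktop\notes.bak
2021-05-06T15:09:10 2200 other.exe File renamed C:\Users\Admin\Desktop\a.doc => C:\Users\Admin\Desktop\a.doc.lockbit
"""

if __name__ == "__main__":
    for hit in detect_bulk_rename(parse_log(SAMPLE_LOG)):
        print(hit)
```

Keying on the appended extension rather than a fixed string such as ".lockbit" is deliberate: the extension is trivially changed between builds, whereas the burst of uniform appends from one process is the behaviour that has to happen for the files to be encrypted.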
Deletes itself 1 IoCs
Processes:
  PID 3080 cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs
Processes: b3175331_by_Libranalysis.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta"
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b3175331_by_Libranalysis.exe\""

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: b3175331_by_Libranalysis.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7C80.tmp.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
  PID 1100 b3175331_by_Libranalysis.exe (64 entries, all from this PID)
Drops file in Program Files directory 64 IoCs
Processes: b3175331_by_Libranalysis.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107750.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241037.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_fr.dub
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar
  File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18209_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15168_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC
  File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityResume.Dotx
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk
  File opened for modification C:\Program Files\7-Zip\Lang\ka.txt
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf
  File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF
  File opened for modification C:\Program Files\Java\jre7\lib\psfontj2d.properties
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\LightSpirit.css
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.XML
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR25F.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\Restore-My-Files.txt
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Trek.thmx
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\Restore-My-Files.txt
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 1704 vssadmin.exe

Modifies Control Panel 2 IoCs
Processes: b3175331_by_Libranalysis.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\TileWallpaper = "0"

Modifies Internet Explorer settings
Processes: mshta.exe
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main

Runs ping.exe 1 TTPs 1 IoCs
Processes:
  PID 3116 PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  PID 1100 b3175331_by_Libranalysis.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes (privilege enabled, by PID):
  PID 1100 b3175331_by_Libranalysis.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
  PID 1568 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 1908 WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34 and 35 (listed by number only)
  PID 1612 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege

Suspicious use of WriteProcessMemory 35 IoCs
Processes (source PID wrote to memory of target PID; repeated entries counted):
  PID 1100 b3175331_by_Libranalysis.exe -> PID 1736 cmd.exe (4 entries)
  PID 1736 cmd.exe -> PID 1704 vssadmin.exe (3 entries)
  PID 1736 cmd.exe -> PID 1908 WMIC.exe (3 entries)
  PID 1736 cmd.exe -> PID 900 bcdedit.exe (3 entries)
  PID 1736 cmd.exe -> PID 1768 bcdedit.exe (3 entries)
  PID 1736 cmd.exe -> PID 1888 wbadmin.exe (3 entries)
  PID 1100 b3175331_by_Libranalysis.exe -> PID 532 mshta.exe (4 entries)
  PID 1100 b3175331_by_Libranalysis.exe -> PID 3080 cmd.exe (4 entries)
  PID 3080 cmd.exe -> PID 3116 PING.EXE (4 entries)
  PID 3080 cmd.exe -> PID 3252 fsutil.exe (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe (PID 1100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 1736)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe (PID 1704)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe (PID 1908)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe (PID 900 or 1768)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe (PID 900 or 1768)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\wbadmin.exe (PID 1888)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog

  C:\Windows\SysWOW64\mshta.exe (PID 532)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
    - Modifies Internet Explorer settings

  C:\Windows\SysWOW64\cmd.exe (PID 3080)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 3116)
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe

    C:\Windows\SysWOW64\fsutil.exe (PID 3252)
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe"

C:\Windows\system32\vssvc.exe (PID 1568)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 1612)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe

(PIDs are taken from the signature sections above; the tree itself does not distinguish the two bcdedit.exe instances.)
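The process tree above is the part of this report that carries over directly into detection: one cmd.exe chaining vssadmin, wmic, bcdedit and wbadmin to inhibit recovery, an mshta.exe launch of a note in the user profile, and a second cmd.exe that sleeps with ping, zero-fills the original executable with fsutil and deletes it. The Python below is an added example written for this page, not sandbox or sample code; it scores a set of process-creation events by the root of their parent chain. The event fields, the regexes, the two-technique threshold and the benign events are assumptions for illustration, and the malicious events are constructed from the tree above.

```python
"""Score process trees for the recovery-inhibition and self-delete chain.

Added example, not part of the sandbox report. ProcEvent mirrors the fields
a process-creation log would carry; the patterns and the threshold of two
distinct inhibition commands are illustrative choices.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# The commands the report shows chained through one cmd.exe. Matched
# case-insensitively against the whole command line of every process, so the
# parent cmd.exe and each child both count, but the set below deduplicates.
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy_delete":  r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "bcdedit_ignore_failures": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "bcdedit_recovery_off":    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "wbadmin_delete_catalog":  r"wbadmin(\.exe)?\s+delete\s+catalog",
}
SELF_DELETE = re.compile(r"\bdel\s+/f", re.I)
ZERO_FILL = re.compile(r"fsutil\s+file\s+setzerodata", re.I)
HTA_IN_PROFILE = re.compile(r'\\users\\[^"]*\.hta', re.I)


def root_of(tree: dict, pid: int) -> int:
    """Walk parent links to the oldest ancestor present in the event set."""
    seen = set()
    while pid not in seen and tree[pid].ppid in tree:
        seen.add(pid)
        pid = tree[pid].ppid
    return pid


def analyze(events, min_techniques=2):
    """Return one alert per root process whose tree shows at least
    `min_techniques` distinct recovery-inhibition commands, or a cmd.exe
    child asked to delete its parent's own image."""
    tree = {e.pid: e for e in events}
    per_root = defaultdict(lambda: {"techniques": set(), "self_delete": False,
                                    "zero_fill": False, "hta_note": False})
    for e in events:
        f = per_root[root_of(tree, e.pid)]
        for name, pattern in RECOVERY_INHIBITION.items():
            if re.search(pattern, e.cmdline, re.I):
                f["techniques"].add(name)
        parent = tree.get(e.ppid)
        # cmd.exe whose command line deletes the parent's executable path
        if (parent and e.image.lower().endswith("\\cmd.exe")
                and SELF_DELETE.search(e.cmdline)
                and parent.image.lower() in e.cmdline.lower()):
            f["self_delete"] = True
            f["zero_fill"] = bool(ZERO_FILL.search(e.cmdline))
        if e.image.lower().endswith("\\mshta.exe") and HTA_IN_PROFILE.search(e.cmdline):
            f["hta_note"] = True
    alerts = []
    for root, f in per_root.items():
        techniques = sorted(f["techniques"])
        if len(techniques) >= min_techniques or f["self_delete"]:
            alerts.append({"root_pid": root, "root_image": tree[root].image,
                           "recovery_inhibition": techniques,
                           "self_delete": f["self_delete"],
                           "zero_fill": f["zero_fill"],
                           "hta_note": f["hta_note"]})
    return alerts


# Constructed from the report's process tree (PIDs and command lines as
# listed there; parent PID 1000 is an invented launcher), plus two benign
# single-command events from an administrator that must not alert.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\b3175331_by_Libranalysis.exe"
SAMPLE_EVENTS = [
    ProcEvent(1100, 1000, ROOT, f'"{ROOT}"'),
    ProcEvent(1736, 1100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'),
    ProcEvent(1704, 1736, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1908, 1736, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(900, 1736, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1768, 1736, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1888, 1736, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(532, 1100, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"'),
    ProcEvent(3080, 1100, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "{ROOT}" & Del /f /q "{ROOT}"'),
    ProcEvent(3116, 3080, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.7 -n 3"),
    ProcEvent(3252, 3080, r"C:\Windows\SysWOW64\fsutil.exe", f'fsutil file setZeroData offset=0 length=524288 "{ROOT}"'),
    ProcEvent(2100, 1000, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(2101, 1000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Scoring per root rather than per event is what keeps the lone administrative bcdedit change (PID 2100) below the threshold while the same command issued inside PID 1100's tree still counts; the self-delete rule needs no threshold because a shell deleting its parent's image path has no routine explanation.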
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\LockBit-note.hta
MD5: 4f0bef795e2f91849a1f5cd1ea71ce44
SHA1: 254dd3489d207f061a1b82ac33b4dd52c1511181
SHA256: 52c3d4c07dd7b62c4dbf998c0f8a1a5f55d5ddc37f9aa141b7f6f0c5483f3179
SHA512: f40efff91b9152aca092f2deec505d406c6560f4a6bd4b9feb8153a94fe7f662929c97bd694f7819b785ac219db3c701a9c23465318203cd0ad0f3cdb8f6b5ba

memory/532-68-0x0000000000000000-mapping.dmp
memory/900-64-0x0000000000000000-mapping.dmp
memory/1100-60-0x00000000757D1000-0x00000000757D3000-memory.dmp (Filesize 8KB)
memory/1704-62-0x0000000000000000-mapping.dmp
memory/1736-61-0x0000000000000000-mapping.dmp
memory/1768-65-0x0000000000000000-mapping.dmp
memory/1888-66-0x0000000000000000-mapping.dmp
memory/1888-67-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp (Filesize 8KB)
memory/1908-63-0x0000000000000000-mapping.dmp
memory/3080-69-0x0000000000000000-mapping.dmp
memory/3116-70-0x0000000000000000-mapping.dmp
memory/3252-72-0x0000000000000000-mapping.dmp