797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample

General

Target: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
Filesize: 959KB
Completed: 20-10-2021 09:47
Score: 10/10
MD5: f1f4cf1e1f9312bd1d0745fdbdf7bad4
SHA1: 0928f787f9086cea0f78505e657532f740710349
SHA256: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b

Malware Config

Extracted

Path: C:\odt\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: 6C9C509F204EEF7BC4E8D54DC30DAA5A
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path: C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note

Any attempts to restore your files with the thrid-party software will be fatal for your files!
To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us
There is only one way to get your files back:
Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera
Open link - https://decoding.at/
Through a Tor Browser - recommended
Download Tor Browser - https://www.torproject.org/ and install it.
Open one of links in Tor browser and follow instructions on these pages:
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/ or mirror http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/
These links work only in the Tor browser!
Follow the instructions on this page
https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site
Do not rename encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our).
Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
Tor Browser user manual https://tb-manual.torproject.org/about
All your stolen important data will be loaded into our blog if you do not pay ransom.
Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.
URLs

https://decoding.at/

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/

https://decoding.at

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

Signatures (24)

Tactics: Defense Evasion, Discovery, Impact, Persistence
  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit
    bcdedit.exe, bcdedit.exe

    TTPs

    Inhibit System Recovery

    Reported IOCs

    pid | process
    2588 | bcdedit.exe
    3276 | bcdedit.exe
  • Modifies extensions of user files
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\RepairOpen.png => C:\users\admin\pictures\repairopen.png.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File renamed | C:\Users\Admin\Pictures\ClosePublish.png => C:\users\admin\pictures\closepublish.png.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File renamed | C:\Users\Admin\Pictures\FindSuspend.tiff => C:\users\admin\pictures\findsuspend.tiff.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File opened for modification | C:\users\admin\pictures\findsuspend.tiff | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File opened for modification | C:\users\admin\pictures\readconnect.tiff | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File renamed | C:\Users\Admin\Pictures\AssertDisconnect.crw => C:\users\admin\pictures\assertdisconnect.crw.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File renamed | C:\Users\Admin\Pictures\ReadConnect.tiff => C:\users\admin\pictures\readconnect.tiff.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Adds Run key to start application
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{339CD09F-4E4E-EF2E-AB93-ABC99586992C} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe\"" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Drops desktop.ini file(s)
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Enumerates connected drives
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\Z: | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Drops file in System32 directory
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

    description | ioc | process
    File created | C:\windows\SysWOW64\6C9C50.ico | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Sets desktop wallpaper using registry
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2D8F.tmp.bmp" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

    pid | process
    2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Drops file in Program Files directory
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

  • Drops file in Windows directory
    taskmgr.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | taskmgr.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks SCSI registry key(s)
    taskmgr.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | taskmgr.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | taskmgr.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1156 | vssadmin.exe
  • Modifies Control Panel
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "2" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\TileWallpaper = "0" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Modifies registry class
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe

    Reported IOCs

    description | ioc | process
    Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\.lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\Lockbit\shell | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\htafile\DefaultIcon | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\Lockbit | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Key created | \Registry\Machine\Software\Classes\Lockbit\DefaultIcon | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    3032 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe, taskmgr.exe

    Reported IOCs

    pid | process
    2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    2976 | taskmgr.exe
    2404797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    2404797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  • Suspicious behavior: GetForegroundWindowSpam
    taskmgr.exe

    Reported IOCs

    pidprocess
    2976taskmgr.exe
  • Suspicious use of AdjustPrivilegeToken
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe, vssvc.exe, WMIC.exe, taskmgr.exe

    Reported IOCs

    description                              pid   process
    Token: SeTakeOwnershipPrivilege          2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Token: SeDebugPrivilege                  2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    Token: SeBackupPrivilege                 1188  vssvc.exe
    Token: SeRestorePrivilege                1188  vssvc.exe
    Token: SeAuditPrivilege                  1188  vssvc.exe
    Token: SeIncreaseQuotaPrivilege          2848  WMIC.exe
    Token: SeSecurityPrivilege               2848  WMIC.exe
    Token: SeTakeOwnershipPrivilege          2848  WMIC.exe
    Token: SeLoadDriverPrivilege             2848  WMIC.exe
    Token: SeSystemProfilePrivilege          2848  WMIC.exe
    Token: SeSystemtimePrivilege             2848  WMIC.exe
    Token: SeProfSingleProcessPrivilege      2848  WMIC.exe
    Token: SeIncBasePriorityPrivilege        2848  WMIC.exe
    Token: SeCreatePagefilePrivilege         2848  WMIC.exe
    Token: SeBackupPrivilege                 2848  WMIC.exe
    Token: SeRestorePrivilege                2848  WMIC.exe
    Token: SeShutdownPrivilege               2848  WMIC.exe
    Token: SeDebugPrivilege                  2848  WMIC.exe
    Token: SeSystemEnvironmentPrivilege      2848  WMIC.exe
    Token: SeRemoteShutdownPrivilege         2848  WMIC.exe
    Token: SeUndockPrivilege                 2848  WMIC.exe
    Token: SeManageVolumePrivilege           2848  WMIC.exe
    Token: 33                                2848  WMIC.exe
    Token: 34                                2848  WMIC.exe
    Token: 35                                2848  WMIC.exe
    Token: 36                                2848  WMIC.exe
    Token: SeDebugPrivilege                  2976  taskmgr.exe
    Token: SeSystemProfilePrivilege          2976  taskmgr.exe
    Token: SeCreateGlobalPrivilege           2976  taskmgr.exe
  • Suspicious use of FindShellTrayWindow
    taskmgr.exe

    Reported IOCs

    pid   process
    2976  taskmgr.exe
  • Suspicious use of SendNotifyMessage
    taskmgr.exe

    Reported IOCs

    pid   process
    2976  taskmgr.exe
  • Suspicious use of WriteProcessMemory
    797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe, cmd.exe, cmd.exe

    Reported IOCs

    description                        pid   process                                                                           target process
    PID 2404 wrote to memory of 1004   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  cmd.exe
    PID 1004 wrote to memory of 1156   1004  cmd.exe                                                                           vssadmin.exe
    PID 1004 wrote to memory of 2848   1004  cmd.exe                                                                           WMIC.exe
    PID 1004 wrote to memory of 2588   1004  cmd.exe                                                                           bcdedit.exe
    PID 1004 wrote to memory of 3276   1004  cmd.exe                                                                           bcdedit.exe
    PID 2404 wrote to memory of 3684   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  mshta.exe
    PID 2404 wrote to memory of 1112   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  cmd.exe
    PID 1112 wrote to memory of 3032   1112  cmd.exe                                                                           PING.EXE
    PID 1112 wrote to memory of 1164   1112  cmd.exe                                                                           fsutil.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
    Modifies extensions of user files
    Adds Run key to start application
    Drops desktop.ini file(s)
    Enumerates connected drives
    Drops file in System32 directory
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Drops file in Program Files directory
    Modifies Control Panel
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        Interacts with shadow copies
        PID:1156
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        Suspicious use of AdjustPrivilegeToken
        PID:2848
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Modifies boot configuration data using bcdedit
        PID:2588
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        Modifies boot configuration data using bcdedit
        PID:3276
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      PID:3684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
      Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        Runs ping.exe
        PID:3032
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
        PID:1164
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    PID:784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1188
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2332
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    Drops file in Windows directory
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:2976
Network
MITRE ATT&CK Matrix
    Collection, Command and Control, Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation
                  Downloads
  • C:\Users\Admin\Desktop\LockBit_Ransomware.hta
    MD5     c15c6adc8c923ad87981f289025c37b2
    SHA1    bfe6533f4afe3255046f7178f289a4c75ad89e76
    SHA256  90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
    SHA512  31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83

  • memory/1004-115-0x0000000000000000-mapping.dmp
  • memory/1112-121-0x0000000000000000-mapping.dmp
  • memory/1156-116-0x0000000000000000-mapping.dmp
  • memory/1164-124-0x0000000000000000-mapping.dmp
  • memory/2588-118-0x0000000000000000-mapping.dmp
  • memory/2848-117-0x0000000000000000-mapping.dmp
  • memory/3032-122-0x0000000000000000-mapping.dmp
  • memory/3684-120-0x0000000000000000-mapping.dmp