Analysis
-
max time kernel: 271s
max time network: 244s
platform: windows10_x64
resource: win10-en-20210920
submitted: 20-10-2021 09:42
-
Static task: static1
Behavioral task: behavioral1
Sample: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
Resource: win10-en-20210920
-
General
-
Target: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
Size: 959KB
MD5: f1f4cf1e1f9312bd1d0745fdbdf7bad4
SHA1: 0928f787f9086cea0f78505e657532f740710349
SHA256: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b
SHA512: a99efe999c311a82605882b34583fe6bcb1aaa69f18eb0a8f6446c492678bb96940eb534b23f3b9a010053b11e8657fd2b64fecdb5c78e87269deaf11e6a0bea
Malware Config
Extracted
C:\odt\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe
  pid | process
  2588 | bcdedit.exe
  3276 | bcdedit.exe
-
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  File renamed | C:\Users\Admin\Pictures\RepairOpen.png => C:\users\admin\pictures\repairopen.png.lockbit
  File renamed | C:\Users\Admin\Pictures\ClosePublish.png => C:\users\admin\pictures\closepublish.png.lockbit
  File renamed | C:\Users\Admin\Pictures\FindSuspend.tiff => C:\users\admin\pictures\findsuspend.tiff.lockbit
  File opened for modification | C:\users\admin\pictures\findsuspend.tiff
  File opened for modification | C:\users\admin\pictures\readconnect.tiff
  File renamed | C:\Users\Admin\Pictures\AssertDisconnect.crw => C:\users\admin\pictures\assertdisconnect.crw.lockbit
  File renamed | C:\Users\Admin\Pictures\ReadConnect.tiff => C:\users\admin\pictures\readconnect.tiff.lockbit
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{339CD09F-4E4E-EF2E-AB93-ABC99586992C} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe\""
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta"
-
Drops desktop.ini file(s) (1 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini
-
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  File opened (read-only) | \??\Z:
-
Drops file in System32 directory (2 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  File created | C:\windows\SysWOW64\6C9C50.ico
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2D8F.tmp.bmp"
-
Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  pid | process
  2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe (all 21 entries)
-
Drops file in Program Files directory (64 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\adobe_spinner.gif
  File opened for modification | C:\program files\videolan\vlc\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
  File opened for modification | C:\program files\microsoft office\root\office16\excel-udf-host.win32.bundle
  File opened for modification | C:\program files\unlockwatch.midi
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\sv-se\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\sk-sk\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\Restore-My-Files.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\homestudent2019r_trial-ppd.xrm-ms
  File opened for modification | C:\program files\videolan\vlc\locale\ko\lc_messages\vlc.mo
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\zh-cn\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\js\nls\zh-tw\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\images\themes\dark\close-2.svg
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\images\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\task-handler\css\main-selector.css
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\app-center\js\nls\ro-ro\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\js\nls\ro-ro\Restore-My-Files.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\projectpror_retail-ul-phn.xrm-ms
  File created | C:\program files\microsoft office\root\office16\fpa_f3\Restore-My-Files.txt
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account-select\css\Restore-My-Files.txt
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\viewer\nls\Restore-My-Files.txt
  File created | C:\program files\videolan\vlc\locale\nl\lc_messages\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_gridview-hover.svg
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\mac\romanian.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\feature.xml
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_cn.jar
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml
  File opened for modification | C:\program files\microsoft office\root\office16\1033\excel_k_col.hxk
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\images\themes\dark\completecheckmark.png
  File created | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\css\main.css
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\js\nls\cs-cz\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\sk-sk\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\jre\lib\ext\localedata.jar
  File opened for modification | C:\program files\microsoft office\root\licenses16\mondor_oem_perp-ppd.xrm-ms
  File opened for modification | C:\program files\videolan\vlc\locale\bg\lc_messages\vlc.mo
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\homebanner.svg
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar
  File created | C:\program files\microsoft office\root\fre\Restore-My-Files.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\outlookvl_mak-pl.xrm-ms
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\win8-scrollbar\arrow-right.gif
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\js\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\js\nls\nl-nl\ui-strings.js
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\draghandle.png
  File opened for modification | C:\program files\microsoft office\root\licenses16\o365businessr_subscription-ppd.xrm-ms
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\es-es\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\app-center\js\nls\eu-es\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js
  File opened for modification | C:\program files\java\jre1.8.0_66\lib\ext\meta-index
  File opened for modification | C:\program files\microsoft office\root\licenses16\skypeforbusinessvl_mak-pl.xrm-ms
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_cn.jar
  File opened for modification | C:\program files\microsoft office\root\licenses16\homestudentr_retail-ul-phn.xrm-ms
  File opened for modification | C:\program files\microsoft office\root\office16\logoimages\firstrunlogo.contrast-black_scale-140.png
-
Drops file in Windows directory (2 IoCs)
Processes: taskmgr.exe
  description | ioc
  File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri
  File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
-
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid | process
  1156 | vssadmin.exe
-
Modifies Control Panel (2 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\TileWallpaper = "0"
-
Modifies registry class (15 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  description | ioc
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico"
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings
  Key created | \Registry\Machine\Software\Classes\.lockbit
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico"
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\""
  Key created | \Registry\Machine\Software\Classes\htafile\DefaultIcon
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6C9C50.ico"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit"
  Key created | \Registry\Machine\Software\Classes\Lockbit
  Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  Key created | \Registry\Machine\Software\Classes\Lockbit\DefaultIcon
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe, taskmgr.exe
  pid | process (64 entries, interleaved between the two processes)
  2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  2976 | taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: taskmgr.exe
  pid | process
  2976 | taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe, vssvc.exe, WMIC.exe, taskmgr.exe
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  Token: SeDebugPrivilege | 2404 | 797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  Token: SeBackupPrivilege | 1188 | vssvc.exe
  Token: SeRestorePrivilege | 1188 | vssvc.exe
  Token: SeAuditPrivilege | 1188 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 2848 | WMIC.exe
  Token: SeSecurityPrivilege | 2848 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2848 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2848 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2848 | WMIC.exe
  Token: SeSystemtimePrivilege | 2848 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2848 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2848 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2848 | WMIC.exe
  Token: SeBackupPrivilege | 2848 | WMIC.exe
  Token: SeRestorePrivilege | 2848 | WMIC.exe
  Token: SeShutdownPrivilege | 2848 | WMIC.exe
  Token: SeDebugPrivilege | 2848 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2848 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2848 | WMIC.exe
  Token: SeUndockPrivilege | 2848 | WMIC.exe
  Token: SeManageVolumePrivilege | 2848 | WMIC.exe
  Token: 33 | 2848 | WMIC.exe
  Token: 34 | 2848 | WMIC.exe
  Token: 35 | 2848 | WMIC.exe
  Token: 36 | 2848 | WMIC.exe
  (the 21 WMIC.exe token entries above are recorded a second time, in the same order)
  Token: SeDebugPrivilege | 2976 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2976 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2976 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid   process
2976  taskmgr.exe (the same entry is listed 64 times)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid   process
2976  taskmgr.exe (the same entry is listed 64 times)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description                        pid   process                                                                          target process
PID 2404 wrote to memory of 1004   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  cmd.exe       (listed 2 times)
PID 1004 wrote to memory of 1156   1004  cmd.exe                                                                          vssadmin.exe  (listed 2 times)
PID 1004 wrote to memory of 2848   1004  cmd.exe                                                                          WMIC.exe      (listed 2 times)
PID 1004 wrote to memory of 2588   1004  cmd.exe                                                                          bcdedit.exe   (listed 2 times)
PID 1004 wrote to memory of 3276   1004  cmd.exe                                                                          bcdedit.exe   (listed 2 times)
PID 2404 wrote to memory of 3684   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  mshta.exe     (listed 3 times)
PID 2404 wrote to memory of 1112   2404  797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe  cmd.exe       (listed 3 times)
PID 1112 wrote to memory of 3032   1112  cmd.exe                                                                          PING.EXE      (listed 3 times)
PID 1112 wrote to memory of 1164   1112  cmd.exe                                                                          fsutil.exe    (listed 3 times)
Processes (process tree; child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe
    - C:\Windows\SysWOW64\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\797b35dae0cf6a963be9fae0a7314fca0f40be447d72ca9aba75366391b58c8b.bin.sample.exe"
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  MD5 c15c6adc8c923ad87981f289025c37b2
  SHA1 bfe6533f4afe3255046f7178f289a4c75ad89e76
  SHA256 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
  SHA512 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83
- memory/1004-115-0x0000000000000000-mapping.dmp
- memory/1112-121-0x0000000000000000-mapping.dmp
- memory/1156-116-0x0000000000000000-mapping.dmp
- memory/1164-124-0x0000000000000000-mapping.dmp
- memory/2588-118-0x0000000000000000-mapping.dmp
- memory/2848-117-0x0000000000000000-mapping.dmp
- memory/3032-122-0x0000000000000000-mapping.dmp
- memory/3684-120-0x0000000000000000-mapping.dmp