Analysis
max time kernel: 178s
max time network: 138s
platform: windows10_x64
resource: win10-en-20210920
submitted: 20-10-2021 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe
  Resource: win10-en-20210920
General
Target: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe
Size: 7.5MB
MD5: ce5d09832339eb7ef86f2c22b4904a20
SHA1: e2db01d0a5572f580f5b7b28b4c9f1a04b35dc06
SHA256: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446
SHA512: 3c6c6dc0943320f151aacdf04bb417fe42454f52b7f5a1cf2a1e8f6c0e57e8d73a1637c90253cbef87815dfc857c118cb1d29f313e2814d1ea30a19789db5d26
Malware Config
Extracted from C:\odt\Restore-My-Files.txt:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
  https://decoding.at/
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
  https://decoding.at
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid   process
  1688  bcdedit.exe
  3300  bcdedit.exe

Executes dropped EXE 2 IoCs
Processes:
  pid   process
  3580  irsetup.exe
  840   sharpsvn.exe

Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (all entries by sharpsvn.exe):
  File renamed C:\Users\Admin\Pictures\CompressAssert.tiff => C:\users\admin\pictures\compressassert.tiff.lockbit
  File opened for modification C:\users\admin\pictures\compressassert.tiff
  File renamed C:\Users\Admin\Pictures\InvokeUnregister.tif => C:\users\admin\pictures\invokeunregister.tif.lockbit
  File renamed C:\Users\Admin\Pictures\ResolveEnable.png => C:\users\admin\pictures\resolveenable.png.lockbit
  File renamed C:\Users\Admin\Pictures\UnlockMerge.tiff => C:\users\admin\pictures\unlockmerge.tiff.lockbit
  File renamed C:\Users\Admin\Pictures\ResolveAssert.tif => C:\users\admin\pictures\resolveassert.tif.lockbit
  File opened for modification C:\users\admin\pictures\unlockmerge.tiff
  File renamed C:\Users\Admin\Pictures\PingDebug.crw => C:\users\admin\pictures\pingdebug.crw.lockbit
  File renamed C:\Users\Admin\Pictures\LockRead.crw => C:\users\admin\pictures\lockread.crw.lockbit
  File renamed C:\Users\Admin\Pictures\OutConvert.crw => C:\users\admin\pictures\outconvert.crw.lockbit

UPX packed file 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   upx
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   upx

Loads dropped DLL 4 IoCs
Processes:
  pid   process
  3580  irsetup.exe (3 entries)
  840   sharpsvn.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes (all entries by sharpsvn.exe):
  Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4461224A-7171-AB9C-E118-E1E7D9586D2C} = "\"C:\\Users\\Admin\\AppData\\Roaming\\SBOP Crystal\\sharpsvn.exe\""
  Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta"

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) 1 IoCs
Processes:
  File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini   sharpsvn.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) \??\Z:   sharpsvn.exe

Drops file in System32 directory 1 IoCs
Processes:
  File created C:\Windows\system32\spool\PRINTERS\00002.SPL   sharpsvn.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\24B5.tmp.bmp"   sharpsvn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
Processes:
  pid   process
  840   sharpsvn.exe (20 entries)

Drops file in Program Files directory 64 IoCs
Processes (all entries by sharpsvn.exe):
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar
  File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\hintbarellipses.16.grayf.png
  File created C:\program files\videolan\vlc\locale\bn\lc_messages\Restore-My-Files.txt
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\es-es\Restore-My-Files.txt
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\it-it\Restore-My-Files.txt
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\nls\ja-jp\Restore-My-Files.txt
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar
  File opened for modification C:\program files\microsoft office\root\office16\msipc\thirdpartynotices.txt
  File opened for modification C:\program files\videolan\vlc\locale\th\lc_messages\vlc.mo
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\js\nls\it-it\Restore-My-Files.txt
  File opened for modification C:\program files\microsoft office\root\licenses16\proplus2019r_retail-ul-phn.xrm-ms
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\hr-hr\Restore-My-Files.txt
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\reviews\js\nls\it-it\ui-strings.js
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\config\modules\org-openide-options.xml
  File opened for modification C:\program files\microsoft office\root\licenses16\visiopromsdnr_retail-ppd.xrm-ms
  File opened for modification C:\program files\java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\config\modules\org-netbeans-modules-profiler-snaptracer.xml
  File opened for modification C:\program files\microsoft office\root\licenses16\publisher2019r_retail-pl.xrm-ms
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\uk-ua\Restore-My-Files.txt
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\fillnsign_visual.svg
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml
  File created C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\meta-inf\Restore-My-Files.txt
  File opened for modification C:\program files\microsoft office\root\licenses16\access2019r_trial-ul-oob.xrm-ms
  File opened for modification C:\program files\microsoft office\root\office16\logoimages\winwordlogo.contrast-black_scale-80.png
  File created C:\program files\mozilla firefox\browser\visualelements\Restore-My-Files.txt
  File opened for modification C:\program files\videolan\vlc\locale\de\lc_messages\vlc.mo
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\ct.sym
  File opened for modification C:\program files\microsoft office\root\office16\msocrres.orp
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js
  File opened for modification C:\program files\java\jdk1.8.0_66\db\bin\sysinfo
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\apple-touch-icon-72x72-precomposed.png
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_illuemptyfolder_160.svg
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\de-de\Restore-My-Files.txt
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html
  File opened for modification C:\program files\microsoft office\root\licenses16\mondovl_mak-ppd.xrm-ms
  File opened for modification C:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\cartridges\orcl7.xsl
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\hu-hu\Restore-My-Files.txt
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\appstore\download_on_the_app_store_badge_ja_135x40.svg
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar
  File opened for modification C:\program files\microsoft office\root\licenses16\o365proplusedur_subscription-ppd.xrm-ms
  File opened for modification C:\program files\microsoft office\root\licenses16\outlook2019r_oem_perp-ul-phn.xrm-ms
  File opened for modification C:\program files\microsoft office\root\office16\livepersonacard\lpc.win32.bundle
  File created C:\program files\videolan\vlc\locale\pt_br\lc_messages\Restore-My-Files.txt
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\nl-nl\Restore-My-Files.txt
  File opened for modification C:\program files\microsoft office\root\licenses16\visiopro2019xc2rvl_makc2r-pl.xrm-ms
  File opened for modification C:\program files\microsoft office\root\office16\pagesize\pglbl111.xml
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\playstore\cs_get.svg
  File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar
  File opened for modification C:\program files\microsoft office\root\licenses16\o365homepremr_subscription3-pl.xrm-ms
  File opened for modification C:\program files\microsoft office\root\licenses16\professional2019r_trial-ul-oob.xrm-ms
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js
  File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\send2.16.white@2x.png
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\js\nls\it-it\Restore-My-Files.txt
  File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\Restore-My-Files.txt
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js
  File opened for modification C:\program files\java\jdk1.8.0_66\jre\lib\cmm\srgb.pf
  File opened for modification C:\program files\microsoft office\root\licenses16\skypeforbusinessr_trial-ul-oob.xrm-ms
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\zh-tw\ui-strings.js
  File opened for modification C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js

Drops file in Windows directory 2 IoCs
Processes (all entries by taskmgr.exe):
  File created C:\Windows\rescache\_merged\4183903823\1195458082.pri
  File created C:\Windows\rescache\_merged\1601268389\3068621934.pri

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (all entries by taskmgr.exe):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  3900  vssadmin.exe

Modifies Control Panel 2 IoCs
Processes (all entries by sharpsvn.exe):
  Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\TileWallpaper = "0"

Modifies registry class 28 IoCs
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32   irsetup.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32   irsetup.exe
  Key created \Registry\Machine\Software\Classes\htafile\DefaultIcon   sharpsvn.exe
  Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings   sharpsvn.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}   irsetup.exe
  Key created \Registry\Machine\Software\Classes\.lockbit   sharpsvn.exe
  Key created \Registry\Machine\Software\Classes\Lockbit   sharpsvn.exe
  Key created \Registry\Machine\Software\Classes\Lockbit\DefaultIcon   sharpsvn.exe
  Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command   sharpsvn.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class"   sharpsvn.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SBOP Crystal\\Filters\\LC.dll"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\ = "Elecard LC"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ThreadingModel = "both"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit"   sharpsvn.exe
  Key created \Registry\Machine\Software\Classes\Lockbit\shell   sharpsvn.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\""   sharpsvn.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\C761DC.ico"   sharpsvn.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}   irsetup.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SBOP Crystal\\Filters\\LC.dll"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ThreadingModel = "both"   irsetup.exe
  Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open   sharpsvn.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SBOP Crystal\\7-zip.dll"   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\ = "Elecard LC"   irsetup.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}   irsetup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\C761DC.ico"   sharpsvn.exe
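Added example, not part of the sandbox report or of the sample: a small Python triage pass over the "Set value (str)" registry-write lines that this report prints in the "Adds Run key" and "Modifies registry class" signatures above. It parses the sandbox's line format (operation, key, quoted data with escaped backslashes, writing process), then flags the two things a responder cares about in this sample: Run-key autostarts that point into user-writable directories or at an .hta, and a new file association (.lockbit) whose shell\Open\Command handler is mshta.exe. The input lines are copied from this report and used as constructed test data; the ATT&CK labels (T1547.001, T1491.001) are my mapping, not the report's.

```python
import re

# Constructed input: "Set value (str)" lines copied from this sandbox report.
SAMPLE_REGISTRY_WRITES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4461224A-7171-AB9C-E118-E1E7D9586D2C} = "\"C:\\Users\\Admin\\AppData\\Roaming\\SBOP Crystal\\sharpsvn.exe\"" sharpsvn.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" sharpsvn.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" sharpsvn.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" sharpsvn.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\24B5.tmp.bmp" sharpsvn.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" irsetup.exe',
]

# operation, key path, "data" (report escapes \ and " inside it), writing process
LINE_RE = re.compile(r'^Set value \(str\) (?P<key>\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# Directories an unprivileged user can write to; an autostart pointing here is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\temp\\", "\\users\\public\\")


def parse_registry_write(line):
    """Split one report line into key, unescaped data and the writing process."""
    m = LINE_RE.match(line)
    if not m:
        return None
    data = re.sub(r"\\(.)", r"\1", m["data"])  # undo the report's \\ and \" escaping
    return {"key": m["key"], "data": data, "process": m["proc"]}


def classify(entry):
    """Return (label, detail) findings for one parsed registry write."""
    key = entry["key"].lower()
    data = entry["data"].lower().strip('"')
    findings = []
    if "\\software\\microsoft\\windows\\currentversion\\run\\" in key:
        why = []
        if any(p in data for p in USER_WRITABLE):
            why.append("target lives in a user-writable directory")
        if data.endswith(".hta"):
            why.append("target is an HTA script (runs under mshta.exe)")
        findings.append(("T1547.001 Run-key persistence", "; ".join(why) or "plain autostart"))
    if "\\classes\\" in key and key.endswith("\\shell\\open\\command\\"):
        detail = "handler is mshta.exe, a LOLBin that executes script from an .hta" \
            if "mshta.exe" in data else "handler changed"
        findings.append(("file-association handler hijack", detail))
    ext = re.search(r"\\classes\\(\.[a-z0-9]+)\\$", key)
    if ext:
        findings.append(("new file extension registered", ext.group(1)))
    if key.endswith("\\control panel\\desktop\\wallpaper"):
        findings.append(("T1491.001 desktop wallpaper replaced", data))
    return findings


def triage(lines):
    """Parse every line, classify it and return the flagged writes in report order."""
    out = []
    for line in lines:
        entry = parse_registry_write(line)
        if entry is None:
            continue  # "Key created" and other operations carry no data; skipped here
        for label, detail in classify(entry):
            out.append({"process": entry["process"], "key": entry["key"],
                        "label": label, "detail": detail})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_REGISTRY_WRITES):
        print(f'{hit["process"]:13} {hit["label"]}: {hit["detail"]}')
```

The CLSID\InprocServer32 writes by irsetup.exe produce no finding; they are the installer registering its bundled 7-Zip and Elecard COM objects, which is the same registry noise a legitimate Setup Factory installer leaves. Five of the six lines are flagged, all by sharpsvn.exe, which is the process the analyst wants to pivot on.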

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  768   taskmgr.exe (58 entries)
  840   sharpsvn.exe (6 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  768   taskmgr.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
  token                         pid   process
  SeDebugPrivilege              768   taskmgr.exe
  SeSystemProfilePrivilege      768   taskmgr.exe
  SeCreateGlobalPrivilege       768   taskmgr.exe
  SeTakeOwnershipPrivilege      840   sharpsvn.exe
  SeDebugPrivilege              840   sharpsvn.exe
  SeBackupPrivilege             660   vssvc.exe
  SeRestorePrivilege            660   vssvc.exe
  SeAuditPrivilege              660   vssvc.exe
  SeIncreaseQuotaPrivilege      664   WMIC.exe
  SeSecurityPrivilege           664   WMIC.exe
  SeTakeOwnershipPrivilege      664   WMIC.exe
  SeLoadDriverPrivilege         664   WMIC.exe
  SeSystemProfilePrivilege      664   WMIC.exe
  SeSystemtimePrivilege         664   WMIC.exe
  SeProfSingleProcessPrivilege  664   WMIC.exe
  SeIncBasePriorityPrivilege    664   WMIC.exe
  SeCreatePagefilePrivilege     664   WMIC.exe
  SeBackupPrivilege             664   WMIC.exe
  SeRestorePrivilege            664   WMIC.exe
  SeShutdownPrivilege           664   WMIC.exe
  SeDebugPrivilege              664   WMIC.exe
  SeSystemEnvironmentPrivilege  664   WMIC.exe
  SeRemoteShutdownPrivilege     664   WMIC.exe
  SeUndockPrivilege             664   WMIC.exe
  SeManageVolumePrivilege       664   WMIC.exe
  33                            664   WMIC.exe
  34                            664   WMIC.exe
  35                            664   WMIC.exe
  36                            664   WMIC.exe
  (the 21 WMIC.exe entries above are recorded a second time in the same order, giving 42 WMIC.exe entries in total)

Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid   process
  768   taskmgr.exe (64 entries)

Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  pid   process
  768   taskmgr.exe (64 entries)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  3580  irsetup.exe (2 entries)

Suspicious use of WriteProcessMemory 19 IoCs
Processes:
  pid   process                                                                   target pid   target process
  1684  90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe     3580         irsetup.exe (3 entries)
  3580  irsetup.exe                                                               840          sharpsvn.exe (3 entries)
  840   sharpsvn.exe                                                              2784         cmd.exe (2 entries)
  2784  cmd.exe                                                                   3900         vssadmin.exe (2 entries)
  2784  cmd.exe                                                                   664          WMIC.exe (2 entries)
  2784  cmd.exe                                                                   1688         bcdedit.exe (2 entries)
  2784  cmd.exe                                                                   3300         bcdedit.exe (2 entries)
  840   sharpsvn.exe                                                              2400         mshta.exe (3 entries)

Processes
C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2481030822-2828258191-1606198294-1000"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\System32\Wbem\WMIC.exe
          cmdline: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
      C:\Windows\SysWOW64\mshta.exe
        cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
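Added example, not part of the sandbox report: a Python detection pass over process-creation events that catches the recovery-inhibition chain in the process tree above. The event list is constructed from that tree (pid, ppid, image, command line as the report shows them); the parent pid 1000 for the two top-level processes and the tuple format are my assumptions. The four patterns correspond to the commands the sample runs through cmd.exe /c (ATT&CK T1490, Inhibit System Recovery, is my mapping). Hits are attributed to the first non-shell ancestor, so the alert names sharpsvn.exe and its lineage rather than cmd.exe, and only an origin with at least two distinct techniques is reported, because a lone vssadmin delete shadows also shows up in legitimate backup housekeeping.

```python
import re
import ntpath  # ntpath.basename splits Windows paths correctly on any host OS

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe"

# Constructed process-creation events (pid, ppid, image, command line) taken from
# the process tree in this report. ppid 1000 is an assumed placeholder parent for
# the two top-level processes; the report does not show their parent.
EVENTS = [
    (1684, 1000, SAMPLE, f'"{SAMPLE}"'),
    (3580, 1684, r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 '
     r'"__IRAFN:' + SAMPLE + r'" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2481030822-2828258191-1606198294-1000"'),
    (840, 3580, r"C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe",
     r'"C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe"'),
    (2784, 840, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
     r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (3900, 2784, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (664, 2784, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1688, 2784, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (3300, 2784, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (2400, 840, r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta"'),
    (768, 1000, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# Interpreter shells are skipped when attributing a hit to its originating process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# T1490 patterns: one per command the sample chains through cmd.exe /c.
T1490_RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit recoveryenabled no": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit bootstatuspolicy ignoreallfailures":
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def index_events(events):
    """pid -> (ppid, image, cmdline) for parent lookups."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def match_rules(cmdline):
    """Names of every T1490 rule whose pattern appears in one command line."""
    return [name for name, rx in T1490_RULES.items() if rx.search(cmdline)]


def origin_of(procs, pid):
    """Climb from pid's parent past interpreter shells to the first non-shell ancestor."""
    ppid = procs[pid][0]
    while ppid in procs and ntpath.basename(procs[ppid][1]).lower() in SHELLS:
        ppid = procs[ppid][0]
    return ppid if ppid in procs else pid


def lineage(procs, pid):
    """Image basenames from pid up to the root that the event set knows about."""
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid][1]))
        pid = procs[pid][0]
    return chain


def detect_recovery_inhibit(events, min_distinct=2):
    """Group T1490 hits by originating process; report origins with >= min_distinct techniques."""
    procs = index_events(events)
    by_origin = {}
    for pid, (_ppid, _image, cmdline) in procs.items():
        names = match_rules(cmdline)
        if not names:
            continue
        entry = by_origin.setdefault(origin_of(procs, pid), {"techniques": set(), "pids": set()})
        entry["techniques"].update(names)
        entry["pids"].add(pid)
    return [
        {"origin_pid": origin, "lineage": lineage(procs, origin),
         "techniques": sorted(e["techniques"]), "pids": sorted(e["pids"])}
        for origin, e in by_origin.items() if len(e["techniques"]) >= min_distinct
    ]


if __name__ == "__main__":
    for alert in detect_recovery_inhibit(EVENTS):
        print(f'T1490 from pid {alert["origin_pid"]} ({" <- ".join(alert["lineage"])}):')
        for t in alert["techniques"]:
            print("  ", t)
        print("   child pids:", alert["pids"])
```

The cmd.exe line itself matches all four rules, and each child process matches one; both views end up under the same origin (pid 840), so the output reads as one alert with five contributing pids instead of five separate alerts. Feeding the same function Sysmon Event ID 1 or Security 4688 records only requires mapping their ProcessId, ParentProcessId, Image and CommandLine fields onto the tuple.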
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  MD5: ac23d03c4b8d531016a3c1ebfa2bc91c
  SHA1: 11383627d5515ed2257f594db7fbce3a4b9106f8
  SHA256: 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
  SHA512: bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  MD5: e7a789232ef503dcb4929791673009a3
  SHA1: 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
  SHA256: 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
  SHA512: 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87
C:\Users\Admin\AppData\Roaming\SBOP Crystal\Guide.pdf
  MD5: 413618ca437d7831df51303188cd207b
  SHA1: 85ea80cfb5db25c756da7ba5992665ea80aee560
  SHA256: f2d0e13a6ec546f169d45ad5b62ced1bcc3a4e01ae6dc3666239defc959e2baa
  SHA512: f70dab7aca530bd5013903e050bd974c8ad991c5d8d5ef8b5f6f4efba8acc6d37014b8bc63e3e73679a8229a9e33fd4c0ed3c8b6d5b9628a8735cb32210b30e6
C:\Users\Admin\AppData\Roaming\SBOP Crystal\qclp-2.3.dll
  MD5: 852ba853bb6e9fc1476a7907a17be760
  SHA1: 21ef22a3dd2e4b32fbe8f56b7d87510fd9529d5c
  SHA256: b98b6b7e4ca7f5827d8d5cb34b39a3f4ca8c3dac5d7751d64876d944301084ff
  SHA512: 79bdc1fc374d2cb147237d5e34bc95ba1744ed111d1bd861c28124732e4c179442aec9f7b0ee33d65eef0c9e4eb939d3a5392b9f81cb518ce3ca47ccd86f6c12
C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe
  MD5: 042f1ad45934818427a842170fd8f8f7
  SHA1: 1e689e2ff66ad665a6aecaadff2ccdec68cbe0d4
  SHA256: 1fa7159ab6a545dbaae94e954909cecad354127a2338ce15dea4c79937fd5c7b
  SHA512: e157f38145ab8dfede75434e5bbd449cf5fb1138103ad062898726e7956cbda12f2b757c050572ec0930b33422c3fc4646f3c75e3324483638492512be77a4c0
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  MD5: c15c6adc8c923ad87981f289025c37b2
  SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
  SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
  SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  MD5: e7a789232ef503dcb4929791673009a3
  SHA1: 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
  SHA256: 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
  SHA512: 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87
\Users\Admin\AppData\Roaming\SBOP Crystal\7-zip.dll
  MD5: 23c651b2ace76d42fec3989bcba3ce7b
  SHA1: 378776d20133f20a4c42476bdcb0a408ef1dce1c
  SHA256: 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2
  SHA512: e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8
\Users\Admin\AppData\Roaming\SBOP Crystal\Filters\LC.dll
  MD5: 6316c4082cacf8f3f4f22daef56cb15c
  SHA1: cea3de90b20396b092797ec8c7e241e822c8faed
  SHA256: 5594b08c79a4d188a674713011cd516618fa36d2f988f7d353fb3370939a4062
  SHA512: e1e0a6440f91b208b61775e30d8fc1be299a298e00ed564ca7c74fa8728738af66e6c3c0805553abbc4a8d2838cd21bfde61ac2322fff4e62ac4d6796a0821bc
\Users\Admin\AppData\Roaming\SBOP Crystal\qclp-2.3.dll
  MD5: 852ba853bb6e9fc1476a7907a17be760
  SHA1: 21ef22a3dd2e4b32fbe8f56b7d87510fd9529d5c
  SHA256: b98b6b7e4ca7f5827d8d5cb34b39a3f4ca8c3dac5d7751d64876d944301084ff
  SHA512: 79bdc1fc374d2cb147237d5e34bc95ba1744ed111d1bd861c28124732e4c179442aec9f7b0ee33d65eef0c9e4eb939d3a5392b9f81cb518ce3ca47ccd86f6c12
memory/664-130-0x0000000000000000-mapping.dmp
memory/840-122-0x0000000000000000-mapping.dmp
memory/1688-131-0x0000000000000000-mapping.dmp
memory/2400-134-0x0000000000000000-mapping.dmp
memory/2784-128-0x0000000000000000-mapping.dmp
memory/3300-132-0x0000000000000000-mapping.dmp
memory/3580-115-0x0000000000000000-mapping.dmp
memory/3900-129-0x0000000000000000-mapping.dmp