Analysis
max time kernel: 172s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220310-en (the behavioral2 run; see below)
submitted: 15-03-2022 17:22
Behavioral task behavioral1
Sample: a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Resource: win7-20220310-en
Behavioral task behavioral2
Sample: a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Resource: win10v2004-20220310-en
General
Target: a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Size: 629KB
MD5: 551d134c5769726aa49edcf2881e3ab6
SHA1: fbe0582e76999e1cb36c4fc330f60cbafa65081a
SHA256: a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49
SHA512: e13d966b7bccc7cf2a5b2043323a53c5c766dd7fc30b3633d2d34ae7efe2cdd75817aba78d39bcb128a02717224536ee24356ef5021171121d5966d3d275d6a2
Malware Config
Extracted from: C:\odt\Restore-My-Files.txt
Family: lockbit
URLs (clearnet and Tor mirror, both carrying the same 32-hex-character victim ID in the query string):
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9CD7580AE26F5F73C
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9CD7580AE26F5F73C
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid 2340 bcdedit.exe
pid 2136 bcdedit.exe
Deletes backup catalog
Processes:
pid 3760 wbadmin.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe\"" | a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
pid 2756 a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe (same process for all 64 IoCs)
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc (process for every row: a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe)
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\Restore-My-Files.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx
File created | C:\Program Files\Restore-My-Files.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\README.html
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\Restore-My-Files.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden
File opened for modification | C:\Program Files\CheckpointRestart.dib
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\ij
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms
The "File created" rows are ransom-note drops (Restore-My-Files.txt, the same file name the Malware Config was extracted from) into directories the sample has just worked through; the "File opened for modification" rows are existing files being rewritten, consistent with in-place encryption.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Note that the process reading these keys is vds.exe (the Windows Virtual Disk Service, started through vdsldr.exe in the process tree), not the sample itself; the sandbox-detection sentence is the signature's generic description, and here the reads are a side effect of the disk and shadow-copy activity rather than evidence of evasion.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 2100 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 2756 a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes (privileges enabled, grouped by process):
pid 2756 a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
pid 4936 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 4484 WMIC.exe (the following sequence recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the numeric entries are privilege LUIDs the report did not resolve to names)
pid 2240 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
The blanket WMIC.exe list is how wmic.exe initialises its own token and is not specific to this sample; the entries worth attention are the sample's own SeTakeOwnershipPrivilege and SeDebugPrivilege, consistent with taking ownership of files it could not otherwise rewrite.
Suspicious use of WriteProcessMemory 12 IoCs
Processes (source pid/process -> target pid/process; each pair is recorded twice):
2756 a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe -> 260 cmd.exe
260 cmd.exe -> 2100 vssadmin.exe
260 cmd.exe -> 4484 WMIC.exe
260 cmd.exe -> 2340 bcdedit.exe
260 cmd.exe -> 2136 bcdedit.exe
260 cmd.exe -> 3760 wbadmin.exe
Processes
Indentation shows the parent/child relationship (the original report numbers the depth 1, 2, 3). The top-level vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe entries are Windows services (Volume Shadow Copy, Block Level Backup Engine, Virtual Disk Service and its loader) started as a side effect of the shadow-copy, backup-catalog and disk activity, not children of the sample.
C:\Users\Admin\AppData\Local\Temp\a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe (PID 2756)
  command line: "C:\Users\Admin\AppData\Local\Temp\a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 260)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (PID 2100)
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\System32\Wbem\WMIC.exe (PID 4484)
          command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\bcdedit.exe (PID 2340)
          command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\bcdedit.exe (PID 2136)
          command line: bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\wbadmin.exe (PID 3760)
          command line: wbadmin delete catalog -quiet
          - Deletes backup catalog
C:\Windows\system32\vssvc.exe (PID 4936)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 2240)
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (PID 3740)
  command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 1712)
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
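The cmd.exe line in the tree is the whole recovery-inhibition chain in one command: shadow copies deleted two ways, boot recovery disabled, and the backup catalog removed. As an added example that is not part of the sandbox report or of any vendor product, the Python below flags that chain in process-creation telemetry. The event dictionaries and their field names (ProcessId, ParentProcessId, Image, CommandLine) are constructed here to mirror the report's tree and are an assumption about the log shape; the parent PID 1000 of the sample and the benign "vssadmin list shadows" event are made up, the latter to show the rule ignores it.

```python
"""Flag the recovery-inhibition chain from the process tree in process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report's tree; the field names are an assumed log shape.
"""
import re
from collections import defaultdict

# One pattern per behaviour in the chain. Matching is case-insensitive over the
# whole command line, so a single "cmd /c a & b & c" line can match several.
INHIBIT_RECOVERY = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_bootstatuspolicy_ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def classify(cmdline):
    """Return the set of behaviour names a single command line exhibits."""
    return {name for name, rx in INHIBIT_RECOVERY.items() if rx.search(cmdline)}


def detect(events, threshold=2):
    """Attribute each hit to the process that ran it and to its parent, then
    report every PID that accumulates at least `threshold` distinct behaviours.

    A lone "bcdedit /set {default} recoveryenabled no" is something admins do;
    several distinct behaviours under one parent in one run is not.
    """
    seen = defaultdict(set)
    for ev in events:
        hits = classify(ev["CommandLine"])
        if hits:
            seen[ev["ProcessId"]] |= hits
            seen[ev["ParentProcessId"]] |= hits
    return {pid: sorted(b) for pid, b in seen.items() if len(b) >= threshold}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a6d63a54b5be86d1874d96f25ef8e85c0683ea4d32796931f3241466589a3a49.exe"
CHAIN = (r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
         r' & wmic shadowcopy delete'
         r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
         r' & bcdedit /set {default} recoveryenabled no'
         r' & wbadmin delete catalog -quiet')

# Constructed events mirroring the report's tree (PIDs as reported; the sample's
# parent PID 1000 is assumed). The last event is a benign decoy.
EVENTS = [
    {"ProcessId": 2756, "ParentProcessId": 1000, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 260, "ParentProcessId": 2756, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": CHAIN},
    {"ProcessId": 2100, "ParentProcessId": 260, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 4484, "ParentProcessId": 260, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 2340, "ParentProcessId": 260, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 2136, "ParentProcessId": 260, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ProcessId": 3760, "ParentProcessId": 260, "Image": r"C:\Windows\system32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ProcessId": 5000, "ParentProcessId": 1000, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for pid, behaviours in sorted(detect(EVENTS).items()):
        print(f"PID {pid}: {', '.join(behaviours)}")
```

With the default threshold only cmd.exe (260) and the sample (2756) are reported, each with all five behaviours; the individual utilities sit at one behaviour apiece and the decoy at zero. Crediting the parent is what makes this work when the children are spawned one at a time rather than through a single cmd /c line.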