Analysis
- max time kernel: 4294218s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 15-03-2022 20:26
Behavioral task: behavioral1
- Sample: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Resource: win10v2004-20220310-en
General
- Target: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Size: 629KB
- MD5: 5982636f09b4cf37916955e91e0ad63b
- SHA1: 660ec44bf0a329125b838765413343eebf091921
- SHA256: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d
- SHA512: f5b80194bb3919a2e1de83ce78467701a7d7ce864aca19d3d7379090dcbb5ad3e757404350a0de0a44ef440621c1507742a094f23fe59dbc0aab50a3b32b01f3
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\Lang\Restore-My-Files.txt
- Family: lockbit
- URLs:
  - http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B0E237B22759EFD4
  - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B0E237B22759EFD4
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe\"" (process: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
  - 64 identical IoC rows, each: pid 1564, process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - pid 1124, process vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
  - pid 1564, process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, vssvc.exe
  - Token: SeTakeOwnershipPrivilege, pid 1564, process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
  - Token: SeDebugPrivilege, pid 1564, process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe
  - Token: SeBackupPrivilege, pid 2032, process vssvc.exe
  - Token: SeRestorePrivilege, pid 2032, process vssvc.exe
  - Token: SeAuditPrivilege, pid 2032, process vssvc.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, cmd.exe
  - PID 1564 wrote to memory of 1924: process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, target process cmd.exe
  - PID 1564 wrote to memory of 1924: process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, target process cmd.exe
  - PID 1564 wrote to memory of 1924: process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, target process cmd.exe
  - PID 1564 wrote to memory of 1924: process dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe, target process cmd.exe
  - PID 1924 wrote to memory of 1124: process cmd.exe, target process vssadmin.exe
  - PID 1924 wrote to memory of 1124: process cmd.exe, target process vssadmin.exe
  - PID 1924 wrote to memory of 1124: process cmd.exe, target process vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd8d547af63fe3934931c7113af5eff72147fb55f0dc633a1bd0af9bc621c83d.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken