Analysis
- max time kernel: 156s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 16-03-2022 21:36

Behavioral task behavioral1
- Sample: ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe
- Resource: win7-20220311-en

Behavioral task behavioral2
- Sample: ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe
- Resource: win10v2004-en-20220113
General
- Target: ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe
- Size: 629KB
- MD5: 902bc738cdd4e05d92a0661d8e962b50
- SHA1: 10e8ab02ed6ac267791bea58941141170041877f
- SHA256: ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317
- SHA512: 57d46c90469c4e5fe290bd4ff00c41266cb592774a262517e2e31cdc57f8323b6725034ba11d4d12564e4bcf9619a633bfb8ba86078f82b22b877e270a868b79
Malware Config
Extracted
- Source: C:\odt\Restore-My-Files.txt (ransom note)
- Family: lockbit
- URLs:
  - http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9CB0FA46B92552ECC
  - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9CB0FA46B92552ECC
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery. In this run the sample spawns a single cmd.exe (PID 1432) that chains vssadmin delete shadows /all /quiet, wmic shadowcopy delete, two bcdedit /set {default} changes (bootstatuspolicy ignoreallfailures and recoveryenabled no) and wbadmin delete catalog -quiet, so the shadow-copy, boot-configuration and backup-catalog signatures below all stem from that one command line.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
  - PID 4204: bcdedit.exe
  - PID 696: bcdedit.exe
- Deletes backup catalog (1 IoCs)
  Processes:
  - PID 4568: wbadmin.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe\""
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  The Run value points back at the sample's own location in the user's Temp directory, so the persistence only survives as long as that file does; the value name XO1XADpO01 is specific to this run and should not be treated as a stable indicator.
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes:
  - PID 2800 ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe (64 calls)
  ThreadHideFromDebugger detaches the calling thread from any attached debugger so that its exceptions are no longer delivered to the debugger. The repeated calls are consistent with the sample applying it to each thread it creates; when analysing the sample interactively, attach before the worker threads start or neutralise the NtSetInformationThread call for that information class.
- Drops file in Program Files directory (64 IoCs)
  Processes (all by ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe):
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-32.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\View3d\3DViewerProductDescription-universal.xml
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\content-types.properties
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms
  - File created: C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.boot.tree.dat
  - File created: C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-light.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo
  - File opened for modification: C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-explorer.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms
  - File opened for modification: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_altform-lightunplated.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.scale-200.png
  - File opened for modification: C:\Program Files\ImportStep.mpeg2
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ja.properties
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-200.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  - File created: C:\Program Files\Java\jdk1.8.0_66\jre\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar
  - File created: C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\3DViewerProductDescription-universal.xml
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png
  The four "File created" entries are copies of the Restore-My-Files.txt ransom note (the file the Malware Config above was extracted from) written into directories the sample walked; the "File opened for modification" entries are existing files opened with write access, consistent with in-place encryption of Program Files content.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Note, however, that every IoC below is attributed to vds.exe (the Windows Virtual Disk Service, which appears as a standalone process in the tree below) rather than to the sample. The service was plausibly started by the sample's storage enumeration, but the registry reads themselves are the service's own, so in this run the signature is weak evidence of sandbox detection.
  Processes (vds.exe):
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 4112: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 2800 ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes:
  - PID 2800 ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
  - PID 1180 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 4612 WMIC.exe (the following set is enabled twice, 42 IoCs in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 1044 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  The entries 33 to 36 are privilege LUIDs the report did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. The broad WMIC.exe set and the backup/restore privileges of vssvc.exe and wbengine.exe are what those Windows components enable on their own; the entries worth noting are the sample's own SeTakeOwnershipPrivilege (take over files the current ACL would not let it write) and SeDebugPrivilege (open other processes regardless of their ACL).
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pair is reported twice):
  - PID 2800 ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe wrote to PID 1432 cmd.exe
  - PID 1432 cmd.exe wrote to PID 4112 vssadmin.exe
  - PID 1432 cmd.exe wrote to PID 4612 WMIC.exe
  - PID 1432 cmd.exe wrote to PID 4204 bcdedit.exe
  - PID 1432 cmd.exe wrote to PID 696 bcdedit.exe
  - PID 1432 cmd.exe wrote to PID 4568 wbadmin.exe
  Every pair matches a parent/child edge in the process tree, so these are the writes a parent performs into a child it has just created (process parameters and environment), not code injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe (PID 2800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\cmd.exe (PID 1432)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\vssadmin.exe (PID 4112)
      Command line: vssadmin delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4612)
      Command line: wmic shadowcopy delete
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe (PID 4204)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures:
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe (PID 696)
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures:
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe (PID 4568)
      Command line: wbadmin delete catalog -quiet
      Signatures:
      - Deletes backup catalog
- C:\Windows\system32\vssvc.exe (PID 1180)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 1044)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures:
  - Checks SCSI registry key(s)
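The process tree above is the part of this report a detection engineer would turn into a rule: a single parent whose descendants run vssadmin, wmic shadowcopy, bcdedit and wbadmin in quick succession, plus a Run key pointing into the user's Temp directory. The script below is an added example, not part of the sandbox report or of any vendor tooling. It rebuilds that tree from constructed process-creation and registry events (the PIDs, parents, command lines and Run key are copied from this report; the sample's own parent PID and the one benign "vssadmin list shadows" record are assumptions), walks each event up to its root process and only alerts when one root accounts for at least two distinct recovery-inhibition commands. The record layout loosely mirrors Sysmon Event ID 1 and 13 fields but is an assumption, not a real log format; adapt the key names to whatever your pipeline emits.

```python
"""Correlate recovery-inhibition commands and Run-key persistence by process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree in the report; the sample's parent PID (None) and the benign
"vssadmin list shadows" record are assumptions. Field names are an assumed,
simplified form of Sysmon Event ID 1 (process create) and 13 (registry set).
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ec6992702eb2666e3bab7c50b8cb504176a2e50340be944de03d2134255b6317.exe")
RUN_KEY = (r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01")

EVENTS = [
    {"event_id": 1, "pid": 2800, "ppid": None, "image": SAMPLE,   # parent not in report
     "cmdline": f'"{SAMPLE}"'},
    {"event_id": 1, "pid": 1432, "ppid": 2800, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
                r' & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy'
                r' ignoreallfailures & bcdedit /set {default} recoveryenabled no'
                r' & wbadmin delete catalog -quiet'},
    {"event_id": 1, "pid": 4112, "ppid": 1432, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "pid": 4612, "ppid": 1432, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"event_id": 1, "pid": 4204, "ppid": 1432, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"event_id": 1, "pid": 696, "ppid": 1432, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"event_id": 1, "pid": 4568, "ppid": 1432, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"event_id": 13, "pid": 2800, "target": RUN_KEY, "details": f'"{SAMPLE}"'},
    # Constructed benign noise: an admin listing shadow copies must not fire.
    {"event_id": 1, "pid": 5000, "ppid": 4000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# One rule per recovery-inhibition step in the cmd.exe chain from the report.
RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit bootstatuspolicy ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]*\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit recoveryenabled no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]*\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}
RUN_KEY_RX = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RX = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def find_root(pid, procs):
    """Follow ppid links up to the topmost process we hold a creation event for."""
    seen = set()
    while pid not in seen and procs.get(pid, {}).get("ppid") in procs:
        seen.add(pid)
        pid = procs[pid]["ppid"]
    return pid


def detect(events, min_techniques=2):
    """Return {root_pid: alert} for every process tree that ran at least
    min_techniques distinct recovery-inhibition commands. The alert also carries
    a Run-key value the same tree wrote if it points into a user-writable path."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    techniques = defaultdict(set)          # root pid -> matched rule names
    for e in procs.values():
        for name, rx in RULES.items():
            if rx.search(e["cmdline"]):
                techniques[find_root(e["pid"], procs)].add(name)
    run_keys = {}                          # root pid -> suspicious Run value
    for e in events:
        if (e["event_id"] == 13 and RUN_KEY_RX.search(e["target"])
                and USER_WRITABLE_RX.search(e["details"])):
            run_keys[find_root(e["pid"], procs)] = e["target"]
    alerts = {}
    for root, names in techniques.items():
        if len(names) >= min_techniques:
            alerts[root] = {"image": procs[root]["image"],
                            "techniques": sorted(names),
                            "run_key": run_keys.get(root)}
    return alerts


if __name__ == "__main__":
    for root, alert in detect(EVENTS).items():
        print(f"PID {root} {alert['image']}")
        print("  recovery inhibition:", ", ".join(alert["techniques"]))
        print("  run key:", alert["run_key"] or "none")
```

Two design points are worth keeping when porting this to a real pipeline. First, the rules run over every process-creation record, so the chain is caught both from the cmd.exe command line (which contains all five steps) and from the individual children; a sample that calls CreateProcess on vssadmin.exe directly, without a cmd.exe wrapper, still matches. Second, correlation depends on the parent links being present: if the cmd.exe record is dropped, each child becomes its own root with one technique and nothing reaches the threshold, which is why process-creation telemetry must not be sampled.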