Analysis
max time kernel: 168s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 16-03-2022 07:43
Behavioral task behavioral1
Sample: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Resource: win7-20220310-en

Behavioral task behavioral2
Sample: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Resource: win10v2004-20220310-en
General
Target: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Size: 627KB
MD5: 1234951c81c9f0950d7ebccf5c0da425
SHA1: c51df34b23cc7bfdf58ebdc21df84deab9688f8d
SHA256: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852
SHA512: e69fa50b6ff651c2bb916e715e5100946c0be58e78e5867a56345383d0128b25da7a81d8dfa97aef7961f6e2ec1e74b4af903f4b10671face36f3c9cfaf50236
Malware Config
Extracted from: C:\odt\Restore-My-Files.txt
Family: lockbit
URLs:
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9A886E1A75F23774D
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9A886E1A75F23774D
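Both extracted URLs carry the same 32-character hex query string, and the same note is dropped into many directories (see the Restore-My-Files.txt entries under "Drops file in Program Files directory"). The following Python is an added example, not code from the sandbox report or from the LockBit sample: it parses a note of this shape, separates onion from clearnet hosts, pulls out the ID, and merges duplicate copies into one IOC set. Only the two URLs come from the report; the note wording, the function names and the result layout are this example's assumptions.

```python
"""Pull contact URLs and the victim ID out of a LockBit-style ransom note.

Added example for this report. Only the two URLs are report data; the note
wording below and every name in this file are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in for C:\odt\Restore-My-Files.txt: the URLs are the ones
# the sandbox extracted, the surrounding text is invented.
SAMPLE_NOTE = """All your important files are encrypted!
Any attempt to restore your files with third-party software will corrupt them.
Your personal ID: 9B7FDA8D33FEC3F9A886E1A75F23774D
Contact us:
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9A886E1A75F23774D
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9A886E1A75F23774D
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
VICTIM_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # shape of the query string above


def parse_note(text):
    """Return hosts, URLs and victim ID(s) found in one note body."""
    urls = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)]")  # drop punctuation glued to the URL
        if url not in urls:         # same note text may repeat the link
            urls.append(url)
    onion, clearnet, ids = [], [], set()
    for url in urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        (onion if host.endswith(".onion") else clearnet).append(host)
        # "?<id>" has no key=value form, so the whole query is the ID
        if VICTIM_ID_RE.match(parts.query):
            ids.add(parts.query.upper())
    return {
        "urls": urls,
        "onion_hosts": onion,
        "clearnet_hosts": clearnet,
        "victim_ids": sorted(ids),
        # one ID across every URL is what a single infection should show
        "single_victim_id": len(ids) == 1,
    }


def merge_notes(texts):
    """Aggregate the notes dropped across directories into one IOC set."""
    hosts, ids = set(), set()
    for text in texts:
        result = parse_note(text)
        hosts.update(result["onion_hosts"] + result["clearnet_hosts"])
        ids.update(result["victim_ids"])
    return {"hosts": sorted(hosts), "victim_ids": sorted(ids)}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_note(SAMPLE_NOTE), indent=2))
```

Feed `merge_notes` every Restore-My-Files.txt collected from a host; more than one victim ID in the merged result means notes from different infections (or a different family) were mixed in and should be triaged separately.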
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely used as a geofence.
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe\"" | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
The persistence indicator is a per-user Run value (name XO1XADpO01 here) whose data points back to the executable in the user's AppData\Local\Temp directory; the value name may differ between runs, the Temp path pattern is the stable part to hunt for.
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger class stops a debugger from receiving events for the calling thread, an anti-analysis measure. All 64 calls are attributed to the same process.
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
pid | process
4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe (this entry is repeated for each of the 64 IoCs)
Drops file in Program Files directory (64 IoCs)
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe (every event below is attributed to this process)
description | ioc
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_HK.properties
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml
File created | C:\Program Files\Java\jre1.8.0_66\Restore-My-Files.txt
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Restore-My-Files.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar
File created | C:\Program Files\Microsoft Office\root\fre\Restore-My-Files.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\Restore-My-Files.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\release
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar
Of the 64 events listed, 60 are existing files under Java, Microsoft Office and 7-Zip opened for modification (encryption targets) and 4 are Restore-My-Files.txt ransom notes created in the directories being processed. The sandbox report caps this list at 64 entries, so it is a sample of the activity, not the full set of touched files.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1976 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
pid | process
4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe, vssvc.exe, WMIC.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Token: SeDebugPrivilege | 4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
Token: SeBackupPrivilege | 4712 | vssvc.exe
Token: SeRestorePrivilege | 4712 | vssvc.exe
Token: SeAuditPrivilege | 4712 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1356 | WMIC.exe
Token: SeSecurityPrivilege | 1356 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1356 | WMIC.exe
Token: SeLoadDriverPrivilege | 1356 | WMIC.exe
Token: SeSystemProfilePrivilege | 1356 | WMIC.exe
Token: SeSystemtimePrivilege | 1356 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1356 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1356 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1356 | WMIC.exe
Token: SeBackupPrivilege | 1356 | WMIC.exe
Token: SeRestorePrivilege | 1356 | WMIC.exe
Token: SeShutdownPrivilege | 1356 | WMIC.exe
Token: SeDebugPrivilege | 1356 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1356 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1356 | WMIC.exe
Token: SeUndockPrivilege | 1356 | WMIC.exe
Token: SeManageVolumePrivilege | 1356 | WMIC.exe
Token: 33 | 1356 | WMIC.exe
Token: 34 | 1356 | WMIC.exe
Token: 35 | 1356 | WMIC.exe
Token: 36 | 1356 | WMIC.exe
Privileges 33 to 36 are reported by numeric value only. WMIC.exe enabling its whole privilege set is typical of that tool and vssvc.exe needs SeBackupPrivilege/SeRestorePrivilege to service shadow copy requests; the entries worth acting on are SeTakeOwnershipPrivilege and SeDebugPrivilege enabled by the sample itself (pid 4468), which let it take over files it does not own and open other processes.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe, cmd.exe
description | pid | process | target process
PID 4468 wrote to memory of 3556 | 4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe | cmd.exe
PID 4468 wrote to memory of 3556 | 4468 | 6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe | cmd.exe
PID 3556 wrote to memory of 1976 | 3556 | cmd.exe | vssadmin.exe
PID 3556 wrote to memory of 1976 | 3556 | cmd.exe | vssadmin.exe
PID 3556 wrote to memory of 1356 | 3556 | cmd.exe | WMIC.exe
PID 3556 wrote to memory of 1356 | 3556 | cmd.exe | WMIC.exe
Processes
(indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\System32\Wbem\WMIC.exe
          command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

The single cmd.exe command line chains five recovery-inhibition steps: shadow copy deletion by two routes (vssadmin and WMIC), disabling Windows recovery and boot-failure handling through bcdedit, and deletion of the backup catalog through wbadmin. Only vssadmin.exe and WMIC.exe are recorded as children of that cmd.exe in this report; no bcdedit.exe or wbadmin.exe process appears in the tree. vssvc.exe is the Volume Shadow Copy service, which starts as a separate top-level process to service the deletion requests, which is why it shows up outside the sample's own tree.
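The process tree above, together with the "Adds Run key to start application" and "Checks computer location settings" signatures, gives three concrete behaviours to detect: the chained recovery-inhibition command line, a Run value pointing into the user's Temp directory, and the Geo\Nation lookup. The following Python is an added example, not code from the sandbox or the report: it runs those checks over constructed Sysmon-style process-creation and registry events rebuilt from the lines above, and correlates the weak Geo\Nation signal with stronger findings on the same pid. Event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `data`), rule names and severities are this example's assumptions.

```python
"""Detection checks for the behaviours in this report, run over constructed
Sysmon-style events. Added example, not part of the sandbox report; the event
field names, rule names and severities are assumptions of this example."""
import re

# Fragments of the recovery-inhibition chain the sample ran via cmd.exe.
RECOVERY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog")),
]
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

# Constructed events reproducing the report's process tree and registry IoCs,
# plus one benign process to show a non-match.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3556, "ppid": 4468, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    {"type": "process", "pid": 1976, "ppid": 3556, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 1356, "ppid": 3556, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "registry_set", "pid": 4468,
     "key": r"\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\6edbd520e23625af5f8074103ccbb1c27d3919d2f40fc202bdae8b1e71397852.exe"'},
    {"type": "registry_query", "pid": 4468,
     "key": r"\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},  # benign, must not fire
]


def check_process(evt):
    cmd = evt.get("cmdline", "").lower()
    hits = [name for name, rx in RECOVERY_RULES if rx.search(cmd)]
    if not hits:
        return None
    # One fragment alone can be an admin freeing disk space; several chained
    # into one command line, as in this report, is the ransomware pattern.
    return {"rule": "inhibit_system_recovery", "pid": evt["pid"],
            "severity": "high" if len(hits) >= 2 else "medium", "matched": hits}


def check_registry_set(evt):
    key, data = evt.get("key", ""), evt.get("data", "")
    if RUN_VALUE_RE.search(key) and TEMP_PATH_RE.search(data):
        return {"rule": "run_key_points_to_temp", "pid": evt["pid"],
                "severity": "medium", "value_name": key.rsplit("\\", 1)[-1]}
    return None


def check_registry_query(evt):
    # Plenty of legitimate software reads Geo\Nation, so this stays at
    # info level unless the same pid also produced a stronger finding.
    if GEO_NATION_RE.search(evt.get("key", "")):
        return {"rule": "geo_nation_lookup", "pid": evt["pid"], "severity": "info"}
    return None


CHECKS = {"process": check_process, "registry_set": check_registry_set,
          "registry_query": check_registry_query}


def run_detections(events):
    """Apply every check, then promote info findings that share a pid with a
    medium or high finding."""
    findings = []
    for evt in events:
        check = CHECKS.get(evt["type"])
        hit = check(evt) if check else None
        if hit:
            findings.append(hit)
    strong_pids = {f["pid"] for f in findings if f["severity"] in ("medium", "high")}
    for f in findings:
        if f["severity"] == "info" and f["pid"] in strong_pids:
            f["severity"] = "medium"
            f["promoted_by_pid_correlation"] = True
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f)
```

The per-fragment rules fire on the child vssadmin.exe and WMIC.exe processes at medium severity; only the parent cmd.exe, which carries all five fragments in one command line, reaches high. Point `run_detections` at Sysmon event ID 1 (process create), 13 (registry value set) and a registry-read source to run it on real telemetry.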