Analysis
- max time kernel: 153s
- max time network: 79s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:57
Behavioral task behavioral1
- Sample: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
- Resource: win10v2004-20220414-en
General
- Target: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
- Size: 628KB
- MD5: c2e08dbd62f3121911275d0931e64780
- SHA1: 48d1e2e0795a51c116412636632c9160fd1ffcea
- SHA256: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61
- SHA512: 61694a4372f9461447f03fd50b7ad3af61fa64b9dfeb569979c4f3b9900d3b96aa365fd787f447135dea213e3e2e25ef2496a83332ff257abd3d35b5f927ba86
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\Restore-My-Files.txt
- Family: lockbit
- URLs:
  http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9DB236228DDE80C43
  http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9DB236228DDE80C43
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
pid   process
2844  bcdedit.exe
2856  bcdedit.exe
-
Processes: wbadmin.exe
pid   process
2868  wbadmin.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
description / ioc / process
- Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe\"" (process: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
pid   process
1480  0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe (the same entry is listed 64 times, one per IoC)
-
Drops file in Program Files directory 64 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid   process
1528  vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
pid   process
1480  0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe, vssvc.exe, WMIC.exe, wbengine.exe
description / pid / process
- 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe (pid 1480), Token: SeTakeOwnershipPrivilege, SeDebugPrivilege
- vssvc.exe (pid 1844), Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (pid 2764), Token (each of the following 20 reported twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- wbengine.exe (pid 2964), Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: 0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe, cmd.exe
description / pid / process / target process
- PID 1480 (0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe) wrote to memory of 1352 (cmd.exe), reported 4 times
- PID 1352 (cmd.exe) wrote to memory of 1528 (vssadmin.exe), reported 3 times
- PID 1352 (cmd.exe) wrote to memory of 2764 (WMIC.exe), reported 3 times
- PID 1352 (cmd.exe) wrote to memory of 2844 (bcdedit.exe), reported 3 times
- PID 1352 (cmd.exe) wrote to memory of 2856 (bcdedit.exe), reported 3 times
- PID 1352 (cmd.exe) wrote to memory of 2868 (wbadmin.exe), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (depth 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (depth 1)
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1352-57-0x0000000000000000-mapping.dmp
- memory/1480-54-0x0000000074F91000-0x0000000074F93000-memory.dmp (Filesize 8KB)
- memory/1480-55-0x00000000001B0000-0x00000000001D6000-memory.dmp (Filesize 152KB)
- memory/1480-56-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize 664KB)
- memory/1528-58-0x0000000000000000-mapping.dmp
- memory/2764-59-0x0000000000000000-mapping.dmp
- memory/2844-60-0x0000000000000000-mapping.dmp
- memory/2856-61-0x0000000000000000-mapping.dmp
- memory/2868-62-0x0000000000000000-mapping.dmp
- memory/2868-63-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp (Filesize 8KB)