Analysis
- max time kernel: 67s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-05-2022 12:17

Static task: static1

Behavioral task: behavioral1
  Sample: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
  Resource: win10v2004-20220414-en
General
- Target: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
- Size: 959KB
- MD5: e2d006ac5e8d76856b516746a50c2a58
- SHA1: 83b6e55dc61a6813dbc992c0b55379e5851d2825
- SHA256: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72
- SHA512: 32b9d944c1f6700e58231512cb40de5dc2d2f29090ac5ec6900c785ee24d6f8d1614ca05d8172328d9ed47ec32ec9049cb40be03514f3df6f513ce401c9c7101
Malware Config
Extracted from C:\odt\Restore-My-Files.txt:
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
- https://decoding.at/
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
- https://decoding.at
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid 2856  bcdedit.exe
    pid 1888  bcdedit.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    File renamed: C:\Users\Admin\Pictures\ConvertEnter.raw => C:\users\admin\pictures\convertenter.raw.lockbit
    File renamed: C:\Users\Admin\Pictures\RepairCopy.tif => C:\users\admin\pictures\repaircopy.tif.lockbit
    File renamed: C:\Users\Admin\Pictures\ConfirmGroup.crw => C:\users\admin\pictures\confirmgroup.crw.lockbit
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AA7DFFDE-6262-7906-C463-C4C855FECD29} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe\""
- Drops file in System32 directory (1 IoCs)
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    File created: C:\windows\SysWOW64\3B7D11.ico
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  Processes:
    pid 3340  3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe  (16 occurrences)
- Drops file in Program Files directory (64 IoCs)
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    File opened for modification: C:\program files\microsoft office\root\office16\logoimages\winwordlogo.contrast-white_scale-100.png
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\config\modules\org-netbeans-modules-masterfs.xml
    File opened for modification: C:\program files\microsoft office\root\licenses16\o365proplusr_subscription2-ul-oob.xrm-ms
    File opened for modification: C:\program files\microsoft office\root\licenses16\projectpro2019demor_bypasstrial180-ul-oob.xrm-ms
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\images\themes\dark\Restore-My-Files.txt
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification: C:\program files\microsoft office\root\vfs\common appdata\microsoft help\ms.winword.16.1033.hxn
    File opened for modification: C:\program files\videolan\vlc\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js
    File opened for modification: C:\program files\microsoft office\root\licenses16\access2019vl_mak_ae-ul-oob.xrm-ms
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar
    File opened for modification: C:\program files\microsoft office\root\office16\pagesize\pglbl065.xml
    File opened for modification: C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\checkmark.white@2x.png
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\file_types\aic_file_icons_retina_thumb.png
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\js\nls\ro-ro\Restore-My-Files.txt
    File created: C:\program files\java\jdk1.8.0_66\jre\lib\management\Restore-My-Files.txt
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar
    File created: C:\program files\videolan\vlc\locale\ach\lc_messages\Restore-My-Files.txt
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\Restore-My-Files.txt
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\hr-hr\Restore-My-Files.txt
    File opened for modification: C:\program files\microsoft office\root\office16\logoimages\excellogo.contrast-white_scale-180.png
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar
    File opened for modification: C:\program files\microsoft office\root\office16\pagesize\pgmn092.xml
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar
    File opened for modification: C:\program files\microsoft office\root\licenses16\projectproco365r_subscription-ul-oob.xrm-ms
    File opened for modification: C:\program files\microsoft office\root\office16\bibliography\style\chicago.xsl
    File opened for modification: C:\program files\microsoft office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js
    File opened for modification: C:\program files\java\jre1.8.0_66\lib\javafx.properties
    File opened for modification: C:\program files\microsoft office\root\office16\logoimages\powerpntlogosmall.scale-80.png
    File opened for modification: C:\program files\microsoft office\root\office16\msipc\lt\msipc.dll.mui
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\js\nls\sv-se\Restore-My-Files.txt
    File opened for modification: C:\program files\microsoft office\root\licenses16\word2019r_retail-ul-phn.xrm-ms
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js
    File opened for modification: C:\program files\microsoft office\root\rsod\word.x-none.msi.16.x-none.tree.dat
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\images\close.png
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js
    File opened for modification: C:\program files\microsoft office\root\rsod\excelmui.msi.16.en-us.tree.dat
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\hr-hr\ui-strings.js
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\playstore\af_get.svg
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js
    File opened for modification: C:\program files\microsoft office\root\office16\logoimages\firstrunlogo.contrast-white_scale-80.png
    File opened for modification: C:\program files\microsoft office\root\licenses16\outlook2019r_retail-pl.xrm-ms
    File opened for modification: C:\program files\videolan\vlc\locale\ko\lc_messages\vlc.mo
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\enu\stamp.aapp
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\uk-ua\ui-strings.js
    File created: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\fr-fr\Restore-My-Files.txt
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml
    File opened for modification: C:\program files\microsoft office\root\licenses16\visiostdco365r_subtrial-ppd.xrm-ms
    File opened for modification: C:\program files\microsoft office\root\office16\1033\prottpln.xls
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\digsig.api
    File opened for modification: C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_empty_state.svg
    File opened for modification: C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkhandle.png
    File opened for modification: C:\program files\java\jre1.8.0_66\lib\deploy\messages_zh_cn.properties
    File opened for modification: C:\program files\microsoft office\root\licenses16\outlookr_trial-ul-oob.xrm-ms
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 2056  vssadmin.exe
- Modifies registry class (3 IoCs)
  Process: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\3B7D11.ico"
    Key created: \Registry\Machine\Software\Classes\.lockbit
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes:
    pid 3340  3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe  (34 occurrences)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe, vssvc.exe, WMIC.exe
    Token: SeTakeOwnershipPrivilege  pid 3340  3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    Token: SeDebugPrivilege          pid 3340  3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
    Token: SeBackupPrivilege         pid 2332  vssvc.exe
    Token: SeRestorePrivilege        pid 2332  vssvc.exe
    Token: SeAuditPrivilege          pid 2332  vssvc.exe
    pid 5008  WMIC.exe, the following 21-token sequence, recorded twice in a row (42 rows):
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35, 36
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe, cmd.exe
    PID 3340 wrote to memory of 4496  (3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe -> cmd.exe)  recorded twice
    PID 4496 wrote to memory of 2056  (cmd.exe -> vssadmin.exe)  recorded twice
    PID 4496 wrote to memory of 5008  (cmd.exe -> WMIC.exe)  recorded twice
    PID 4496 wrote to memory of 2856  (cmd.exe -> bcdedit.exe)  recorded twice
    PID 4496 wrote to memory of 1888  (cmd.exe -> bcdedit.exe)  recorded twice
Processes (tree; depth given in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
    - [3] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures:
      - Modifies boot configuration data using bcdedit
    - [3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures:
      - Modifies boot configuration data using bcdedit
  - [2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe"
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      Signatures:
      - Runs ping.exe
    - [3] C:\Windows\SysWOW64\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\3f2accb371da418d3b7f0ee689c2cca064cce542a72948fc7793285a43476d72.bin.exe"
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  Filesize: 46KB
  MD5: c15c6adc8c923ad87981f289025c37b2
  SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
  SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
  SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83
- memory/1888-134-0x0000000000000000-mapping.dmp
- memory/2056-131-0x0000000000000000-mapping.dmp
- memory/2856-133-0x0000000000000000-mapping.dmp
- memory/4496-130-0x0000000000000000-mapping.dmp
- memory/4564-135-0x0000000000000000-mapping.dmp
- memory/4716-139-0x0000000000000000-mapping.dmp
- memory/4756-137-0x0000000000000000-mapping.dmp
- memory/5008-132-0x0000000000000000-mapping.dmp
- memory/5116-136-0x0000000000000000-mapping.dmp