lockbit | 51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92

General

Target

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Size

959KB
MD5

766b41b04125024cb0c6e4d6b84db9cc
SHA1

ad47f0186e7f99c6c5c67b07cd89af63223289d7
SHA256

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92
SHA512

e149f7dbc46329a8cad9056e1c4253b3099334a80722183aff40111a62527ab8700515d1748cf6355a7a424f7bf75f82504e4cd76618cad77f0d32ce56d59dab

Score

10^/10

lockbit discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\program files\7-zip\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 0894816CA8BC525C065534BCFCAF9678

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2372 bcdedit.exe
2436 bcdedit.exe

pid	process
2372	bcdedit.exe
2436	bcdedit.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

description	ioc	process
File opened for modification	C:\users\admin\pictures\mergeout.tiff	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\InstallSend.png => C:\users\admin\pictures\installsend.png.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\MergeOut.tiff => C:\users\admin\pictures\mergeout.tiff.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\ProtectLock.tif => C:\users\admin\pictures\protectlock.tif.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\ReceiveGroup.raw => C:\users\admin\pictures\receivegroup.raw.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\RedoRepair.tif => C:\users\admin\pictures\redorepair.tif.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File renamed	C:\Users\Admin\Pictures\StartReset.tif => C:\users\admin\pictures\startreset.tif.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8394C26C-BCBC-525F-17BF-17C273BD172B} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe\""	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Drops file in System32 directory 2 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

description	ioc	process
File created	C:\windows\SysWOW64\089481.ico	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

pid	process
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

description	ioc	process
File opened for modification	C:\program files\java\jre7\lib\zi\america\rainy_river	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\tracker\end_review.gif	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0105348.wmf	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\bullets\bd15135_.gif	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\borders\msart7.bdr	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winxphandle.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\exlirm.xml	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\ja-jp\css\rssfeeds.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\images\trad.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\slideshow.gadget\de-de\css\settings.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\ph02223u.bmp	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\stationery\1033\techtool.gif	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\bprev-hot.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\publisher\backgrounds\j0143745.gif	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\utilityfunctions.js	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\info.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\vignette\vignettemask25.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse.inf	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\dd00405_.wmf	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\forms\1033\schdreq.cfg	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\desert.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\xlcprtid.xml	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jre7\lib\zi\europe\luxembourg	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\slideshow.gadget\images\pause_down.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0101866.bmp	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\rtf_underline.gif	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme49.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jre7\lib\zi\asia\ashgabat	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File created	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins3d\Restore-My-Files.txt	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\en-us\sbdrop.dll.mui	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0382961.jpg	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\daisies.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\dvd maker\es-es\omdproject.dll.mui	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\oral	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jre7\lib\zi\antarctica\mawson	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\images\modern_s.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\prottplv.doc	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\calendar\calendartooliconimagesmask.bmp	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\templates\1033\blacktiemergeletter.dotx	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\de-de\currency.html	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jre7\copyright	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jre7\lib\zi\europe\oslo	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\calendar.gadget\icon.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\hls.api	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\fd00297_.wmf	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\forms\1033\smimes.cfg	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\ja-jp\weather.html	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\nome	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\calendar.gadget\images\calendar_ring_docked.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File created	C:\program files\microsoft games\hearts\ja-jp\Restore-My-Files.txt	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\en-us\js\settings.js	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files\windows sidebar\gadgets\weather.gadget\images\120dpi\(120dpi)alerticon.png	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\bzcrd98.poc	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\greeting.xml	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2504 948 WerFault.exe 51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2640 vssadmin.exe

pid	pid_target	process	target process
2504	948	WerFault.exe	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

pid	process
2640	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

description	ioc	process
Key created	\Registry\Machine\Software\Classes\.lockbit	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Key created	\Registry\Machine\Software\Classes\.lockbit\DefaultIcon	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\089481.ico"	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

pid	process
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exevssvc.exeWMIC.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Token: SeDebugPrivilege	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 2540	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	cmd.exe
PID 948 wrote to memory of 2540	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	cmd.exe
PID 948 wrote to memory of 2540	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	cmd.exe
PID 948 wrote to memory of 2540	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	cmd.exe
PID 2540 wrote to memory of 2640	2540	cmd.exe	vssadmin.exe
PID 2540 wrote to memory of 2640	2540	cmd.exe	vssadmin.exe
PID 2540 wrote to memory of 2640	2540	cmd.exe	vssadmin.exe
PID 2540 wrote to memory of 1964	2540	cmd.exe	WMIC.exe
PID 2540 wrote to memory of 1964	2540	cmd.exe	WMIC.exe
PID 2540 wrote to memory of 1964	2540	cmd.exe	WMIC.exe
PID 2540 wrote to memory of 2372	2540	cmd.exe	bcdedit.exe
PID 2540 wrote to memory of 2372	2540	cmd.exe	bcdedit.exe
PID 2540 wrote to memory of 2372	2540	cmd.exe	bcdedit.exe
PID 2540 wrote to memory of 2436	2540	cmd.exe	bcdedit.exe
PID 2540 wrote to memory of 2436	2540	cmd.exe	bcdedit.exe
PID 2540 wrote to memory of 2436	2540	cmd.exe	bcdedit.exe
PID 948 wrote to memory of 2504	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	WerFault.exe
PID 948 wrote to memory of 2504	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	WerFault.exe
PID 948 wrote to memory of 2504	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	WerFault.exe
PID 948 wrote to memory of 2504	948	51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe
"C:\Users\Admin\AppData\Local\Temp\51302b8c1d63640e9001d2ea9f0b5589d502750ed3b620dd9f68a4d40807cf92.bin.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2640

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2372

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 12536
2⤵
- Program crash
PID:2504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/2372-58-0x0000000000000000-mapping.dmp

Download
memory/2436-59-0x0000000000000000-mapping.dmp

Download
memory/2504-60-0x0000000000000000-mapping.dmp

Download
memory/2540-55-0x0000000000000000-mapping.dmp

Download
memory/2640-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads