lockbit | b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3

General

Target

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
Size

790KB
MD5

6105cc40a80f098971b76589781682de
SHA1

0eb1d178dcfa1ecc853ba3d912a1e2c7e0cd1005
SHA256

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3
SHA512

28ad1b772effa8bd5cfe31060368a9d49d848b97533f891f571845295d9ce89173f4901daea407bbb6cc2e7c9e920b485edd99b72b2121579eeed40c9c77bd99

Score

10^/10

lockbit evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?A2232793F05765B5B85BB84C8DA9DB4D | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A2232793F05765B5B85BB84C8DA9DB4D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?A2232793F05765B5B85BB84C8DA9DB4D

http://lockbitks2tvnmwk.onion/?A2232793F05765B5B85BB84C8DA9DB4D

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3016 bcdedit.exe
3004 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3028 wbadmin.exe

pid	process
3016	bcdedit.exe
3004	bcdedit.exe

pid	process
3028	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe\""	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

pid	process
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

Drops file in Program Files directory 64 IoCs

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Restore-My-Files.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Restore-My-Files.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File created	C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File created	C:\Program Files\Restore-My-Files.txt	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2020 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

pid process

908 b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe

pid	process
2020	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
Token: SeDebugPrivilege	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.execmd.exe

description	pid	process	target process
PID 908 wrote to memory of 836	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe	cmd.exe
PID 908 wrote to memory of 836	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe	cmd.exe
PID 908 wrote to memory of 836	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe	cmd.exe
PID 908 wrote to memory of 836	908	b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe	cmd.exe
PID 836 wrote to memory of 2020	836	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 2020	836	cmd.exe	vssadmin.exe
PID 836 wrote to memory of 2020	836	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe
"C:\Users\Admin\AppData\Local\Temp\b01cc4f779965060248a62bdd2826a78d9d55f774850bb251ed29ca3a652bde3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:2912

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3028

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3016

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3004

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1640

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/836-56-0x0000000000000000-mapping.dmp

Download
memory/908-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/908-55-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download
memory/908-58-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download
memory/2912-59-0x0000000000000000-mapping.dmp

Download
memory/3004-60-0x0000000000000000-mapping.dmp

Download
memory/3016-61-0x0000000000000000-mapping.dmp

Download
memory/3028-62-0x0000000000000000-mapping.dmp

Download
memory/3028-63-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads