Analysis
- max time kernel: 143s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 05:53
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
  Resource: win10v2004-20220414-en
General
- Target: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
- Size: 194KB
- MD5: 5e6d55651cbc4c4759c487bc7c8431bc
- SHA1: d233f81a38c263357dddf846144ef970c46bccbe
- SHA256: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81
- SHA512: 32b2cbc4bf04ffc28153e1cb688a7d1aed4f5ac66ff32152e58bfce8d02258cef2596e714265a6cb90ca3e9c2b3ccdd9b4e52cef8871d05054d0996ed633e889
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\Restore-My-Files.txt
- Family: lockbit
- URLs:
  http://lockbit-decryptor.top/?96B283EF5B7ACD4C9EA6D36AAD088C6A
  http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4C9EA6D36AAD088C6A
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe (PID 2876), bcdedit.exe (PID 2864)
- Processes: wbadmin.exe (PID 2888)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
  Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe\""
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (PID 1928); all 64 IoCs come from this one process
- Drops file in Program Files directory (64 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (all entries below)
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\Restore-My-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Restore-My-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml
  File opened for modification: C:\Program Files\7-Zip\Lang\fr.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\7-Zip\Lang\fa.txt
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\classlist
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png
  File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Restore-My-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\Restore-My-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\7-Zip\Lang\he.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\Restore-My-Files.txt
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1764)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (PID 1928)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe, vssvc.exe, WMIC.exe, wbengine.exe
  dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (PID 1928): Token: SeTakeOwnershipPrivilege, SeDebugPrivilege
  vssvc.exe (PID 1436): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 2784), the following sequence recorded twice: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wbengine.exe (PID 2948): Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe, cmd.exe
  PID 1928 (dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe) wrote to memory of PID 944 (cmd.exe): 4 times
  PID 944 (cmd.exe) wrote to memory of PID 1764 (vssadmin.exe): 3 times
  PID 944 (cmd.exe) wrote to memory of PID 2784 (WMIC.exe): 3 times
  PID 944 (cmd.exe) wrote to memory of PID 2864 (bcdedit.exe): 3 times
  PID 944 (cmd.exe) wrote to memory of PID 2876 (bcdedit.exe): 3 times
  PID 944 (cmd.exe) wrote to memory of PID 2888 (wbadmin.exe): 3 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - [3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - [3] C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssadmin.exe
  Command line: vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
- [1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- [1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/944-59-0x0000000000000000-mapping.dmp
- memory/1764-60-0x0000000000000000-mapping.dmp
- memory/1928-56-0x0000000000230000-0x0000000000330000-memory.dmp (Filesize: 1024KB)
- memory/1928-55-0x0000000076721000-0x0000000076723000-memory.dmp (Filesize: 8KB)
- memory/1928-57-0x00000000003A0000-0x00000000003C6000-memory.dmp (Filesize: 152KB)
- memory/1928-58-0x0000000000400000-0x00000000007ED000-memory.dmp (Filesize: 3.9MB)
- memory/2784-61-0x0000000000000000-mapping.dmp
- memory/2864-62-0x0000000000000000-mapping.dmp
- memory/2876-63-0x0000000000000000-mapping.dmp
- memory/2888-64-0x0000000000000000-mapping.dmp
- memory/2888-65-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp (Filesize: 8KB)