Analysis
- max time kernel: 148s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 05:53
Static task: static1
Behavioral task: behavioral1
- Sample: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
- Resource: win10v2004-20220414-en
General
- Target: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
- Size: 194KB
- MD5: 5e6d55651cbc4c4759c487bc7c8431bc
- SHA1: d233f81a38c263357dddf846144ef970c46bccbe
- SHA256: dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81
- SHA512: 32b2cbc4bf04ffc28153e1cb688a7d1aed4f5ac66ff32152e58bfce8d02258cef2596e714265a6cb90ca3e9c2b3ccdd9b4e52cef8871d05054d0996ed633e889
Malware Config
Extracted
- Path: C:\odt\Restore-My-Files.txt
- Family: lockbit
- URLs:
  http://lockbit-decryptor.top/?96B283EF5B7ACD4C956975D05400DE35
  http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4C956975D05400DE35
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
    pid   process
    4708  bcdedit.exe
    2328  bcdedit.exe
- Deletes backup catalog
  Processes:
    pid   process
    1636  wbadmin.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe\"" (process dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes:
    pid   process
    1580  dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (all 64 IoCs come from this one process)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    3484  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1580  dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe (both IoCs come from this process)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes (privileges passed to AdjustPrivilegeToken, grouped by process):
    1580  dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
    4556  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    4432  WMIC.exe (the full set is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    4140  wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each write is recorded twice in the report):
    PID 1580 (dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe) wrote to memory of PID 5100 (cmd.exe)
    PID 5100 (cmd.exe) wrote to memory of PID 3484 (vssadmin.exe)
    PID 5100 (cmd.exe) wrote to memory of PID 4432 (WMIC.exe)
    PID 5100 (cmd.exe) wrote to memory of PID 4708 (bcdedit.exe)
    PID 5100 (cmd.exe) wrote to memory of PID 2328 (bcdedit.exe)
    PID 5100 (cmd.exe) wrote to memory of PID 1636 (wbadmin.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dc76447da03688f4c411a9fc4e873aa73d9210cfc2efb524f2bcc95fa5a35e81.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} recoveryenabled no
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      command line: wbadmin delete catalog -quiet
      signatures: Deletes backup catalog
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1580-130-0x0000000000A78000-0x0000000000A8F000-memory.dmp (92KB)
- memory/1580-131-0x0000000002400000-0x0000000002426000-memory.dmp (152KB)
- memory/1580-132-0x0000000000400000-0x00000000007ED000-memory.dmp (3.9MB)
- memory/1636-138-0x0000000000000000-mapping.dmp
- memory/2328-137-0x0000000000000000-mapping.dmp
- memory/3484-134-0x0000000000000000-mapping.dmp
- memory/4432-135-0x0000000000000000-mapping.dmp
- memory/4708-136-0x0000000000000000-mapping.dmp
- memory/5100-133-0x0000000000000000-mapping.dmp