Analysis

max time kernel: 183s
max time network: 100s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 07:27

Static task: static1

Behavioral task: behavioral1
Sample: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe
Resource: win10v2004-20220414-en
General

Target: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe
Size: 380KB
MD5: 99f0cffadb9b779f276607c99ffca7e0
SHA1: 05e9419c9eacf7a7cb84611148156a1e47cdf8ca
SHA256: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b
SHA512: d20d9890e695a72488ea365a406017df01f71235722ccdcc96e921af532da5e216f88570e3e93d227efb9a6c99e5e42fd189d29b18433ee3c9999e1dc959b6b6
Malware Config

Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URLs:
http://lockbit-decryptor.top/?96B283EF5B7ACD4C9F9A1CC242625249
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4C9F9A1CC242625249
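The two URLs above share one 32-hex-digit query string, which is the value an analyst wants out of a dropped note: it ties the infection to a victim record on the operator's side. The extractor below is an added example, not Triage's own config parser; the note body it runs on is constructed here and only the two URLs are taken from the report. It returns the victim ID once and refuses notes whose links disagree, since that usually means an edited note or a stray link matched.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the body of Restore-My-Files.txt: only the two URLs
# are taken from the report above, the surrounding wording is invented here.
SAMPLE_NOTE = """All your important files are encrypted!
To get the decryptor, visit one of the links below (Tor Browser is needed for .onion):
http://lockbit-decryptor.top/?96B283EF5B7ACD4C9F9A1CC242625249
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4C9F9A1CC242625249
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# The report's URLs carry the victim ID as a bare 32-hex-digit query string.
VICTIM_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def extract_lockbit_config(note_text):
    """Pull the decryptor URLs and the victim ID out of a LockBit-style ransom note.

    Returns a dict with the inferred family, the victim ID, and the onion and
    clearnet URLs. Raises ValueError when no URL is present or when the URLs
    disagree about the ID.
    """
    onion, clearnet, ids, hosts = [], [], set(), set()
    for url in URL_RE.findall(note_text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        hosts.add(host)
        # Drop trailing punctuation a note writer may have glued onto the link.
        query = parsed.query.rstrip(".,;)")
        if VICTIM_ID_RE.match(query):
            ids.add(query.upper())
        (onion if host.endswith(".onion") else clearnet).append(url)
    if not onion and not clearnet:
        raise ValueError("no URLs found in note")
    if len(ids) != 1:
        raise ValueError(f"expected exactly one victim ID, found {sorted(ids)}")
    # Family attribution here rests only on the hostnames seen in this report.
    family = "lockbit" if any("lockbit" in h for h in hosts) else "unknown"
    return {
        "family": family,
        "victim_id": ids.pop(),
        "onion_urls": onion,
        "clearnet_urls": clearnet,
    }


if __name__ == "__main__":
    print(extract_lockbit_config(SAMPLE_NOTE))
```

Run it against every Restore-My-Files.txt recovered from a host: the victim ID should be identical across all of them; a differing ID inside one environment points at a second, separate infection.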
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
pid 2984 bcdedit.exe
pid 2996 bcdedit.exe

Deletes backup catalog
Processes:
pid 3008 wbadmin.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe
Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe\""
The value XO1XADpO01 points back at the sample's own path under %TEMP%, so it is re-launched at the next logon of this user.
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes:
pid 952 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe (all 64 IoCs come from this one process)
ThreadHideFromDebugger stops the calling thread from delivering debug events, so an attached debugger loses control of it; a common anti-analysis technique.
Drops file in Program Files directory (64 IoCs)
Processes: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe (all 64 events below are attributed to this process)
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Restore-My-Files.txt
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Restore-My-Files.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml
File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar
File opened for modification C:\Program Files\Java\jre7\Welcome.html
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST5EDT
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Athens
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\Restore-My-Files.txt
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\Restore-My-Files.txt
File opened for modification C:\Program Files\7-Zip\Lang\an.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Restore-My-Files.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Havana
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cancun
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar
File opened for modification C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Restore-My-Files.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\Restore-My-Files.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png
File opened for modification C:\Program Files\Java\jre7\lib\management-agent.jar
File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan
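The list above shows the two file-system signals that make ransomware stand out from an installer: existing files under Program Files opened for modification in bulk, and one note file (Restore-My-Files.txt) created in directory after directory by the same process. The parser and rule below are an added example, not part of the Triage report; they read IoC lines in exactly the format printed above (ten lines copied from the list, plus two constructed lines for a hypothetical msiexec.exe install so the rule has a benign process to ignore) and flag a process only when both signals are present.

```python
import ntpath
import re
from collections import defaultdict

SAMPLE_EXE = "17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe"
NOTE_NAME = "Restore-My-Files.txt"

# Ten IoC lines copied from the report's list above, plus two constructed lines
# for a hypothetical msiexec.exe install touching 7-Zip (benign activity).
IOC_LINES = rf"""
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa {SAMPLE_EXE}
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png {SAMPLE_EXE}
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello {SAMPLE_EXE}
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Restore-My-Files.txt {SAMPLE_EXE}
File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar {SAMPLE_EXE}
File opened for modification C:\Program Files\7-Zip\Lang\an.txt {SAMPLE_EXE}
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Restore-My-Files.txt {SAMPLE_EXE}
File opened for modification C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui {SAMPLE_EXE}
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Restore-My-Files.txt {SAMPLE_EXE}
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\Restore-My-Files.txt {SAMPLE_EXE}
File opened for modification C:\Program Files\7-Zip\7-zip.dll msiexec.exe
File created C:\Program Files\7-Zip\History.txt msiexec.exe
"""

# "<action> <path with spaces> <process>": the process name is the last
# whitespace-free token, everything in between is the path.
LINE_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")


def parse_ioc_line(line):
    """Split one report line into (action, path, process), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action = "created" if m.group(1) == "created" else "modified"
    return action, m.group(2), m.group(3)


def summarize(lines):
    """Per process: directories that received a ransom note, and how many
    existing files were opened for modification."""
    stats = defaultdict(lambda: {"note_dirs": set(), "modified": 0})
    for line in lines.splitlines():
        parsed = parse_ioc_line(line)
        if parsed is None:
            continue
        action, path, proc = parsed
        # ntpath handles backslash paths regardless of the analyst's own OS.
        if action == "created" and ntpath.basename(path).lower() == NOTE_NAME.lower():
            stats[proc]["note_dirs"].add(ntpath.dirname(path).lower())
        elif action == "modified":
            stats[proc]["modified"] += 1
    return stats


def flag_ransomware(lines, min_note_dirs=3, min_modified=5):
    """Return the processes matching the note-drop fan-out pattern: the same
    note file created in several directories while many existing files are
    rewritten in place. Both thresholds are assumptions, not values from the report."""
    return sorted(
        proc for proc, s in summarize(lines).items()
        if len(s["note_dirs"]) >= min_note_dirs and s["modified"] >= min_modified
    )


if __name__ == "__main__":
    for proc, s in summarize(IOC_LINES).items():
        print(f"{proc}: {len(s['note_dirs'])} note dirs, {s['modified']} files modified")
    print("flagged:", flag_ransomware(IOC_LINES))
```

Requiring both signals matters: a patch or uninstall legitimately rewrites many files under Program Files, and a single note in one directory is noise, but one process doing both within the same capture is the ransomware pattern the 64 IoCs above document.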
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 684 vssadmin.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid 952 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe, vssvc.exe, WMIC.exe, wbengine.exe
pid 952 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
pid 1156 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 2896 WMIC.exe (the following 20 privileges are enabled twice, 40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege)
pid 3056 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
The WMIC entries are wmic.exe enabling every privilege available to the token at startup, which it does on any invocation; the sample's own SeTakeOwnershipPrivilege and SeDebugPrivilege, and the backup/restore privileges taken by vssvc.exe and wbengine.exe while servicing the deletion requests, are the entries worth attention.
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe, cmd.exe
PID 952 (17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe) wrote to memory of 1588 (cmd.exe): 4 events
PID 1588 (cmd.exe) wrote to memory of 684 (vssadmin.exe): 3 events
PID 1588 (cmd.exe) wrote to memory of 2896 (WMIC.exe): 3 events
PID 1588 (cmd.exe) wrote to memory of 2984 (bcdedit.exe): 3 events
PID 1588 (cmd.exe) wrote to memory of 2996 (bcdedit.exe): 3 events
PID 1588 (cmd.exe) wrote to memory of 3008 (wbadmin.exe): 3 events
Processes

C:\Users\Admin\AppData\Local\Temp\17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe (pid 952)
    "C:\Users\Admin\AppData\Local\Temp\17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (pid 1588)
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (pid 684)
            vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        C:\Windows\System32\Wbem\WMIC.exe (pid 2896)
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\bcdedit.exe (pid 2984)
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
        C:\Windows\system32\bcdedit.exe (pid 2996)
            bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
        C:\Windows\system32\wbadmin.exe (pid 3008)
            wbadmin delete catalog -quiet
            - Deletes backup catalog

C:\Windows\system32\vssvc.exe (pid 1156)
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (pid 3056)
    "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe

The single cmd.exe command line chains five recovery-inhibition steps: delete all VSS snapshots (once via vssadmin, again via WMI in case the first is blocked), stop the default boot entry from falling back into automatic repair or the recovery environment (bootstatuspolicy ignoreallfailures, recoveryenabled no), and delete the Windows Backup catalog. vssvc.exe (Volume Shadow Copy service), wbengine.exe (Windows Backup engine), vdsldr.exe and vds.exe (Virtual Disk Service) appear at the top level because they are service processes started on demand by those requests, not children of the sample.
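The tree above is the detection opportunity: one parent spawning vssadmin, wmic, bcdedit (twice) and wbadmin in quick succession, or a single cmd /c line that chains all five. The detector below is an added example, not part of the report or of Triage; it runs over process-creation events rebuilt from the tree (pid, parent pid, image, command line as shown above; the sample's own parent pid 1340 and the two benign events under pid 4000 are constructed) and credits each matched step both to the process whose command line contains it and to that process's parent, so the chaining cmd.exe and the sample that launched it are both flagged while the one-step children are not.

```python
import re
from collections import defaultdict

SAMPLE_EXE = "17b2425219679a71a06aa53f87d45dcca15f54d3473565f68f5163c54c3c371b.exe"

# One rule per recovery-inhibition step seen in the process tree above.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

# Process-creation events rebuilt from the tree above. The sample's parent
# pid 1340 and the two events under pid 4000 (an admin listing snapshots and
# starting a backup) are constructed to give the detector benign input.
EVENTS = [
    {"pid": 952, "ppid": 1340, "image": SAMPLE_EXE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE_EXE + '"'},
    {"pid": 1588, "ppid": 952, "image": "cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet '
                '& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures '
                '& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    {"pid": 684, "ppid": 1588, "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2896, "ppid": 1588, "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 2984, "ppid": 1588, "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2996, "ppid": 1588, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 3008, "ppid": 1588, "image": "wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4100, "ppid": 4000, "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 4200, "ppid": 4000, "image": "wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]


def match_rules(cmdline):
    """Names of the recovery-inhibition steps present in one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def detect(events, min_steps=2):
    """Flag every process to which at least min_steps distinct steps are
    attributable: its own command line chains them (cmd /c a & b & c), or its
    children each run one. Returns findings sorted by pid."""
    image_of = {ev["pid"]: ev["image"] for ev in events}
    steps = defaultdict(set)
    for ev in events:
        hits = match_rules(ev["cmdline"])
        steps[ev["pid"]].update(hits)    # chained on its own command line
        steps[ev["ppid"]].update(hits)   # or spread across its children
    return [
        {"pid": pid, "image": image_of.get(pid, "<not in capture>"), "steps": sorted(s)}
        for pid, s in sorted(steps.items())
        if len(s) >= min_steps
    ]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding["pid"], finding["image"], ", ".join(finding["steps"]))
```

The two-step threshold is what keeps this quiet on real administration: a backup job or a snapshot listing never matches, and even a lone "vssadmin delete shadows" from an admin cleaning up disk space only becomes an alert when it is paired with a second step under the same parent.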
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\??\PIPE\srvsvc
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These four digests are the well-known hashes of zero-byte input: the captured srvsvc named-pipe artifact is empty and carries no content to analyse.

memory/684-59-0x0000000000000000-mapping.dmp
memory/952-54-0x00000000769D1000-0x00000000769D3000-memory.dmp (8KB)
memory/952-55-0x0000000000D1A000-0x0000000000D30000-memory.dmp (88KB)
memory/952-56-0x0000000000220000-0x0000000000246000-memory.dmp (152KB)
memory/952-57-0x0000000000400000-0x0000000000C3B000-memory.dmp (8.2MB)
memory/1588-58-0x0000000000000000-mapping.dmp
memory/2896-60-0x0000000000000000-mapping.dmp
memory/2984-61-0x0000000000000000-mapping.dmp
memory/2996-62-0x0000000000000000-mapping.dmp
memory/3008-63-0x0000000000000000-mapping.dmp
memory/3008-64-0x000007FEFC331000-0x000007FEFC333000-memory.dmp (8KB)