Analysis
- max time kernel: 145s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 14:49
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  - Resource: win10v2004-20220414-en
General
- Target: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
- Size: 252KB
- MD5: 676a80221c30288c2bb8a26bfc549b9a
- SHA1: 1a03cadea471f4a5412628b2995c6e988b0c5073
- SHA256: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e
- SHA512: d5a0b68bf7702cce1992f7050e4af82ca2be64b0cb5525102fcccbbd14b1aae7ae59a762f368aeb500efc7d193f5507937f1a01f13bed5d3f76664adabf9ab4e
Malware Config
- Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
- Family: lockbit
- URLs:
  - http://lockbit-decryptor.top/?96B283EF5B7ACD4CBF37248AB20916DD
  - http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CBF37248AB20916DD
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
  - 2796 bcdedit.exe
  - 2808 bcdedit.exe
- Deletes backup catalog
  Processes:
  - 2820 wbadmin.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe\""
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes:
  - 1212 b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe (the same process and PID is reported for all 64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - 1936 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - 1212 b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes and the token privileges they adjusted:
  - 1212 b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
  - 2044 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - 2720 WMIC.exe (the following sequence is reported twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 2880 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (source PID wrote to the memory of target PID):
  - 1212 b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe -> 1072 cmd.exe (4 times)
  - 1072 cmd.exe -> 1936 vssadmin.exe (3 times)
  - 1072 cmd.exe -> 2720 WMIC.exe (3 times)
  - 1072 cmd.exe -> 2796 bcdedit.exe (3 times)
  - 1072 cmd.exe -> 2808 bcdedit.exe (3 times)
  - 1072 cmd.exe -> 2820 wbadmin.exe (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Downloads
- memory/1072-55-0x0000000000000000-mapping.dmp
- memory/1212-54-0x0000000075701000-0x0000000075703000-memory.dmp (Filesize: 8KB)
- memory/1212-57-0x0000000004F5B000-0x0000000004F72000-memory.dmp (Filesize: 92KB)
- memory/1212-58-0x0000000000220000-0x0000000000246000-memory.dmp (Filesize: 152KB)
- memory/1212-59-0x0000000000400000-0x0000000004DBB000-memory.dmp (Filesize: 73.7MB)
- memory/1936-56-0x0000000000000000-mapping.dmp
- memory/2720-60-0x0000000000000000-mapping.dmp
- memory/2796-61-0x0000000000000000-mapping.dmp
- memory/2808-62-0x0000000000000000-mapping.dmp
- memory/2820-63-0x0000000000000000-mapping.dmp
- memory/2820-64-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp (Filesize: 8KB)