Analysis
- max time kernel: 183s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 14:49
Static task: static1
Behavioral task: behavioral1
  Sample: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  Resource: win10v2004-20220414-en
General
- Target: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
- Size: 252KB
- MD5: 676a80221c30288c2bb8a26bfc549b9a
- SHA1: 1a03cadea471f4a5412628b2995c6e988b0c5073
- SHA256: b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e
- SHA512: d5a0b68bf7702cce1992f7050e4af82ca2be64b0cb5525102fcccbbd14b1aae7ae59a762f368aeb500efc7d193f5507937f1a01f13bed5d3f76664adabf9ab4e
Malware Config
- Extracted from: C:\odt\Restore-My-Files.txt
- Family: lockbit
- URLs:
  - http://lockbit-decryptor.top/?96B283EF5B7ACD4CA9A01F7006C0A55E
  - http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CA9A01F7006C0A55E
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid, process):
    1940  bcdedit.exe
    1668  bcdedit.exe
- Deletes backup catalog
  Processes (pid, process):
    1904  wbadmin.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe; description, ioc):
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe; description, ioc):
    Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe\""
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes (pid, process):
    2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
    (all 64 entries are this same pid and process)
- Drops file in Program Files directory (64 IoCs)
  Processes (b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe; description, ioc):
    File opened for modification  C:\Program Files\7-Zip\Lang\af.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar
    File created                  C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml
    File opened for modification  C:\Program Files\JoinUnlock.mhtml
    File opened for modification  C:\Program Files\7-Zip\Lang\va.txt
    File created                  C:\Program Files\Java\jdk1.8.0_66\db\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar
    File opened for modification  C:\Program Files\7-Zip\Lang\ja.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css
    File created                  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf
    File opened for modification  C:\Program Files\7-Zip\Lang\lt.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_HK.properties
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_HK.properties
    File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h
    File created                  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml
    File opened for modification  C:\Program Files\7-Zip\Lang\eu.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar
    File created                  C:\Program Files\Java\jdk1.8.0_66\db\lib\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
    File opened for modification  C:\Program Files\7-Zip\Lang\nn.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html
    File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar
    File created                  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif
    File created                  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\Restore-My-Files.txt
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\jce.jar
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (vds.exe; description, ioc):
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    2180  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
    2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes (token, pid, process):
    SeTakeOwnershipPrivilege      2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
    SeDebugPrivilege              2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
    SeBackupPrivilege             2344  vssvc.exe
    SeRestorePrivilege            2344  vssvc.exe
    SeAuditPrivilege              2344  vssvc.exe
    SeIncreaseQuotaPrivilege      216   WMIC.exe
    SeSecurityPrivilege           216   WMIC.exe
    SeTakeOwnershipPrivilege      216   WMIC.exe
    SeLoadDriverPrivilege         216   WMIC.exe
    SeSystemProfilePrivilege      216   WMIC.exe
    SeSystemtimePrivilege         216   WMIC.exe
    SeProfSingleProcessPrivilege  216   WMIC.exe
    SeIncBasePriorityPrivilege    216   WMIC.exe
    SeCreatePagefilePrivilege     216   WMIC.exe
    SeBackupPrivilege             216   WMIC.exe
    SeRestorePrivilege            216   WMIC.exe
    SeShutdownPrivilege           216   WMIC.exe
    SeDebugPrivilege              216   WMIC.exe
    SeSystemEnvironmentPrivilege  216   WMIC.exe
    SeRemoteShutdownPrivilege     216   WMIC.exe
    SeUndockPrivilege             216   WMIC.exe
    SeManageVolumePrivilege       216   WMIC.exe
    33                            216   WMIC.exe
    34                            216   WMIC.exe
    35                            216   WMIC.exe
    36                            216   WMIC.exe
    (the 21 WMIC.exe entries above are recorded a second time, in the same order)
    SeBackupPrivilege             3928  wbengine.exe
    SeRestorePrivilege            3928  wbengine.exe
    SeSecurityPrivilege           3928  wbengine.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 2224 wrote to memory of 4900  2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe  cmd.exe
    PID 2224 wrote to memory of 4900  2224  b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe  cmd.exe
    PID 4900 wrote to memory of 2180  4900  cmd.exe  vssadmin.exe
    PID 4900 wrote to memory of 2180  4900  cmd.exe  vssadmin.exe
    PID 4900 wrote to memory of 216   4900  cmd.exe  WMIC.exe
    PID 4900 wrote to memory of 216   4900  cmd.exe  WMIC.exe
    PID 4900 wrote to memory of 1940  4900  cmd.exe  bcdedit.exe
    PID 4900 wrote to memory of 1940  4900  cmd.exe  bcdedit.exe
    PID 4900 wrote to memory of 1668  4900  cmd.exe  bcdedit.exe
    PID 4900 wrote to memory of 1668  4900  cmd.exe  bcdedit.exe
    PID 4900 wrote to memory of 1904  4900  cmd.exe  wbadmin.exe
    PID 4900 wrote to memory of 1904  4900  cmd.exe  wbadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4931c56a04ae78d1676c904e5074ec9e637bad4c0e6184102f97d8ad6e75b7e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/216-135-0x0000000000000000-mapping.dmp
- memory/1668-137-0x0000000000000000-mapping.dmp
- memory/1904-138-0x0000000000000000-mapping.dmp
- memory/1940-136-0x0000000000000000-mapping.dmp
- memory/2180-134-0x0000000000000000-mapping.dmp
- memory/2224-131-0x0000000004F20000-0x0000000004F46000-memory.dmp (filesize 152KB)
- memory/2224-130-0x0000000005028000-0x000000000503E000-memory.dmp (filesize 88KB)
- memory/2224-132-0x0000000000400000-0x0000000004DBB000-memory.dmp (filesize 73.7MB)
- memory/4900-133-0x0000000000000000-mapping.dmp