Resubmissions
24-05-2022 14:41  220524-r2jrgaadeq  score 10

Analysis
max time kernel: 28s
max time network: 50s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
  Resource: win10v2004-20220414-en
General
Target: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
Size: 959KB
MD5: 1923ac09a520ea22858484f88fa6d925
SHA1: bda0ed6db876ce19ebca21b338d4ddcb85d3c340
SHA256: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566
SHA512: ab02d27c045107510441328d5c78eab955444505179456b23737d84147030b37cefc7d7fb05bc541e122e2f91f828fdd4b53bd7747af162eb6d64fc28ded3a9c
Malware Config
Extracted from: C:\program files\7-zip\Restore-My-Files.txt
URLs:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
    pid   process
    2992  bcdedit.exe
    2980  bcdedit.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (all by 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1EA67357-A0A0-C57C-D621-D63CD136DCD2} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe\""
    Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Drops file in System32 directory (1 IoC)
  Processes (by 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe):
    File created  C:\windows\SysWOW64\62A6E2.ico

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes:
    pid   process
    1696  5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe  (6 occurrences, all from this pid)
Drops file in Program Files directory (64 IoCs)
  Processes (all by 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe):
    File opened for modification  C:\program files\dvd maker\rtstreamsource.ax
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\rectangles\navigationup_selectionsubpicture.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\riyadh88
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\meta-inf\manifest.mf
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-modules-options-api.xml
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerevaluators.exsd
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-core-ui.xml
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\flippage\navigationleft_buttongraphic.png
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\huecycle\colorcycle.png
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\specialoccasion\specialnavigationup_selectionsubpicture.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\australia\eucla
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\hst
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\license
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\huecycle\15x15dot.png
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\travel\travelintrotomainmask.wmv
    File opened for modification  C:\program files\dvd maker\soniccolorconverter.ax
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\cst6cdt
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\7-zip\lang\he.txt
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\sports\highlight.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\utc
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_cn.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\deploy.jar
    File created                  C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\Restore-My-Files.txt
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\midway
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar
    File created                  C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\Restore-My-Files.txt
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\meta-inf\manifest.mf
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\rectangles\1047x576_91n92.png
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\stacking\720x480icongraphic.png
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\stacking\navigationup_buttongraphic.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-spi-quicksearch.xml
    File opened for modification  C:\program files\java\jdk1.7.0_80\include\win32\bridge\accessbridgecalls.h
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\ust-nera
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse_.rsa
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winclassictsframe.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\huecycle\navigationright_buttongraphic.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\meta-inf\eclipse_.sf
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info
    File opened for modification  C:\program files\dvd maker\shared\dvdstyles\heart_buttongraphic.png
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\tools.jar
    File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    2696  vssadmin.exe
Modifies registry class (3 IoCs)
  Processes (all by 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe):
    Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\62A6E2.ico"
    Key created      \Registry\Machine\Software\Classes\.lockbit

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1696  5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  1696  5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
    Token: SeDebugPrivilege          1696  5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
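The three registry signatures above are more telling when read together than one IoC at a time: the Run value points back at the sample's own copy in the user's Temp directory, and the new .lockbit extension class gets a DefaultIcon that is exactly the .ico the same process had just dropped into SysWOW64. The script below is an added example for this report (not Triage's or the sample's code). It parses the IoC lines in the text layout the report uses (that reading of the layout is the example's own), normalises the escaped string data, and applies two correlation heuristics: a Run or RunOnce value whose target lives in a staging directory such as AppData\Local\Temp, and a freshly registered file-extension class whose icon is one of the files this run created.

```python
"""Heuristics over the registry and file IoCs listed in the signatures above.

Added example for this Triage report; not Triage's or the sample's own code.
The IoC lines are copied from the report's "Adds Run key", "Drops file in
System32 directory" and "Modifies registry class" tables. The parsing of
that text layout is this example's own reading of it.
"""
import re

# IoC lines as they appear in the report (constructed list, copied verbatim).
IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\{1EA67357-A0A0-C57C-D621-D63CD136DCD2}'
    r' = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\'
    r'5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe\""',
    r'Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    r'File created C:\windows\SysWOW64\62A6E2.ico',
    r'Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\62A6E2.ico"',
    r'Key created \Registry\Machine\Software\Classes\.lockbit',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)"$', re.I)
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+)$', re.I)
FILE_RE = re.compile(r'^File created (.+)$', re.I)

# Heuristics (this example's own thresholds, not Triage signatures).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
STAGING = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\ProgramData\\", re.I)
EXT_ICON = re.compile(r"\\Classes\\(\.[^\\]+)\\DefaultIcon$", re.I)


def unescape(s):
    """Undo the escaping the report applies to string data (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_ioc(line):
    """Parse one IoC line into a dict, or None if the layout is not recognised."""
    m = SET_RE.match(line)
    if m:
        kind, full, raw = m.groups()
        key, _, name = full.rpartition("\\")  # empty name == the key's default value
        return {"op": "set", "type": kind, "key": key, "name": name, "data": unescape(raw)}
    m = KEY_RE.match(line)
    if m:
        return {"op": "key", "key": m.group(1)}
    m = FILE_RE.match(line)
    if m:
        return {"op": "file", "path": m.group(1)}
    return None


def analyze(lines):
    """Correlate registry writes with files dropped in the same run; return findings."""
    iocs = [p for p in map(parse_ioc, lines) if p]
    dropped = {p["path"].lower() for p in iocs if p["op"] == "file"}
    findings = []
    for p in iocs:
        if p["op"] != "set":
            continue
        target = p["data"].strip('"')  # the Run value is itself a quoted path
        if RUN_KEY.search(p["key"]) and STAGING.search(target):
            findings.append(f"Run-key persistence from a staging directory: "
                            f"{p['name']} -> {target}")
        m = EXT_ICON.search(p["key"])
        if m:
            seen = ("dropped in this run" if target.lower() in dropped
                    else "not seen among dropped files")
            findings.append(f"file-extension class {m.group(1)} registered with "
                            f"DefaultIcon -> {target} ({seen})")
    return findings


if __name__ == "__main__":
    for finding in analyze(IOCS):
        print(finding)
```

Both heuristics fire on the report's IoCs. The first one is worth keeping narrow: a Run value pointing into Program Files is routine, one pointing into a user's Temp directory almost never is. The second one needs the file events from the same run, which is why the example parses "File created" lines alongside the registry ones rather than looking at the registry alone.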
Processes
(depth, image path, command line, matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
    "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

    [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"

        [3] C:\Windows\SysWOW64\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"

[1] C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit

[1] C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit

[1] C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete

[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

[1] C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    - Interacts with shadow copies

[1] C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    - Runs ping.exe
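Two cmd.exe chains carry the behaviour that matters in the tree above. The first deletes shadow copies twice (vssadmin, then wmic shadowcopy) and then uses bcdedit to turn off the recovery environment and boot-failure handling. The second waits three loopback pings, zeroes the first 524288 bytes of the dropper with fsutil setZeroData, and deletes it. Two details are worth a practitioner's attention: the bcdedit, WMIC, vssadmin and PING entries are listed at depth 1 in the report although their command lines are exactly the sub-commands of those two chains, so parent linkage was lost and a detection should not rely on it; and the second cmd.exe has a SysWOW64 image path while its command line names System32, which is WOW64 file-system redirection acting on a 32-bit parent (consistent with the sample dropping its icon into SysWOW64). The script below is an added example for this report (not Triage's, Sysmon's or the sample's code). It splits a cmd.exe chain on unquoted separators, matches each sub-command against rules for the recovery-inhibition commands seen here, and correlates del/fsutil targets with the parent image to call out self-deletion. The event records are constructed to mirror the tree: the command lines are copied from it, pid 1696 is the sample's, and every other pid, the sample's parent image and the ATT&CK mapping are the example's own assumptions.

```python
"""Detection heuristics for the cmd.exe chains in the process tree above.

Added example for this Triage report; not Triage's, Sysmon's or the sample's
own code. EVENTS mirrors the tree: command lines are copied from it, pid 1696
is the sample's, every other pid and the parent image of the sample itself are
invented so the script runs offline. The T-numbers are this example's mapping.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe")

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"pid": 1696, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 3001, "image": r"C:\Windows\System32\cmd.exe", "parent_image": SAMPLE,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet'
                ' & wmic shadowcopy delete'
                ' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                ' & bcdedit /set {default} recoveryenabled no'},
    {"pid": 3002, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                f' & fsutil file setZeroData offset=0 length=524288 "{SAMPLE}"'
                f' & Del /f /q "{SAMPLE}"'},
    # Benign chain for contrast: enumerates only, deletes nothing, must not fire.
    {"pid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c bcdedit /enum & vssadmin list shadows'},
]

# A leading `"...\cmd.exe" /c` (or /k) is stripped before the chain is split.
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
TARGET_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
PING_DELAY = re.compile(r"^ping(?:\.exe)?\s+127\.\d+\.\d+\.\d+\b.*\s-n\s+\d+", re.I)
WIPE_OR_DEL = re.compile(r"^(?:del|erase|fsutil)\b", re.I)

# (pattern over one sub-command, label). Each rule is one command from the tree.
RULES = [
    (re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
     "T1490 shadow copies deleted (vssadmin)"),
    (re.compile(r"^wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
     "T1490 shadow copies deleted (wmic)"),
    (re.compile(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
     "T1490 Windows recovery environment disabled (bcdedit)"),
    (re.compile(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
     "T1490 boot-failure recovery suppressed (bcdedit)"),
    (re.compile(r"^fsutil(?:\.exe)?\s+file\s+setzerodata\b", re.I),
     "T1070 file contents zeroed (fsutil setZeroData)"),
]


def split_chain(cmdline):
    """Return the sub-commands of a cmd.exe chain, split on unquoted & / && / | / ||."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch in "&|" and not quoted:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def analyze(event):
    """Return de-duplicated labels for one process-creation event."""
    parts = split_chain(event["cmdline"])
    parent = (event.get("parent_image") or "").lower()
    labels, wipes_parent = [], False
    for part in parts:
        labels.extend(label for rx, label in RULES if rx.search(part))
        target = TARGET_RE.search(part)
        # Correlation rather than a bare string match: del or fsutil aimed at
        # the parent's own image is the dropper removing itself.
        if target and WIPE_OR_DEL.match(part) and target.group(1).lower() == parent:
            labels.append("T1070 parent image wiped or deleted (self-deletion)")
            wipes_parent = True
    if wipes_parent and any(PING_DELAY.match(p) for p in parts):
        labels.append("loopback ping used as a delay before self-deletion")
    return list(dict.fromkeys(labels))


def run(events):
    """Map pid -> labels for every event that triggered at least one rule."""
    result = {}
    for ev in events:
        labels = analyze(ev)
        if labels:
            result[ev["pid"]] = labels
    return result


if __name__ == "__main__":
    for pid, labels in run(EVENTS).items():
        print(pid)
        for label in labels:
            print("  ", label)
```

Matching on the sub-commands of the chain rather than on the child processes is deliberate: the report shows the children detached from their cmd.exe parent, but the full chain is visible in the parent's command line at the moment cmd.exe is created, which is also before vssadmin has run. The benign event shows the rules are keyed on the destructive verbs (delete, /set ... no) and not on the tool names alone.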
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/388-62-0x0000000000000000-mapping.dmp
memory/1696-54-0x0000000076171000-0x0000000076173000-memory.dmp  (8KB)
memory/2684-61-0x0000000000000000-mapping.dmp
memory/2900-57-0x0000000000000000-mapping.dmp
memory/2980-58-0x0000000000000000-mapping.dmp
memory/2992-59-0x0000000000000000-mapping.dmp
memory/3056-60-0x0000000000000000-mapping.dmp