Analysis

max time kernel: 70s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 14:24

Static task: static1

Behavioral task: behavioral1
  Sample: setup_super.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: setup_super.exe
  Resource: win10v2004-20220414-en
General

Target: setup_super.exe
Size: 15KB
MD5: 8d4fcd244f393513976aea570df1ffdd
SHA1: af02515f2b9693f0920f57b6fcbc304743d5f16b
SHA256: c7f353c4ca722da712da454317e9d00b77c9b6cf6194b47009dbd67517cf2abc
SHA512: 485f361c7f09d3ff51e537124dd342e5358551f18de09c7184360dcac0a4f9225d0a267d7be1e2f908980aad743eb5faab68a824bfd1b0282d6bab5a29676b32
Malware Config

Extracted from C:\odt\Restore-My-Files.txt:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
  https://decoding.at/
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
  https://decoding.at
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    5016  bcdedit.exe
    404   bcdedit.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1188  super.exe
    1556  screensaver.exe

Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    File renamed: C:\Users\Admin\Pictures\SendRemove.png => C:\users\admin\pictures\sendremove.png.lockbit (super.exe)
    File renamed: C:\Users\Admin\Pictures\DisableUndo.crw => C:\users\admin\pictures\disableundo.crw.lockbit (super.exe)
    File renamed: C:\Users\Admin\Pictures\WatchGet.tiff => C:\users\admin\pictures\watchget.tiff.lockbit (super.exe)
    File opened for modification: C:\users\admin\pictures\watchget.tiff (super.exe)
    File renamed: C:\Users\Admin\Pictures\RedoConvertTo.tif => C:\users\admin\pictures\redoconvertto.tif.lockbit (super.exe)

  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\screensaver.exe, yara_rule: upx
    resource: C:\Users\Admin\AppData\Local\Temp\screensaver.exe, yara_rule: upx

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (setup_super.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (super.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (super.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{5135B3C8-0E0E-7421-33D0-33788123B203} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\super.exe\"" (super.exe)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (1 IoCs)
  Processes:
    File created: C:\windows\SysWOW64\A63564.ico (super.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes:
    pid   process    occurrences
    1188  super.exe  17
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    640   vssadmin.exe

Modifies registry class (3 IoCs)
  Processes:
    Key created: \Registry\Machine\Software\Classes\.lockbit (super.exe)
    Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon (super.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\A63564.ico" (super.exe)

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes:
    pid   process          occurrences
    3484  setup_super.exe  2
    1188  super.exe        38

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1556  screensaver.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
    Token: SeDebugPrivilege (pid 3484, setup_super.exe)
    Token: SeTakeOwnershipPrivilege (pid 1188, super.exe)
    Token: SeDebugPrivilege (pid 1188, super.exe)
    Token: SeBackupPrivilege (pid 2908, vssvc.exe)
    Token: SeRestorePrivilege (pid 2908, vssvc.exe)
    Token: SeAuditPrivilege (pid 2908, vssvc.exe)
    Tokens (pid 216, WMIC.exe; the following sequence of 21 privileges was recorded twice):
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35, 36

Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid   process
    3484  setup_super.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  Processes:
    pid   process
    3484  setup_super.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    PID 3484 (setup_super.exe) wrote to memory of 1188 (super.exe)        x3
    PID 1188 (super.exe) wrote to memory of 4528 (cmd.exe)                x2
    PID 3484 (setup_super.exe) wrote to memory of 1556 (screensaver.exe)  x3
    PID 3484 (setup_super.exe) wrote to memory of 5116 (cmd.exe)          x2
    PID 4528 (cmd.exe) wrote to memory of 640 (vssadmin.exe)              x2
    PID 5116 (cmd.exe) wrote to memory of 1432 (choice.exe)               x2
    PID 4528 (cmd.exe) wrote to memory of 216 (WMIC.exe)                  x2
    PID 4528 (cmd.exe) wrote to memory of 5016 (bcdedit.exe)              x2
    PID 4528 (cmd.exe) wrote to memory of 404 (bcdedit.exe)               x2
Processes

C:\Users\Admin\AppData\Local\Temp\setup_super.exe
  command: "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\super.exe
    command: "C:\Users\Admin\AppData\Local\Temp\super.exe"
    - Executes dropped EXE
    - Modifies extensions of user files
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      C:\Windows\System32\Wbem\WMIC.exe
        command: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\bcdedit.exe
        command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe
        command: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

    C:\Windows\SysWOW64\mshta.exe
      command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

    C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\super.exe"

      C:\Windows\SysWOW64\PING.EXE
        command: ping 127.0.0.7 -n 3
        - Runs ping.exe

      C:\Windows\SysWOW64\fsutil.exe
        command: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe"

  C:\Users\Admin\AppData\Local\Temp\screensaver.exe
    command: "C:\Users\Admin\AppData\Local\Temp\screensaver.exe" 7C28913B6F1CE6E452678F117954BF4EJ7521E2B4A224740AAF64D5FAD08520ACDF9F8912E7DE
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam

  C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\choice.exe
      command: choice /C Y /N /D Y /T 3

C:\Windows\system32\vssvc.exe
  command: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\screensaver.exe
  Filesize: 272KB
  MD5: f9073cc6566ba11318b425a761f1ce17
  SHA1: d378ce237e83314c9844b4e6ce4867e2783737db
  SHA256: c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
  SHA512: 2a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2
C:\Users\Admin\AppData\Local\Temp\super.exe
  Filesize: 959KB
  MD5: ca4d6c1d508d4add675edb0cf206b1ea
  SHA1: a5c36dc1b1c307de822004f166829dc02f742f45
  SHA256: 70f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e
  SHA512: c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824

C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  Filesize: 46KB
  MD5: c15c6adc8c923ad87981f289025c37b2
  SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
  SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
  SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83