lockbit | b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893

Analysis

max time kernel
72s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-08-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Size

81KB
MD5

3ee21dbaa37d0048e2e174cb41a664d6
SHA1

f7799dc7530c3234dd2d5c11b74361b7ec1daefb
SHA256

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893
SHA512

7cfcc286522cc1d70f4f0d83e8a6e9ed27a7b94ead3f272a271ce1bf6708c91b0f19ddbf7cdebe44239c903142bd8f9b1949d17cbce0dd39e9491acb9744e947
SSDEEP

1536:+uBQrT1eLBBdU/1GJj4UgvpedwwtVNUmrTF3MqqU+hV2xQie:+uBUwX0C4Vvs2wT+mr5MqqD/Fi

Score

10^/10

lockbit evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! There is only one way to get your files back: 1. Contact with us 2. Send us 1 any encrypted your file and your personal key 3. We will decrypt 1 file for test(maximum file size - 1 MB), its guarantee what we can decrypt your files 4. Pay 5. We send for you decryptor software We accept Bitcoin Attention! Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price(they add their fee to our) Contact information: [email protected] Be sure to duplicate your message on the e-mail: [email protected] Your personal id: �iWZuyP7ksR1Dh7AUQsobNSR01MgVTLtA2LqvnBDjLUDRgCze3ZT/+vRJCA4Oy8nX 6ZIwIhvr29lEG8CE9LjB7TsMiKpqXp5oeBdq0ut9gGUbUYJXLrkErCdHmEnc9var DiJCJ73OFL2eFytIWWY/MV3lli3E7teh6QdzYazYG34ODSUu8UKSVUBfr6qIAUUA krCL9GIYdUA+BoDFEludWqgGAa/ZlsBvGHGhR8/hJBneEY3eKIZJNMHHKVJCwnYp jp2C7igsls8c7H2k53ddsmpFM9oftSvK+g67olChGiKnuHVojfe09xq/OG5uogkI a3KV5DBtZ6g0tkSt93aH/WqiyvxoRGJWKVoxOXz9oo5I10Pm1tdFjc/BBWX8mEsd KN1qrZRsIIbJ0+vOJYK9F6VZfD0hPTiqxvijv7tC5BLCXMin+2QoRrykzC6idi+a Sw11hnowI3FyJC9GpJj7G4YhHFBvL/cckdsaCc430D+TMjVMgqHuoUN75Lnzohi2 crWw+SAXOwk+DmRZ2KpPMgoIjRrLHiuReLN5ekKNii/E6fo19o5AGH3r9cYYh1XH sVf3ib7e8+TM4C0jLsawCgTYispQ8RD9WrNCF9sgoW/FYM8PFQIbDjUBTpfmNRR7 9kZafCdzaLsDdqn2/1qXO05MULT8BeF7239FwWc8tNNRoLDhgXlKob7X4GqrCB3N 6ezZobJC6fkG2Cbt6xfgM9Hj4Qxzagbmvy5YrXfC1yls80K2Du+8XsGdWiOaSouY QShfGxp/CKjdiZSFV/25FgQEjdi7HKrbdGY1NC9T4Ho7789kz/KJMsHEwlnzrajD MSICVv4IwvZo1zYB6PhkdnfqxScaoR9YVi3C/1D/uznVFFMK2bW7LCAWCto0d996 Kp/oameloWu3Qt4iBHSBbmF8QPfLXHVitVQmZtmJyxesOr5bwUGx9JmkTAbuD5LY 73kqH5QETaGTAqTkEUbHrAiyWvCMgRjSWArqzpe2ykWtnG4/iubB2M7/ylieVnLo XOptqZeZOBa2T0EZHqi1QQKwVqYgkJ9jnpfPjdAprUpLHsxmmMSWuLmnJ6PePdQR ccWhqJFD+4JGF6NVXQC5wj3ZAoLHCHEgD5zdwnuepn3RNtEqYtxyrdyecIcGh/ZA qPif6fifCEKHj7wTNGnrb8m39Hgcha3+pM06cYIjhjk+f0yOOUG54Bd6Zpft2Jyy rFd5kBw2KYELSNXxLF7G7PO75FgfPMd++DDvZHoMEHGCuj5eziNOzejfyj+/kE6F xqyb7iZQvGSvykx201RN+pWQG3zmWmPrTK4dPH1aW6vL+uGP1R9kiKuKL510HYDg Iiptsc1KC8FQutx7XchkW3n4pRjKmVCs34uosmLjgKbp77q3VtA+8waqvm+CgBlS CFPJSDdCbFeX0z16DoNa2EGTfdemEwkJbfA7yIBJtQrFjKUhH1pZV2zTQc7jMRvF thcz4Cwl5J2rjf1r3gE02jQ5pX/UZtGyT8TL3zjPLYw9ZpbJkeC6o4lravEWu8C3 l3ByS2Vn+Vf+knqBLc5oHdXKrA1heKDskvZ5USTr9mGgIC1e0ncEmKCQ19TaDvTU viSCa7LkQNePBivutd7spGuzSgcTT6EV2X32ONt7OotvFW0VZXUchFmJVm9MZCVO SPlARno1ypvo7GueAHyZWAV/PcKiWnCmpakk19p0yrM=

Emails

[email protected]

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2748 bcdedit.exe
2780 bcdedit.exe
2636 bcdedit.exe
2652 bcdedit.exe
2812 bcdedit.exe
2928 bcdedit.exe
1444 bcdedit.exe
1000 bcdedit.exe
Deletes System State backups 3 TTPs 6 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

2812 wbadmin.exe
2888 wbadmin.exe
2984 wbadmin.exe
2864 wbadmin.exe
2676 wbadmin.exe
2900 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2708 wbadmin.exe

pid	process
2748	bcdedit.exe
2780	bcdedit.exe
2636	bcdedit.exe
2652	bcdedit.exe
2812	bcdedit.exe
2928	bcdedit.exe
1444	bcdedit.exe
1000	bcdedit.exe

pid	process
2812	wbadmin.exe
2888	wbadmin.exe
2984	wbadmin.exe
2864	wbadmin.exe
2676	wbadmin.exe
2900	wbadmin.exe

pid	process
2708	wbadmin.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\NewComplete.tiff	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Users\Admin\Pictures\TraceJoin.tiff	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\CopyEdit.tif => C:\Users\Admin\Pictures\CopyEdit.tif.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\WatchExport.raw => C:\Users\Admin\Pictures\WatchExport.raw.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\TraceJoin.tiff => C:\Users\Admin\Pictures\TraceJoin.tiff.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\UnblockReceive.tif => C:\Users\Admin\Pictures\UnblockReceive.tif.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Users\Admin\Pictures\SearchTest.tiff	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\BlockNew.crw => C:\Users\Admin\Pictures\BlockNew.crw.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\NewComplete.tiff => C:\Users\Admin\Pictures\NewComplete.tiff.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\SearchTest.tiff => C:\Users\Admin\Pictures\SearchTest.tiff.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2704 cmd.exe

pid	process
2704	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Drops file in Program Files directory 64 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00788_.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME05.CSS	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\1100.accdt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESP98.POC	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.ELM	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107746.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcfr.dll.mui	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Drops file in Windows directory 18 IoCs

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

2508 vssadmin.exe
2656 vssadmin.exe
2516 vssadmin.exe
1700 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3016 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

pid process

1244 b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

pid	process
2508	vssadmin.exe
2656	vssadmin.exe
2516	vssadmin.exe
1700	vssadmin.exe

pid	process
3016	PING.EXE

pid	process
1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exevssvc.exewmic.exeWMIC.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Token: SeDebugPrivilege	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Token: SeBackupPrivilege	2544	vssvc.exe
Token: SeRestorePrivilege	2544	vssvc.exe
Token: SeAuditPrivilege	2544	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2944	wmic.exe
Token: SeSecurityPrivilege	2944	wmic.exe
Token: SeTakeOwnershipPrivilege	2944	wmic.exe
Token: SeLoadDriverPrivilege	2944	wmic.exe
Token: SeSystemProfilePrivilege	2944	wmic.exe
Token: SeSystemtimePrivilege	2944	wmic.exe
Token: SeProfSingleProcessPrivilege	2944	wmic.exe
Token: SeIncBasePriorityPrivilege	2944	wmic.exe
Token: SeCreatePagefilePrivilege	2944	wmic.exe
Token: SeBackupPrivilege	2944	wmic.exe
Token: SeRestorePrivilege	2944	wmic.exe
Token: SeShutdownPrivilege	2944	wmic.exe
Token: SeDebugPrivilege	2944	wmic.exe
Token: SeSystemEnvironmentPrivilege	2944	wmic.exe
Token: SeRemoteShutdownPrivilege	2944	wmic.exe
Token: SeUndockPrivilege	2944	wmic.exe
Token: SeManageVolumePrivilege	2944	wmic.exe
Token: 33	2944	wmic.exe
Token: 34	2944	wmic.exe
Token: 35	2944	wmic.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe
Token: SeLoadDriverPrivilege	2996	WMIC.exe
Token: SeSystemProfilePrivilege	2996	WMIC.exe
Token: SeSystemtimePrivilege	2996	WMIC.exe
Token: SeProfSingleProcessPrivilege	2996	WMIC.exe
Token: SeIncBasePriorityPrivilege	2996	WMIC.exe
Token: SeCreatePagefilePrivilege	2996	WMIC.exe
Token: SeBackupPrivilege	2996	WMIC.exe
Token: SeRestorePrivilege	2996	WMIC.exe
Token: SeShutdownPrivilege	2996	WMIC.exe
Token: SeDebugPrivilege	2996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2996	WMIC.exe
Token: SeRemoteShutdownPrivilege	2996	WMIC.exe
Token: SeUndockPrivilege	2996	WMIC.exe
Token: SeManageVolumePrivilege	2996	WMIC.exe
Token: 33	2996	WMIC.exe
Token: 34	2996	WMIC.exe
Token: 35	2996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe
Token: SeLoadDriverPrivilege	2996	WMIC.exe
Token: SeSystemProfilePrivilege	2996	WMIC.exe
Token: SeSystemtimePrivilege	2996	WMIC.exe
Token: SeProfSingleProcessPrivilege	2996	WMIC.exe
Token: SeIncBasePriorityPrivilege	2996	WMIC.exe
Token: SeCreatePagefilePrivilege	2996	WMIC.exe
Token: SeBackupPrivilege	2996	WMIC.exe
Token: SeRestorePrivilege	2996	WMIC.exe
Token: SeShutdownPrivilege	2996	WMIC.exe
Token: SeDebugPrivilege	2996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2996	WMIC.exe
Token: SeRemoteShutdownPrivilege	2996	WMIC.exe
Token: SeUndockPrivilege	2996	WMIC.exe
Token: SeManageVolumePrivilege	2996	WMIC.exe
Token: 33	2996	WMIC.exe
Token: 34	2996	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.execmd.exe

description	pid	process	target process
PID 1244 wrote to memory of 1164	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 1244 wrote to memory of 1164	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 1244 wrote to memory of 1164	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 1244 wrote to memory of 1164	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 1164 wrote to memory of 2508	1164	cmd.exe	vssadmin.exe
PID 1164 wrote to memory of 2508	1164	cmd.exe	vssadmin.exe
PID 1164 wrote to memory of 2508	1164	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 2656	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2656	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2656	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2656	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2748	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2748	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2748	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2748	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2780	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2780	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2780	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2780	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2888	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2888	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2888	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2888	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2944	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 1244 wrote to memory of 2944	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 1244 wrote to memory of 2944	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 1244 wrote to memory of 2944	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 1164 wrote to memory of 2996	1164	cmd.exe	WMIC.exe
PID 1164 wrote to memory of 2996	1164	cmd.exe	WMIC.exe
PID 1164 wrote to memory of 2996	1164	cmd.exe	WMIC.exe
PID 1244 wrote to memory of 2516	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2516	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2516	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1244 wrote to memory of 2516	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 1164 wrote to memory of 2636	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2636	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2636	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2652	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2652	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2652	1164	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 2708	1164	cmd.exe	wbadmin.exe
PID 1164 wrote to memory of 2708	1164	cmd.exe	wbadmin.exe
PID 1164 wrote to memory of 2708	1164	cmd.exe	wbadmin.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2812	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2928	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2928	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2928	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2928	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 1244 wrote to memory of 2984	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2984	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2984	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2984	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2864	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2864	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2864	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 2864	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 1244 wrote to memory of 3016	1244	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
"C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2636
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2652
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2708
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2656
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2748
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2780
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2812
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2888
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2516
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2812
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2928
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2984
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2864
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:3016
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1700
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1444
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1000
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2676
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2900
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe"
  2⤵
  - Deletes itself
  PID:2704
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 20
    3⤵
    - Runs ping.exe
    PID:3016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2756

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-80-0x0000000000000000-mapping.dmp

Download
memory/1164-55-0x0000000000000000-mapping.dmp

Download
memory/1244-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1444-79-0x0000000000000000-mapping.dmp

Download
memory/1700-78-0x0000000000000000-mapping.dmp

Download
memory/2508-56-0x0000000000000000-mapping.dmp

Download
memory/2516-66-0x0000000000000000-mapping.dmp

Download
memory/2636-67-0x0000000000000000-mapping.dmp

Download
memory/2652-68-0x0000000000000000-mapping.dmp

Download
memory/2656-57-0x0000000000000000-mapping.dmp

Download
memory/2676-81-0x0000000000000000-mapping.dmp

Download
memory/2704-86-0x0000000000000000-mapping.dmp

Download
memory/2708-69-0x0000000000000000-mapping.dmp

Download
memory/2748-58-0x0000000000000000-mapping.dmp

Download
memory/2780-59-0x0000000000000000-mapping.dmp

Download
memory/2812-61-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/2812-71-0x0000000000000000-mapping.dmp

Download
memory/2812-60-0x0000000000000000-mapping.dmp

Download
memory/2864-75-0x0000000000000000-mapping.dmp

Download
memory/2888-62-0x0000000000000000-mapping.dmp

Download
memory/2900-83-0x0000000000000000-mapping.dmp

Download
memory/2928-72-0x0000000000000000-mapping.dmp

Download
memory/2944-64-0x0000000000000000-mapping.dmp

Download
memory/2972-85-0x0000000000000000-mapping.dmp

Download
memory/2984-73-0x0000000000000000-mapping.dmp

Download
memory/2996-65-0x0000000000000000-mapping.dmp

Download
memory/3016-77-0x0000000000000000-mapping.dmp

Download
memory/3016-87-0x0000000000000000-mapping.dmp

Download