Analysis
max time kernel: 149s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 09:21

Static task: static1
Behavioral task: behavioral1
  Sample: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe
  Resource: win10v2004-20220812-en
Behavioral task: behavioral3
  Sample: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral4
  Sample: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Resource: win10v2004-20220812-en
General
Target: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Size: 1.5MB
MD5: 48aa442a0670b65a82eee99c1ed1ac78
SHA1: 12117609b746257a6cdd2808dcb50c6af9c1810d
SHA256: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4
SHA512: f76db6e03154e7221f26b3329c434f00d775f99411ee9ec258652a0a7f52c90e0de9794d6754b5910cf169776ae87abf982cd778eb6f06b69fe5a11135e26e5c
SSDEEP: 24576:9bas1P80H8OziJNLCubRnkkBqKU3QMNrm1gPB7MjsjfoxKHHU4tsQkdZ:VlH8ucW9jhmyPBYjSzHHU4tshdZ
Malware Config
Extracted
Path: C:\odt\Restore-My-Files.txt
URLs:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid | process
  4244 | bcdedit.exe
  3772 | bcdedit.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2916 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{A7CC3953-6868-6B52-9741-975D7473584C} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe\"" | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Drops file in System32 directory (1 IoC)
Processes:
  description | ioc | process
  File created | C:\windows\SysWOW64\2DCCD8.ico | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
Processes:
  pid | process
  2244 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe (every recorded IoC is from this one process)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 2916 set thread context of 2244 | 2916 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  1480 | 2916 | WerFault.exe | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  3080 | vssadmin.exe
Modifies registry class (3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\2DCCD8.ico" | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Key created | \Registry\Machine\Software\Classes\.lockbit | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2244 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe (every recorded IoC is from this one process)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid | process
  2916 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes:
  pid | process | tokens
  2244 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe | SeTakeOwnershipPrivilege, SeDebugPrivilege
  2920 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2536 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens is recorded twice)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description | pid | process | target process
  PID 2916 wrote to memory of 2244 | 2916 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe (recorded 8 times)
  PID 2244 wrote to memory of 1468 | 2244 | f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe | cmd.exe (recorded twice)
  PID 1468 wrote to memory of 3080 | 1468 | cmd.exe | vssadmin.exe (recorded twice)
  PID 1468 wrote to memory of 2536 | 1468 | cmd.exe | WMIC.exe (recorded twice)
  PID 1468 wrote to memory of 4244 | 1468 | cmd.exe | bcdedit.exe (recorded twice)
  PID 1468 wrote to memory of 3772 | 1468 | cmd.exe | bcdedit.exe (recorded twice)
Processes
C:\Users\Admin\AppData\Local\Temp\f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 928
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2916 -ip 2916
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsf63D0.tmp\System.dll
  Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
memory/1468-139-0x0000000000000000-mapping.dmp
memory/2244-133-0x0000000000000000-mapping.dmp
memory/2244-134-0x0000000000401000-0x00000000004E1000-memory.dmp
  Filesize: 896KB
memory/2244-135-0x00000000004FA000-0x00000000004FB000-memory.dmp
  Filesize: 4KB
memory/2244-136-0x00000000004FA000-0x00000000004FB000-memory.dmp
  Filesize: 4KB
memory/2244-137-0x0000000000400000-0x00000000004FB000-memory.dmp
  Filesize: 1004KB
memory/2244-138-0x0000000000400000-0x00000000004FB000-memory.dmp
  Filesize: 1004KB
memory/2536-141-0x0000000000000000-mapping.dmp
memory/3080-140-0x0000000000000000-mapping.dmp
memory/3772-143-0x0000000000000000-mapping.dmp
memory/4244-142-0x0000000000000000-mapping.dmp