Analysis
-
max time kernel
173s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2022 14:37
Static task
static1
Behavioral task
behavioral1
Sample
0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe
Resource
win7-20220812-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe
-
Size
959KB
-
MD5
1c4bb14ba990b670d74489cbf7566333
-
SHA1
29835566ba50053ea892f7729bb9f63cea0d21ce
-
SHA256
0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1
-
SHA512
8e61c2179c95dd3459aa9b880ab93263eed9b5fe8b1d6f47fa7489cba8043cbf2aca1b58777020cf59f0f10c8632a1fe7cae1cedb7e11a2c2782bf484df1db3d
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdpF:Ujrc2So1Ff+B3k796v
Score
10/10
Malware Config
Extracted
Path
C:\odt\Restore-My-Files.txt
Ransom Note
LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR
https://decoding.at
Decryption ID: D220E497BF7948387C73D445F43CC1E6
URLs
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4816 bcdedit.exe 4700 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{D0202F97-7979-48E2-F34C-F370E2755A1C} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe\"" 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\windows\SysWOW64\D220E4.ico 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\program files\7-zip\lang\ar.txt 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\standardr_retail-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\projectpro2019r_prepidbypass-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\proplusr_trial-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\mondor_retail-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jre1.8.0_66\lib\javafx.properties 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\accessr_retail-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jre1.8.0_66\lib\psfontj2d.properties 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\standardmsdnr_retail-pl.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\msipc\sr-latn-rs\msipc.dll.mui 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpointr_retail-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\bibliography\author2xml.xsl 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\1033\msouc_f_col.hxk 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\access2019vl_mak_ae-ul-phn.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\proplus2019r_oem_perp4-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\professional2019r_grace-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\skypeforbusinessr_trial-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\jre\lib\javaws.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\mactsframe.png 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\office16\slerror.xml 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\publisherr_retail-ul-phn.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\lpklegal.txt 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\jre\lib\jfxswt.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\proplus2019xc2rvl_kms_clientc2r-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\visiostdxc2rvl_makc2r-ul-phn.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\disconnectping.gif 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\homebusinessr_retail-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\personal2019r_oem_perp-pl.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\bibliography\sort\author.xsl 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_cn.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-nodes.xml 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\addins\eduworks data streamer add-in\microsoftdatastreamerforexcel.vsto 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\visioproxc2rvl_makc2r-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\visiopror_retail2-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpointr_oem_perp-ul-phn.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpoint2019r_retail-ppd.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jre1.8.0_66\lib\plugin.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File created C:\program files\java\jdk1.8.0_66\jre\lib\jfr\Restore-My-Files.txt 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\proplus2019demor_bypasstrial180-ul-oob.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\licenses16\standard2019vl_kms_client_ae-ul.xrm-ms 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_cn.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_cn.jar 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\fre\startmenu_win7.wmv 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\microsoft office\root\office16\logoimages\powerpntlogo.scale-140.png 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe File opened for modification C:\program files\java\jdk1.8.0_66\jre\lib\accessibility.properties 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3532 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \Registry\Machine\Software\Classes\.lockbit 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\D220E4.ico" 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe Token: SeDebugPrivilege 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe Token: SeBackupPrivilege 1748 vssvc.exe Token: SeRestorePrivilege 1748 vssvc.exe Token: SeAuditPrivilege 1748 vssvc.exe Token: SeIncreaseQuotaPrivilege 4316 WMIC.exe Token: SeSecurityPrivilege 4316 WMIC.exe Token: SeTakeOwnershipPrivilege 4316 WMIC.exe Token: SeLoadDriverPrivilege 4316 WMIC.exe Token: SeSystemProfilePrivilege 4316 WMIC.exe Token: SeSystemtimePrivilege 4316 WMIC.exe Token: SeProfSingleProcessPrivilege 4316 WMIC.exe Token: SeIncBasePriorityPrivilege 4316 WMIC.exe Token: SeCreatePagefilePrivilege 4316 WMIC.exe Token: SeBackupPrivilege 4316 WMIC.exe Token: SeRestorePrivilege 4316 WMIC.exe Token: SeShutdownPrivilege 4316 WMIC.exe Token: SeDebugPrivilege 4316 WMIC.exe Token: SeSystemEnvironmentPrivilege 4316 WMIC.exe Token: SeRemoteShutdownPrivilege 4316 WMIC.exe Token: SeUndockPrivilege 4316 WMIC.exe Token: SeManageVolumePrivilege 4316 WMIC.exe Token: 33 4316 WMIC.exe Token: 34 4316 WMIC.exe Token: 35 4316 WMIC.exe Token: 36 4316 WMIC.exe Token: SeIncreaseQuotaPrivilege 4316 WMIC.exe Token: SeSecurityPrivilege 4316 WMIC.exe Token: SeTakeOwnershipPrivilege 4316 WMIC.exe Token: SeLoadDriverPrivilege 4316 WMIC.exe Token: SeSystemProfilePrivilege 4316 WMIC.exe Token: SeSystemtimePrivilege 4316 WMIC.exe Token: SeProfSingleProcessPrivilege 4316 WMIC.exe Token: SeIncBasePriorityPrivilege 4316 WMIC.exe Token: SeCreatePagefilePrivilege 4316 WMIC.exe Token: SeBackupPrivilege 4316 WMIC.exe Token: SeRestorePrivilege 4316 WMIC.exe Token: SeShutdownPrivilege 4316 WMIC.exe Token: SeDebugPrivilege 4316 WMIC.exe Token: SeSystemEnvironmentPrivilege 4316 WMIC.exe Token: SeRemoteShutdownPrivilege 4316 WMIC.exe Token: SeUndockPrivilege 4316 WMIC.exe Token: SeManageVolumePrivilege 4316 WMIC.exe Token: 33 4316 WMIC.exe Token: 34 4316 WMIC.exe Token: 35 4316 WMIC.exe Token: 36 4316 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 5028 wrote to memory of 3308 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 80 PID 5028 wrote to memory of 3308 5028 0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe 80 PID 3308 wrote to memory of 3532 3308 cmd.exe 82 PID 3308 wrote to memory of 3532 3308 cmd.exe 82 PID 3308 wrote to memory of 4316 3308 cmd.exe 86 PID 3308 wrote to memory of 4316 3308 cmd.exe 86 PID 3308 wrote to memory of 4816 3308 cmd.exe 87 PID 3308 wrote to memory of 4816 3308 cmd.exe 87 PID 3308 wrote to memory of 4700 3308 cmd.exe 88 PID 3308 wrote to memory of 4700 3308 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe"C:\Users\Admin\AppData\Local\Temp\0dcbc979c995eeec6e76fa87dfc301228d230101b9acecba53289c1c085eadb1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3532
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4816
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:4700
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748