Analysis
max time kernel: 56s
max time network: 55s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07/02/2023, 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe
  Resource: win10v2004-20221111-en
General
Target: 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe
Size: 1.8MB
MD5: 92429807c7d957566d1897d5bf7c6639
SHA1: d1dce09219c0df46742fa0eec6f7a6b72ca877f0
SHA256: 98900768d564c6962981edde2759889fdda11bb1113c851468e5c40ddafe1d4d
SHA512: 695335aa19928d59e13966a60c0bc7bb591382585234d2d23b892fd3b4be1937fe2c2faf16225e50971ef2b31c9d6ac8c8c6959e43705694b32c1f450bb08554
SSDEEP: 49152:rjrc2So1Ff+B3k79nfIVGQ41P9x9tHpYZYp+:rjrcSmQ9Njx9tHi5
Malware Config
Extracted
Path: C:\program files\7-zip\Restore-My-Files.txt
URLs:
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)

  | pid | Process |
  |---|---|
  | 780 | bcdedit.exe |
  | 1848 | bcdedit.exe |
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.

  | description | ioc | Process |
  |---|---|---|
  | File renamed | C:\Users\Admin\Pictures\MeasureRemove.crw => C:\users\admin\pictures\measureremove.crw.lockbit | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | File renamed | C:\Users\Admin\Pictures\UnlockRename.tif => C:\users\admin\pictures\unlockrename.tif.lockbit | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | File renamed | C:\Users\Admin\Pictures\ReceiveEnable.tif => C:\users\admin\pictures\receiveenable.tif.lockbit | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | File renamed | C:\Users\Admin\Pictures\UnregisterPublish.tif => C:\users\admin\pictures\unregisterpublish.tif.lockbit | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | File opened for modification | C:\users\admin\pictures\convertmerge.tiff | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | File renamed | C:\Users\Admin\Pictures\ConvertMerge.tiff => C:\users\admin\pictures\convertmerge.tiff.lockbit | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
- Adds Run key to start application (2 TTPs, 2 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4461224A-7171-AB9C-E118-E1E7D9586D2C} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe\"" | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
- Drops file in System32 directory (1 IoC)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
- Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)

  | pid | Process |
  |---|---|
  | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |

  The same entry is recorded 20 times.
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)

  | pid | pid_target | Process | procid_target |
  |---|---|---|---|
  | 1652 | 1108 | WerFault.exe | 27 |
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.

  | pid | Process |
  |---|---|
  | 1340 | vssadmin.exe |
- Suspicious behavior: EnumeratesProcesses (3 IoCs)

  | pid | Process |
  |---|---|
  | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |

  The same entry is recorded 3 times.
- Suspicious use of AdjustPrivilegeToken (45 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeTakeOwnershipPrivilege | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | Token: SeDebugPrivilege | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe |
  | Token: SeBackupPrivilege | 524 | vssvc.exe |
  | Token: SeRestorePrivilege | 524 | vssvc.exe |
  | Token: SeAuditPrivilege | 524 | vssvc.exe |
  | Token: SeIncreaseQuotaPrivilege | 240 | WMIC.exe |
  | Token: SeSecurityPrivilege | 240 | WMIC.exe |
  | Token: SeTakeOwnershipPrivilege | 240 | WMIC.exe |
  | Token: SeLoadDriverPrivilege | 240 | WMIC.exe |
  | Token: SeSystemProfilePrivilege | 240 | WMIC.exe |
  | Token: SeSystemtimePrivilege | 240 | WMIC.exe |
  | Token: SeProfSingleProcessPrivilege | 240 | WMIC.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | WMIC.exe |
  | Token: SeCreatePagefilePrivilege | 240 | WMIC.exe |
  | Token: SeBackupPrivilege | 240 | WMIC.exe |
  | Token: SeRestorePrivilege | 240 | WMIC.exe |
  | Token: SeShutdownPrivilege | 240 | WMIC.exe |
  | Token: SeDebugPrivilege | 240 | WMIC.exe |
  | Token: SeSystemEnvironmentPrivilege | 240 | WMIC.exe |
  | Token: SeRemoteShutdownPrivilege | 240 | WMIC.exe |
  | Token: SeUndockPrivilege | 240 | WMIC.exe |
  | Token: SeManageVolumePrivilege | 240 | WMIC.exe |
  | Token: 33 | 240 | WMIC.exe |
  | Token: 34 | 240 | WMIC.exe |
  | Token: 35 | 240 | WMIC.exe |

  The 20 WMIC.exe (pid 240) token entries are recorded twice in the report, giving 45 IoCs in total.
- Suspicious use of WriteProcessMemory (20 IoCs)

  | description | pid | Process | procid_target | times recorded |
  |---|---|---|---|---|
  | PID 1108 wrote to memory of 2008 | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe | 28 | 4 |
  | PID 2008 wrote to memory of 1340 | 2008 | cmd.exe | 30 | 3 |
  | PID 2008 wrote to memory of 240 | 2008 | cmd.exe | 33 | 3 |
  | PID 2008 wrote to memory of 780 | 2008 | cmd.exe | 35 | 3 |
  | PID 2008 wrote to memory of 1848 | 2008 | cmd.exe | 36 | 3 |
  | PID 1108 wrote to memory of 1652 | 1108 | 2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe | 38 | 4 |
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-06_92429807c7d957566d1897d5bf7c6639_lockbit.exe"
  PID: 1108
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    PID: 2008
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 1340
      - Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 240
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 780
      - Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      PID: 1848
      - Modifies boot configuration data using bcdedit
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 106184
    PID: 1652
    - Program crash
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 524
  - Suspicious use of AdjustPrivilegeToken