Analysis
max time kernel: 146s
max time network: 83s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2023, 09:00
Static task: static1
Behavioral task: behavioral1
Sample: 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
Resource: win7-20221111-en
General
Target: 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
Size: 1.5MB
MD5: fe5101b50e92a923d74cc6f0f4225539
SHA1: f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec
SHA256: 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10
SHA512: bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee
SSDEEP: 24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU
Malware Config
Extracted from: C:\program files\7-zip\Restore-My-Files.txt
URLs:
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at
Signatures
(In the IoC rows below, "sample" denotes 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe.)

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
- pid 2108, process bcdedit.exe
- pid 2120, process bcdedit.exe

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
- File opened for modification: C:\users\admin\pictures\convertmerge.tiff (process: sample)
- File renamed: C:\Users\Admin\Pictures\ConvertMerge.tiff => C:\users\admin\pictures\convertmerge.tiff.lockbit (process: sample)
- File renamed: C:\Users\Admin\Pictures\MeasureRemove.crw => C:\users\admin\pictures\measureremove.crw.lockbit (process: sample)
- File renamed: C:\Users\Admin\Pictures\UnregisterPublish.tif => C:\users\admin\pictures\unregisterpublish.tif.lockbit (process: sample)
- File renamed: C:\Users\Admin\Pictures\UnlockRename.tif => C:\users\admin\pictures\unlockrename.tif.lockbit (process: sample)
- File renamed: C:\Users\Admin\Pictures\ReceiveEnable.tif => C:\users\admin\pictures\receiveenable.tif.lockbit (process: sample)

Loads dropped DLL (1 IoCs)
- pid 2040, process: sample

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: sample)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3CF25EED-8383-EBDC-B35F-B320ACC5E097} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe\"" (process: sample)

Drops file in System32 directory (1 IoCs)
- File created: C:\windows\SysWOW64\8DF287.ico (process: sample)

Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
Suspicious use of SetThreadContext (1 IoCs)
- PID 2040 set thread context of PID 936 (process: sample, procid_target 28)

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
- pid 900, pid_target 2040, process WerFault.exe, procid_target 27
- pid 2568, pid_target 936, process WerFault.exe, procid_target 28

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- pid 2152, process vssadmin.exe

Modifies registry class (3 IoCs)
- Key created: \Registry\Machine\Software\Classes\.lockbit (process: sample)
- Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon (process: sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\8DF287.ico" (process: sample)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 936, process: sample
- pid 936, process: sample

Suspicious behavior: MapViewOfSection (1 IoCs)
- pid 2040, process: sample

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Suspicious use of WriteProcessMemory (33 IoCs)
Processes
(Nesting shows parent/child relationships; the depth markers of the original report have been converted to indentation.)

- C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe"
  PID: 2040
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10.exe
    PID: 936
    Signatures: Modifies extensions of user files; Adds Run key to start application; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      PID: 2100
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 2152
        Signatures: Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 752
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 2108
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        PID: 2120
        Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1712
      PID: 2568
      Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 480
    PID: 900
    Signatures: Program crash
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2212
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2400
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc8
  PID: 2664
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Restore-My-Files.txt
  PID: 236
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 512B
MD5: 652ce061d8c7011015003b458470dd94
SHA1: 353640c65c9d98061d3b56076b41db2331b88ec6
SHA256: d89af9270fe1a128b0379b82286ee95a5dbfdc96c3850626c537a7e40bfa3b7a
SHA512: 3c1f72d95424773024b1e7e574e03c507f3776c715721f335dd574092e3c1705a210619b2ce6f6efd66399808b319fb9b1b3fd555fea96b64781c4ed27bfcc56

Filesize: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88