Analysis
max time kernel: 82s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2023, 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Resource: win10v2004-20220812-en
General
Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Size: 150KB
MD5: 5761ee98b1c2fea31b5408516a8929ea
SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
SHA512: 9dbf296719bc130bc700db94fd43985c32cb9de3b1867ed7c8666b62e4b9d0826b6df03cb125644c9338118d9caf679bfa1eb55da39f46b94db023bdcd9ff338
SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/
Malware Config
Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB018B46E6CF6EE99F96
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid 1080, Process bcdedit.exe
pid 1916, Process bcdedit.exe
Deletes backup catalog (1 IoCs)
pid 1884, Process wbadmin.exe
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\ReadJoin.tiff | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | C:\Users\Admin\Pictures\ReadJoin.tiff => C:\Users\Admin\Pictures\ReadJoin.tiff.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | => C:\Users\Admin\Pictures\SplitPush.png.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File opened for modification | C:\Users\Admin\Pictures\TraceExit.tiff | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File opened for modification | C:\Users\Admin\Pictures\EditTest.tiff | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | => C:\Users\Admin\Pictures\EditTest.tiff.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | C:\Users\Admin\Pictures\MeasureRestart.crw => C:\Users\Admin\Pictures\MeasureRestart.crw.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | C:\Users\Admin\Pictures\OutStop.tif => C:\Users\Admin\Pictures\OutStop.tif.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | C:\Users\Admin\Pictures\RegisterDisable.crw => C:\Users\Admin\Pictures\RegisterDisable.crw.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
File renamed | C:\Users\Admin\Pictures\TraceExit.tiff => C:\Users\Admin\Pictures\TraceExit.tiff.lockbit | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe\"" | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9A3E.tmp.bmp" | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid 2040, Process 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (every listed IoC is this same pid/process entry)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
pid 2944, pid_target 2040, Process WerFault.exe, procid_target 27
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 676, Process vssadmin.exe
Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\WallpaperStyle = "2" | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\TileWallpaper = "0" | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid 2964, Process PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid 2040, Process 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Token(s) | pid | Process
SeTakeOwnershipPrivilege, SeDebugPrivilege | 2040 | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 664 | vssvc.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set is reported twice) | 1196 | WMIC.exe
SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege | 1676 | wbengine.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target (times reported)
PID 2040 wrote to memory of 1512 | 2040 | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe | 29 (x4)
PID 1512 wrote to memory of 676 | 1512 | cmd.exe | 31 (x3)
PID 1512 wrote to memory of 1196 | 1512 | cmd.exe | 34 (x3)
PID 1512 wrote to memory of 1080 | 1512 | cmd.exe | 36 (x3)
PID 1512 wrote to memory of 1916 | 1512 | cmd.exe | 37 (x3)
PID 1512 wrote to memory of 1884 | 1512 | cmd.exe | 38 (x3)
PID 2040 wrote to memory of 2916 | 2040 | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe | 43 (x4)
PID 2040 wrote to memory of 2944 | 2040 | 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe | 45 (x4)
PID 2916 wrote to memory of 2964 | 2916 | cmd.exe | 46 (x4)
PID 2916 wrote to memory of 3020 | 2916 | cmd.exe | 47 (x4)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2040
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        - Suspicious use of WriteProcessMemory
        PID: 1512
        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID: 676
        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 1196
        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID: 1080
        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
            PID: 1916
        [3] C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
            PID: 1884
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2916
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.7 -n 3
            - Runs ping.exe
            PID: 2964
        [3] C:\Windows\SysWOW64\fsutil.exe
            Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
            PID: 3020
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1084
        - Program crash
        PID: 2944
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 664
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 1676
[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 852
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 1632