Analysis

max time kernel: 124s
max time network: 112s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 13/02/2023, 05:20
Static task: static1

Behavioral task: behavioral1
  Sample: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  Resource: win10v2004-20221111-en
General

Target: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
Size: 959KB
MD5: e9cd8c321b68118611a0863b0b91b8f5
SHA1: dde3509b41639f4ae7383bcd7b1c17db88b667cf
SHA256: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78
SHA512: 35fd50ec73ac69aab6c98a1f107c418acaffd9c4c933133064776962520a94d54f796b59558d72ede581e78e405b55c22f7a40d0788244f6d274fe399facacf3
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Ujrc2So1Ff+B3k796W
Malware Config

Extracted
  Path: C:\program files\7-zip\Restore-My-Files.txt
  URLs:
    http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
    https://bigblog.at
    http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
    http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
    https://decoding.at
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid   Process
  1452  bcdedit.exe
  2520  bcdedit.exe

Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description                  ioc
  File renamed                 C:\Users\Admin\Pictures\PushTrace.tiff => C:\users\admin\pictures\pushtrace.tiff.lockbit
  File renamed                 C:\Users\Admin\Pictures\WaitHide.png => C:\users\admin\pictures\waithide.png.lockbit
  File renamed                 C:\Users\Admin\Pictures\JoinReset.tif => C:\users\admin\pictures\joinreset.tif.lockbit
  File opened for modification C:\users\admin\pictures\pushtrace.tiff

Deletes itself (1 IoCs)
  pid   Process
  3140  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description      ioc
  Key created      \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6E5E24E4-E8E8-78AC-0E52-0E6D43D0CFEE} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe\""

Drops file in System32 directory (2 IoCs)
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description   ioc
  File created  C:\windows\SysWOW64\FB5EDC.ico
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Process: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D9BD.tmp.bmp"

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  pid  Process
  956  2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe  (21 identical entries)

Drops file in Program Files directory (64 IoCs)
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description                  ioc
  File opened for modification C:\program files (x86)\microsoft office\office14\pagesize\pglbl109.xml
  File opened for modification C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\6.png
  File opened for modification C:\program files (x86)\microsoft analysis services\as oledb\10\cartridges\informix.xsl
  File opened for modification C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme02.css
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\graycheck.css
  File opened for modification C:\program files (x86)\microsoft office\media\office14\bullets\j0115865.gif
  File opened for modification C:\program files (x86)\microsoft office\stationery\1033\jungle.gif
  File opened for modification C:\program files\java\jre7\lib\zi\america\montevideo
  File opened for modification C:\program files\windows sidebar\gadgets\currency.gadget\en-us\js\library.js
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0241037.wmf
  File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme colors\apothecary.xml
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\toolbmps\messageattachmenticonimagesmask.bmp
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\view.js
  File created                 C:\program files (x86)\microsoft office\office14\onenote\Restore-My-Files.txt
  File opened for modification C:\program files\dvd maker\shared\dvdstyles\sports\sportsnotesbackground.wmv
  File opened for modification C:\program files\microsoft games\hearts\es-es\hearts.exe.mui
  File opened for modification C:\program files\windows sidebar\gadgets\cpu.gadget\es-es\gadget.xml
  File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\content-types.properties
  File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\creston
  File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme effects\pushpin.eftx
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\rtf_alignright.gif
  File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\marquee.poc
  File opened for modification C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\de-de\css\slideshow.css
  File opened for modification C:\program files (x86)\microsoft office\office14\msword.olb
  File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\pulqot98.poc
  File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\gmt-11
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0107492.wmf
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\na02092_.wmf
  File opened for modification C:\program files\windows sidebar\gadgets\rssfeeds.gadget\it-it\css\settings.css
  File opened for modification C:\program files\windows sidebar\gadgets\weather.gadget\ja-jp\js\localizedstrings.js
  File opened for modification C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\de-de\js\settings.js
  File opened for modification C:\program files\mozilla firefox\firefox.exe.sig
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\mp00132_.wmf
  File opened for modification C:\program files (x86)\microsoft office\media\cagcat10\j0149887.wmf
  File opened for modification C:\program files (x86)\microsoft office\office14\1033\xmlsdk5.chm
  File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\managua
  File opened for modification C:\program files\java\jdk1.7.0_80\jre\thirdpartylicensereadme.txt
  File opened for modification C:\program files\java\jre7\lib\zi\etc\gmt+6
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0313974.jpg
  File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd21305_.gif
  File opened for modification C:\program files (x86)\microsoft office\office14\forms\1033\postit.cfg
  File opened for modification C:\program files\dvd maker\shared\dvdstyles\specialoccasion\specialnavigationleft_selectionsubpicture.png
  File opened for modification C:\program files\dvd maker\shared\dvdstyles\sports\circlesubpicture.png
  File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\wb01299_.gif
  File opened for modification C:\program files (x86)\microsoft office\media\cagcat10\j0186002.wmf
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\slateblue.css
  File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-core-execution.xml
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0228959.wmf
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0285782.wmf
  File opened for modification C:\program files\microsoft games\solitaire\de-de\solitaire.exe.mui
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0292278.wmf
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\so02265_.wmf
  File opened for modification C:\program files (x86)\microsoft office\office14\groove\toolbmps\webtoolimagesmask16x16.bmp
  File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\wpulqt98.poc
  File opened for modification C:\program files\dvd maker\shared\dvdstyles\resizingpanels\navigationleft_selectionsubpicture.png
  File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-modules-options-keymap.xml
  File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar
  File opened for modification C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\calendar_single_orange.png
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0152882.wmf
  File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\so02025_.wmf
  File opened for modification C:\program files (x86)\microsoft office\media\office14\autoshap\bd18230_.wmf
  File opened for modification C:\program files (x86)\microsoft office\office14\convert\1033\delimr.fae
  File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2020  vssadmin.exe

Modifies Control Panel (2 IoCs)
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\TileWallpaper = "0"

Modifies registry class (3 IoCs)
  Process for all entries: 2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  description      ioc
  Key created      \Registry\Machine\Software\Classes\.lockbit
  Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico"

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  3856  PING.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  Process
  956  2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe  (6 identical entries)

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description                          pid   Process
  Token: SeTakeOwnershipPrivilege      956   2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  Token: SeDebugPrivilege              956   2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  Token: SeBackupPrivilege             1880  vssvc.exe
  Token: SeRestorePrivilege            1880  vssvc.exe
  Token: SeAuditPrivilege              1880  vssvc.exe
  The following 20 entries for pid 3032 (WMIC.exe) appear twice in sequence:
  Token: SeIncreaseQuotaPrivilege      3032  WMIC.exe
  Token: SeSecurityPrivilege           3032  WMIC.exe
  Token: SeTakeOwnershipPrivilege      3032  WMIC.exe
  Token: SeLoadDriverPrivilege         3032  WMIC.exe
  Token: SeSystemProfilePrivilege      3032  WMIC.exe
  Token: SeSystemtimePrivilege         3032  WMIC.exe
  Token: SeProfSingleProcessPrivilege  3032  WMIC.exe
  Token: SeIncBasePriorityPrivilege    3032  WMIC.exe
  Token: SeCreatePagefilePrivilege     3032  WMIC.exe
  Token: SeBackupPrivilege             3032  WMIC.exe
  Token: SeRestorePrivilege            3032  WMIC.exe
  Token: SeShutdownPrivilege           3032  WMIC.exe
  Token: SeDebugPrivilege              3032  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  3032  WMIC.exe
  Token: SeRemoteShutdownPrivilege     3032  WMIC.exe
  Token: SeUndockPrivilege             3032  WMIC.exe
  Token: SeManageVolumePrivilege       3032  WMIC.exe
  Token: 33                            3032  WMIC.exe
  Token: 34                            3032  WMIC.exe
  Token: 35                            3032  WMIC.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                    pid   Process                                                    procid_target
  PID 956 wrote to memory of 844   956   2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe  29  (4 identical entries)
  PID 844 wrote to memory of 2020  844   cmd.exe                                                    31  (3 identical entries)
  PID 844 wrote to memory of 3032  844   cmd.exe                                                    35  (3 identical entries)
  PID 844 wrote to memory of 1452  844   cmd.exe                                                    37  (3 identical entries)
  PID 844 wrote to memory of 2520  844   cmd.exe                                                    38  (3 identical entries)
  PID 956 wrote to memory of 3140  956   2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe  40  (4 identical entries)
  PID 3140 wrote to memory of 3856 3140  cmd.exe                                                    42  (4 identical entries)
  PID 3140 wrote to memory of 3560 3140  cmd.exe                                                    43  (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 956

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 844

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2020

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 3032

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 1452

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 2520

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 3140

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe
      PID: 3856

    C:\Windows\SysWOW64\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-12_e9cd8c321b68118611a0863b0b91b8f5_lockbit.exe"
      PID: 3560

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1880