Analysis
max time kernel: 144s
max time network: 131s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2023, 05:03
Static task: static1
Behavioral task: behavioral1
  Sample: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Resource: win10v2004-20230221-en
General
Target: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Size: 959KB
MD5: 1e9e399b7a31cc85062cb039bae72a44
SHA1: 3702b81069cbb9251be59f85d25c54b55443ae72
SHA256: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
SHA512: edf2c5cc11d564b40850e1741eec8477d90e55304d1bc08646c826f100877ae71057e8fbd4b1df164d67e891c826f30be1127d7d9a8dced09dafad7693031a9a
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796n
Malware Config
Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
URLs in the ransom note:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
3256 | bcdedit.exe
1240 | bcdedit.exe

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\users\admin\pictures\redomount.tiff | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
File renamed | C:\Users\Admin\Pictures\SaveConvertFrom.tif => C:\users\admin\pictures\saveconvertfrom.tif.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
File renamed | C:\Users\Admin\Pictures\RedoMount.tiff => C:\users\admin\pictures\redomount.tiff.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Deletes itself (1 IoCs)
pid | Process
3320 | cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\{18F5C893-A5A5-D946-503F-504D77C27140} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe\"" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\83F567.ico | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1E7A.tmp.bmp" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
pid | Process
1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe (the same pid/process pair is listed 21 times)
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
The Process column is 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe for every row below.
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0196142.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\so00820_.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\certificates\groove.net\components\signedcomponents.cer
File opened for modification | C:\program files (x86)\microsoft office\office14\outlookautodiscover\swbell.net.xml
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\babygirl\chapters-static.png
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\program files (x86)\microsoft office\media\office14\autoshap\bd18237_.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\onenote_f_col.hxk
File opened for modification | C:\program files\videolan\vlc\documentation.url
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\dd01163_.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\msaccess_col.hxc
File opened for modification | C:\program files (x86)\microsoft office\office14\pubwiz\dgborder.dpv
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\performance\notes_loop.wmv
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\ph02074u.bmp
File opened for modification | C:\program files (x86)\microsoft office\templates\1033\expensereport.xltx
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme43.css
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\performance\perf_scenes_subpicture1.png
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\ulaanbaatar
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse.inf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\an01044_.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0227419.jpg
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0304875.wmf
File opened for modification | C:\program files (x86)\microsoft office\document themes 14\concourse.thmx
File opened for modification | C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\visualbasic\1033\form.zip
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\it-it\picturepuzzle.html
File opened for modification | C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\engphon.env
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\dd01586_.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0239063.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\ipirmv.xml
File opened for modification | C:\program files (x86)\windows sidebar\es-es\sbdrop.dll.mui
File opened for modification | C:\program files\java\jre7\lib\deploy\splash.gif
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\desert\header.gif
File opened for modification | C:\program files\java\jre7\lib\zi\pacific\pitcairn
File opened for modification | C:\program files\windows sidebar\gadgets\rssfeeds.gadget\en-us\rssfeeds.html
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\mspub_k_col.hxk
File opened for modification | C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\visualbasic\1033\class.zip
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\gmt-13
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0151067.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\fd01196_.wmf
File opened for modification | C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\csharp\1033\resourceinternal.zip
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\memories\btn-next-static.png
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml
File opened for modification | C:\program files\microsoft games\multiplayer\checkers\fr-fr\chkrzm.exe.mui
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\ed00019_.wmf
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\gr8galry.gra
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\toolbmps\shared16x16images.jpg
File created | C:\program files (x86)\microsoft office\office14\pubba\Restore-My-Files.txt
File opened for modification | C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\csharp\1033\form.zip
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\thimphu
File opened for modification | C:\program files\java\jre7\lib\zi\pacific\kosrae
File opened for modification | C:\program files (x86)\microsoft office\media\office14\bullets\bd15058_.gif
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\springgreen\tab_on.gif
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\ja-jp\css\flyout.css
File opened for modification | C:\program files\java\jdk1.7.0_80\include\jdwptransport.h
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar
File opened for modification | C:\program files\microsoft games\multiplayer\backgammon\ja-jp\bckgres.dll.mui
File opened for modification | C:\program files\windows sidebar\gadgets\rssfeeds.gadget\es-es\rssfeeds.html
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0090089.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\setlang_f_col.hxk
File opened for modification | C:\program files (x86)\microsoft office\templates\1033\access\part\msgbox.accdt
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
544 | vssadmin.exe

Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\TileWallpaper = "0" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\83F567.ico" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Key created | \Registry\Machine\Software\Classes\.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
3388 | PING.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe (the same pid/process pair is listed 7 times)

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Token: SeDebugPrivilege | 1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Token: SeBackupPrivilege | 860 | vssvc.exe
Token: SeRestorePrivilege | 860 | vssvc.exe
Token: SeAuditPrivilege | 860 | vssvc.exe
The following 20 tokens are listed twice each for pid 2920, WMIC.exe (40 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1728 wrote to memory of 1508 | 1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe | 29 (listed 4 times)
PID 1508 wrote to memory of 544 | 1508 | cmd.exe | 31 (listed 3 times)
PID 1508 wrote to memory of 2920 | 1508 | cmd.exe | 34 (listed 3 times)
PID 1508 wrote to memory of 3256 | 1508 | cmd.exe | 36 (listed 3 times)
PID 1508 wrote to memory of 1240 | 1508 | cmd.exe | 37 (listed 3 times)
PID 1728 wrote to memory of 3320 | 1728 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe | 39 (listed 4 times)
PID 3320 wrote to memory of 3388 | 3320 | cmd.exe | 41 (listed 4 times)
PID 3320 wrote to memory of 1644 | 3320 | cmd.exe | 42 (listed 4 times)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
  PID: 1728
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      PID: 1508
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          PID: 544
          - Interacts with shadow copies
        C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          PID: 2920
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          PID: 3256
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} recoveryenabled no
          PID: 1240
          - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
      PID: 3320
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.7 -n 3
          PID: 3388
          - Runs ping.exe
        C:\Windows\SysWOW64\fsutil.exe
          Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
          PID: 1644
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 860
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 512B
MD5: 2aa97e4650e7aa9a540a7fadab3ea15e
SHA1: 4b26caf9e5c42542acad14e0b9f12b5dd8c0cd94
SHA256: 582fa8a8c49a7d4bf81cafb35971993da19c0256da054eafcf45604dddd86123
SHA512: 79bf939c39eb68d9a5f9a2c781a82a75a2537e64fe2adb80b2cbecd09989c986db4070e2011e9fc048dcac39c77bb8bcaaeba0d9c65e79340fe6ce5ccfd18170