Analysis
max time kernel: 104s
max time network: 75s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2023, 05:03
Static task: static1
Behavioral task: behavioral1
  Sample: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Resource: win10v2004-20230221-en
General
Target: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Size: 959KB
MD5: 1e9e399b7a31cc85062cb039bae72a44
SHA1: 3702b81069cbb9251be59f85d25c54b55443ae72
SHA256: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
SHA512: edf2c5cc11d564b40850e1741eec8477d90e55304d1bc08646c826f100877ae71057e8fbd4b1df164d67e891c826f30be1127d7d9a8dced09dafad7693031a9a
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796n
Malware Config
Extracted from: C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Extracted from: C:\Users\Admin\Desktop\LockBit_Ransomware.hta
  https://decoding.at/
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
  https://decoding.at
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process | 5044 | 3796 | OfficeC2RClient.exe | 93
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid | Process
  2184 | bcdedit.exe
  1800 | bcdedit.exe
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\FormatRepair.raw => C:\users\admin\pictures\formatrepair.raw.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\MountUpdate.tif => C:\users\admin\pictures\mountupdate.tif.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\NewReset.png => C:\users\admin\pictures\newreset.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\SplitWait.png => C:\users\admin\pictures\splitwait.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\WaitResolve.png => C:\users\admin\pictures\waitresolve.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\MeasureRead.raw => C:\users\admin\pictures\measureread.raw.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\EditAdd.png => C:\users\admin\pictures\editadd.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\CompressWatch.raw => C:\users\admin\pictures\compresswatch.raw.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\ConvertFromUse.png => C:\users\admin\pictures\convertfromuse.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\InvokeExit.png => C:\users\admin\pictures\invokeexit.png.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\LimitReceive.raw => C:\users\admin\pictures\limitreceive.raw.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File renamed | C:\Users\Admin\Pictures\TestUndo.tif => C:\users\admin\pictures\testundo.tif.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18F5C893-A5A5-D946-503F-504D77C27140} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe\"" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\PPhuc5xwoefvem4rip0lkt1q59c.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP7rwkhm7yrk6zensdnsun9ifzd.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP0jojtzjk0o4hnyvvpn6tokvac.TMP | printfilterpipelinesvc.exe
  File created | C:\windows\SysWOW64\83F567.ico | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3F89.tmp.bmp" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  pid | Process
  4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe (17 identical entries)
Drops file in Program Files directory (64 IoCs)
  description | ioc (Process for all 64 entries: 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe)
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\version.txt
  File opened for modification | C:\program files\mozilla firefox\private_browsing.visualelementsmanifest.xml
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties
  File opened for modification | C:\program files\videolan\vlc\locale\fa\lc_messages\vlc.mo
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\da-dk\ui-strings.js
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\images\themeless\standards_poster.png
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\hu-hu\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\meta-inf\eclipse_.rsa
  File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\send2.16.white.png
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png
  File opened for modification | C:\program files\7-zip\lang\nn.txt
  File opened for modification | C:\program files\microsoft office\root\office16\msipc\ca\msipc.dll.mui
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\updater.jar
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\de-de\Restore-My-Files.txt
  File opened for modification | C:\program files\7-zip\lang\io.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\o365smallbuspremr_grace-ul-oob.xrm-ms
  File opened for modification | C:\program files\microsoft office\root\office16\addins\powerpivot excel add-in\cartridges\sybase.xsl
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\pages-app\js\nls\de-de\Restore-My-Files.txt
  File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\[email protected]
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\enu\viewer.aapp
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\task-handler\js\nls\fi-fi\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\program files\microsoft office\root\licenses16\visiopro2019msdnr_retail-ul-oob.xrm-ms
  File opened for modification | C:\program files\videolan\vlc\lua\playlist\cue.luac
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\svgcheckboxunselected.svg
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\css\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\program files\microsoft office\root\office16\pagesize\pgmn011.xml
  File opened for modification | C:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\en\spreadsheetcompare_k_col.hxk
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_illuemptyfolder_160.svg
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\sk-sk\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_cn.jar
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jre1.8.0_66\thirdpartylicensereadme.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\projectstdo365r_subtest-pl.xrm-ms
  File opened for modification | C:\program files\videolan\vlc\lua\http\dialogs\browse_window.html
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\js\nls\ko-kr\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\nb-no\ui-strings.js
  File opened for modification | C:\program files\microsoft office\root\licenses16\mondor_subscription-ul-oob.xrm-ms
  File opened for modification | C:\program files\microsoft office\root\office16\excel.visualelementsmanifest.xml
  File opened for modification | C:\program files\microsoft office\root\office16\logoimages\winwordlogo.contrast-black_scale-100.png
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\images\email\adc_logo.png
  File opened for modification | C:\program files\7-zip\lang\sv.txt
  File opened for modification | C:\program files\microsoft office\root\licenses16\client-issuance-bridge-office.xrm-ms
  File opened for modification | C:\program files\microsoft office\root\office16\msipc\zh-tw\msipc.dll.mui
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\back-arrow-down.svg
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js
  File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\Restore-My-Files.txt
  File created | C:\program files\java\jdk1.8.0_66\jre\lib\cmm\Restore-My-Files.txt
  File opened for modification | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar
  File opened for modification | C:\program files\microsoft office\root\licenses16\visioproxc2rvl_kms_clientc2r-ul.xrm-ms
  File created | C:\program files\microsoft office\root\office16\msipc\gl\Restore-My-Files.txt
  File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2116 | vssadmin.exe
Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\TileWallpaper = "0" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \Registry\Machine\Software\Classes\.lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\83F567.ico" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\83F567.ico" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\Lockbit | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\Lockbit\DefaultIcon | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\htafile\DefaultIcon | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\83F567.ico" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  836 | PING.EXE
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | Process
  4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe (60 identical entries)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Token: SeDebugPrivilege | 4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe
  Token: SeBackupPrivilege | 5108 | vssvc.exe
  Token: SeRestorePrivilege | 5108 | vssvc.exe
  Token: SeAuditPrivilege | 5108 | vssvc.exe
  The following 21 tokens each appear twice for pid 4360, WMIC.exe (42 entries):
  Token: SeIncreaseQuotaPrivilege | 4360 | WMIC.exe
  Token: SeSecurityPrivilege | 4360 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4360 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4360 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4360 | WMIC.exe
  Token: SeSystemtimePrivilege | 4360 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4360 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4360 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4360 | WMIC.exe
  Token: SeBackupPrivilege | 4360 | WMIC.exe
  Token: SeRestorePrivilege | 4360 | WMIC.exe
  Token: SeShutdownPrivilege | 4360 | WMIC.exe
  Token: SeDebugPrivilege | 4360 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4360 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4360 | WMIC.exe
  Token: SeUndockPrivilege | 4360 | WMIC.exe
  Token: SeManageVolumePrivilege | 4360 | WMIC.exe
  Token: 33 | 4360 | WMIC.exe
  Token: 34 | 4360 | WMIC.exe
  Token: 35 | 4360 | WMIC.exe
  Token: 36 | 4360 | WMIC.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5044 | OfficeC2RClient.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target (repeat count of the identical entry in brackets)
  PID 4252 wrote to memory of 1572 | 4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe | 81 [x2]
  PID 1572 wrote to memory of 2116 | 1572 | cmd.exe | 83 [x2]
  PID 1572 wrote to memory of 4360 | 1572 | cmd.exe | 86 [x2]
  PID 1572 wrote to memory of 2184 | 1572 | cmd.exe | 87 [x2]
  PID 1572 wrote to memory of 1800 | 1572 | cmd.exe | 88 [x2]
  PID 2172 wrote to memory of 3796 | 2172 | printfilterpipelinesvc.exe | 93 [x2]
  PID 3796 wrote to memory of 5044 | 3796 | ONENOTE.EXE | 94 [x2]
  PID 4252 wrote to memory of 3108 | 4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe | 95 [x3]
  PID 4252 wrote to memory of 1352 | 4252 | 2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe | 96 [x3]
  PID 1352 wrote to memory of 836 | 1352 | cmd.exe | 98 [x3]
  PID 1352 wrote to memory of 2248 | 1352 | cmd.exe | 100 [x3]
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process: C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe (PID 4252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    Process: C:\Windows\System32\cmd.exe (PID 1572)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
        Process: C:\Windows\system32\vssadmin.exe (PID 2116)
          Command line: vssadmin delete shadows /all /quiet
          Signatures:
          - Interacts with shadow copies
        Process: C:\Windows\System32\Wbem\WMIC.exe (PID 4360)
          Command line: wmic shadowcopy delete
          Signatures:
          - Suspicious use of AdjustPrivilegeToken
        Process: C:\Windows\system32\bcdedit.exe (PID 2184)
          Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          Signatures:
          - Modifies boot configuration data using bcdedit
        Process: C:\Windows\system32\bcdedit.exe (PID 1800)
          Command line: bcdedit /set {default} recoveryenabled no
          Signatures:
          - Modifies boot configuration data using bcdedit
    Process: C:\Windows\SysWOW64\mshta.exe (PID 3108)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Process: C:\Windows\SysWOW64\cmd.exe (PID 1352)
      Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
        Process: C:\Windows\SysWOW64\PING.EXE (PID 836)
          Command line: ping 127.0.0.7 -n 3
          Signatures:
          - Runs ping.exe
        Process: C:\Windows\SysWOW64\fsutil.exe (PID 2248)
          Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2023-02-23_1e9e399b7a31cc85062cb039bae72a44_lockbit.exe"
Process: C:\Windows\system32\vssvc.exe (PID 5108)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Process: C:\Windows\system32\svchost.exe (PID 1180)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Process: C:\Windows\system32\printfilterpipelinesvc.exe (PID 2172)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Child processes:
    Process: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 3796)
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{97B34CF0-C6BA-4A52-B208-81E75E33EC19}.xps" 133216058295290000
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
        Process: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (PID 5044)
          Command line: OfficeC2RClient.exe /error PID=3796 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
          Signatures:
          - Process spawned unexpected child process
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 512B
MD5: 9a7652fb9cd632e64a84015c1346ea81
SHA1: c1bfc22e7f04474a177b2cba4902a7bd83c9b210
SHA256: fb37ba2ffb91426305f7e48deb455ed4e07eee2eeff6b36d7bafd64cf8575e21
SHA512: 12bb9890ca14af6d0cffe03f84d44c352aee6b7d171863817bdd7cf37f3b6b9c6f17997f5b5429d2971890edd4b827a941cebce8c1542d2608922ed5519a8122

Filesize: 46KB
MD5: c15c6adc8c923ad87981f289025c37b2
SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83