Analysis
max time kernel: 109s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/02/2023, 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: sample2.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: sample2.exe
  Resource: win10v2004-20230220-en
General
Target: sample2.exe
Size: 959KB
MD5: 41687e58130c8bdca248e1403e565afb
SHA1: 6eda5da62e5073a67ff89dd89b85328dd2df73d1
SHA256: fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69
SHA512: 6cd670e5f14a8d6fa1b5894a89cfe514d403f3f8dc82be9c83f86345be72d218844cd3f8c1c045deae6a292796d6d280efe49c8de724abda038c522407a14cde
SSDEEP: 24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process | 2092 | 3124 | OfficeC2RClient.exe | 99

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
2624 | bcdedit.exe
4204 | bcdedit.exe
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ConvertEnter.png => C:\users\admin\pictures\convertenter.png.lockbit | sample2.exe
File renamed | C:\Users\Admin\Pictures\RedoConnect.raw => C:\users\admin\pictures\redoconnect.raw.lockbit | sample2.exe
File renamed | C:\Users\Admin\Pictures\PushWatch.tiff => C:\users\admin\pictures\pushwatch.tiff.lockbit | sample2.exe
File opened for modification | C:\users\admin\pictures\lockwatch.tiff | sample2.exe
File opened for modification | C:\users\admin\pictures\pushwatch.tiff | sample2.exe
File renamed | C:\Users\Admin\Pictures\AssertHide.png => C:\users\admin\pictures\asserthide.png.lockbit | sample2.exe
File renamed | C:\Users\Admin\Pictures\LockWatch.tiff => C:\users\admin\pictures\lockwatch.tiff.lockbit | sample2.exe
File renamed | C:\Users\Admin\Pictures\SwitchBlock.png => C:\users\admin\pictures\switchblock.png.lockbit | sample2.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | sample2.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" | sample2.exe
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sample2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6E5E24E4-E8E8-78AC-0E52-0E6D43D0CFEE} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample2.exe\"" | sample2.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | sample2.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | sample2.exe
File created | C:\Windows\system32\spool\PRINTERS\PPwawi0307hvj4z7kkf90njiv3b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP6vlbvkh0mw2dyp8vf04s0jocd.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP33pfu4mpi3nbl6s7oyt5711ac.TMP | printfilterpipelinesvc.exe
File created | C:\windows\SysWOW64\FB5EDC.ico | sample2.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AAC7.tmp.bmp" | sample2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid | Process
4052 | sample2.exe (17 events)
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\program files\microsoft office\root\office16\addins\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\enu\redact_r_rhp.aapp | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\spectrum_spinner_process.svg | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\images\illustrations_retina.png | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js | sample2.exe
File created | C:\program files\microsoft office\root\document themes 16\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\logoimages\winwordlogo.scale-180.png | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\organize.svg | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\nls\en-gb\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\logoimages\onenotelogosmall.contrast-black_scale-80.png | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\msppt.olb | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\tracker\stop_collection_data.gif | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\images\example_icons2x.png | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\it-it\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\config\modules\org-netbeans-core-multiview.xml | sample2.exe
File opened for modification | C:\program files\microsoft office\root\licenses16\mondor_trial-pl.xrm-ms | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\pagesize\pglbl109.xml | sample2.exe
File opened for modification | C:\program files\microsoft office\root\templates\1033\originresume.dotx | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\checkers.api | sample2.exe
File created | C:\program files\java\jre1.8.0_66\lib\ext\Restore-My-Files.txt | sample2.exe
File created | C:\program files\videolan\vlc\locale\de\lc_messages\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar | sample2.exe
File opened for modification | C:\program files\videolan\vlc\locale\ast\lc_messages\vlc.mo | sample2.exe
File opened for modification | C:\program files\videolan\vlc\locale\sl\lc_messages\vlc.mo | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\js\nls\nl-nl\Restore-My-Files.txt | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\sv-se\Restore-My-Files.txt | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\ja-jp\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\playstore\hu_get.svg | sample2.exe
File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar | sample2.exe
File opened for modification | C:\program files\microsoft office\root\licenses16\projectpror_grace-ul-oob.xrm-ms | sample2.exe
File opened for modification | C:\program files\videolan\vlc\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_illuemptyfolder_160.svg | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-files\js\nls\es-es\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_unselected_18.svg | sample2.exe
File opened for modification | C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_cn.jar | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\zh-tw\Restore-My-Files.txt | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\da-dk\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\microsoft office\root\licenses16\mondor_retail-ul-phn.xrm-ms | sample2.exe
File opened for modification | C:\program files\microsoft office\root\licenses16\onenoter_oem_perp-ul-phn.xrm-ms | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\editpdf\js\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\ko-kr\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\images\s_close2x.png | sample2.exe
File created | C:\program files\videolan\vlc\locale\fur\lc_messages\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\reviews\js\selector.js | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png | sample2.exe
File opened for modification | C:\program files\microsoft office\root\templates\1033\timelessresume.dotx | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\pages-app\images\example_icons.png | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js | sample2.exe
File created | C:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\Restore-My-Files.txt | sample2.exe
File created | C:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000018\cardview\lib\native-common\assets\[email protected] | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000018\cardview\lib\native-common\assets\cardview-flag.png | sample2.exe
File opened for modification | C:\program files\videolan\vlc\lua\playlist\youtube.luac | sample2.exe
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\Restore-My-Files.txt | sample2.exe
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif | sample2.exe
File opened for modification | C:\program files\microsoft office\root\licenses16\homestudentvnextr_retail-pl.xrm-ms | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\samples\solvsamp.xls | sample2.exe
File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\[email protected] | sample2.exe
File opened for modification | C:\program files\microsoft office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat | sample2.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
232 | vssadmin.exe

Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\TileWallpaper = "0" | sample2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallpaperStyle = "2" | sample2.exe

Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" | sample2.exe
Key created | \Registry\Machine\Software\Classes\.lockbit | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" | sample2.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell | sample2.exe
Key created | \Registry\Machine\Software\Classes\htafile\DefaultIcon | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | sample2.exe
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | sample2.exe
Key created | \Registry\Machine\Software\Classes\Lockbit | sample2.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\DefaultIcon | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | sample2.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open | sample2.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command | sample2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" | sample2.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
4064 | PING.EXE
Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid | Process
4052 | sample2.exe (54 events)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4052 | sample2.exe
Token: SeDebugPrivilege | 4052 | sample2.exe
Token: SeBackupPrivilege | 2744 | vssvc.exe
Token: SeRestorePrivilege | 2744 | vssvc.exe
Token: SeAuditPrivilege | 2744 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2892 | WMIC.exe (2 events)
Token: SeSecurityPrivilege | 2892 | WMIC.exe (2 events)
Token: SeTakeOwnershipPrivilege | 2892 | WMIC.exe (2 events)
Token: SeLoadDriverPrivilege | 2892 | WMIC.exe (2 events)
Token: SeSystemProfilePrivilege | 2892 | WMIC.exe (2 events)
Token: SeSystemtimePrivilege | 2892 | WMIC.exe (2 events)
Token: SeProfSingleProcessPrivilege | 2892 | WMIC.exe (2 events)
Token: SeIncBasePriorityPrivilege | 2892 | WMIC.exe (2 events)
Token: SeCreatePagefilePrivilege | 2892 | WMIC.exe (2 events)
Token: SeBackupPrivilege | 2892 | WMIC.exe (2 events)
Token: SeRestorePrivilege | 2892 | WMIC.exe (2 events)
Token: SeShutdownPrivilege | 2892 | WMIC.exe (2 events)
Token: SeDebugPrivilege | 2892 | WMIC.exe (2 events)
Token: SeSystemEnvironmentPrivilege | 2892 | WMIC.exe (2 events)
Token: SeRemoteShutdownPrivilege | 2892 | WMIC.exe (2 events)
Token: SeUndockPrivilege | 2892 | WMIC.exe (2 events)
Token: SeManageVolumePrivilege | 2892 | WMIC.exe (2 events)
Token: 33 | 2892 | WMIC.exe (2 events)
Token: 34 | 2892 | WMIC.exe (2 events)
Token: 35 | 2892 | WMIC.exe (2 events)
Token: 36 | 2892 | WMIC.exe (2 events)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2092 | OfficeC2RClient.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 4052 wrote to memory of 1484 | 4052 | sample2.exe | 86 (2 events)
PID 1484 wrote to memory of 232 | 1484 | cmd.exe | 88 (2 events)
PID 1484 wrote to memory of 2892 | 1484 | cmd.exe | 91 (2 events)
PID 1484 wrote to memory of 2624 | 1484 | cmd.exe | 92 (2 events)
PID 1484 wrote to memory of 4204 | 1484 | cmd.exe | 93 (2 events)
PID 1616 wrote to memory of 3124 | 1616 | printfilterpipelinesvc.exe | 99 (2 events)
PID 3124 wrote to memory of 2092 | 3124 | ONENOTE.EXE | 100 (2 events)
PID 4052 wrote to memory of 4952 | 4052 | sample2.exe | 101 (3 events)
PID 4052 wrote to memory of 1996 | 4052 | sample2.exe | 102 (3 events)
PID 1996 wrote to memory of 4064 | 1996 | cmd.exe | 105 (3 events)
PID 1996 wrote to memory of 1652 | 1996 | cmd.exe | 106 (3 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\sample2.exe
  "C:\Users\Admin\AppData\Local\Temp\sample2.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID:1484

    C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:232

    C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID:2892

    C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:2624

    C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:4204

  C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:4952

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\sample2.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\sample2.exe"
    - Suspicious use of WriteProcessMemory
    PID:1996

    C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.7 -n 3
      - Runs ping.exe
      PID:4064

    C:\Windows\SysWOW64\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\sample2.exe"
      PID:1652

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID:5432

C:\Windows\system32\printfilterpipelinesvc.exe
  C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1616

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8BAFDD32-2382-4A27-9440-9017B83D706B}.xps" 133217720318960000
    - Suspicious use of WriteProcessMemory
    PID:3124

    C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
      OfficeC2RClient.exe /error PID=3124 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
      - Process spawned unexpected child process
      - Suspicious use of SetWindowsHookEx
      PID:2092
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 512B
MD5: 8541995d758927a0797917c1d3a5b63e
SHA1: f8166c37ddc1996942e92d307a36ca7dccc305cf
SHA256: 5b2432bfefe281759d95274e3a7059f85ab445cae19c22990d1b0dca82ae7f73
SHA512: 44411a1c57db960ec4e06604e68a0b1ce36b0f1750018b47259844be0685836a39460b4c8ea50673f7204f433c9bbc8fd8415f0b86bbfb950b153da5d7a7c2c4

Filesize: 46KB
MD5: c15c6adc8c923ad87981f289025c37b2
SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83