Analysis
max time kernel: 84s
max time network: 94s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2023, 07:41
Static task: static1
Behavioral task: behavioral1
Sample: 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Resource: win7-20230220-en
General
Target: 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Size: 512KB
MD5: 58b1064c6417659bdd71dd9047cd0443
SHA1: df06d4fd095b0f2d80141db2716e3fc673c8ff98
SHA256: c54b5dc58fa48c51cb899eb0a50af02514f9d2c37526b1808e797b9017a0e6f9
SHA512: c28300bcf2cdb048cef3796cb2a6d9c8c484f623ced1ddec232c3b20217a3532355ce6ca1ec607064355fdfef72c467ca8bf53458e1b7973c4c67b641af6bacd
SSDEEP: 12288:IyPQxK0GtV6Yc2rzgfur479pAZDATfzmRf9mC6H:LQk/tQz2HWFNTfzqfoh
Malware Config
Extracted
Path: C:\Program Files\Java\jdk1.7.0_80\db\bin\Restore-My-Files.txt
URLs:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
The two bcdedit calls shown in the process tree suppress the automatic-repair prompt after a failed boot (bootstatuspolicy ignoreallfailures) and turn off the Windows Recovery Environment for the default boot entry (recoveryenabled no), so the victim cannot roll back from a recovery boot.
pid | Process
2100 | bcdedit.exe
224 | bcdedit.exe
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
All rows are attributed to process 6a98b2b6e37c7c92368548e902e9a139_modified.exe.
description | ioc
File renamed | C:\Users\Admin\Pictures\AddUninstall.raw => C:\users\admin\pictures\adduninstall.raw.lockbit
File renamed | C:\Users\Admin\Pictures\GetAssert.tif => C:\users\admin\pictures\getassert.tif.lockbit
File renamed | C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\users\admin\pictures\unregistercomplete.tiff.lockbit
File renamed | C:\Users\Admin\Pictures\MeasureGrant.raw => C:\users\admin\pictures\measuregrant.raw.lockbit
File renamed | C:\Users\Admin\Pictures\RestoreExit.tiff => C:\users\admin\pictures\restoreexit.tiff.lockbit
File renamed | C:\Users\Admin\Pictures\UnprotectClose.raw => C:\users\admin\pictures\unprotectclose.raw.lockbit
File opened for modification | C:\users\admin\pictures\confirmread.tiff
File opened for modification | C:\users\admin\pictures\restoreexit.tiff
File opened for modification | C:\users\admin\pictures\unregistercomplete.tiff
File renamed | C:\Users\Admin\Pictures\ApproveNew.png => C:\users\admin\pictures\approvenew.png.lockbit
File renamed | C:\Users\Admin\Pictures\ConfirmRead.tiff => C:\users\admin\pictures\confirmread.tiff.lockbit
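The rename pattern above (original name kept, ".lockbit" appended, path lower-cased) is the kind of thing a file-telemetry detection can key on. The following is an added example, not code from the report or from the sample: it turns the report's rename rows into events and flags a process that appends one new extension to many files within a short window. The event tuple layout, the timestamps, the explorer.exe control events and the thresholds are assumptions; a real feed (Sysmon, EDR file telemetry) needs its own parser in front of this.

```python
"""Extension-change burst detection over file-rename telemetry.

Added example, not code from the sandbox report or the sample. The event
layout, timestamps, explorer.exe control events and thresholds are assumed.
"""
import ntpath
from collections import defaultdict

SAMPLE = "6a98b2b6e37c7c92368548e902e9a139_modified.exe"

# Constructed events: (timestamp_s, pid, process, old_path, new_path).
# Paths and PID 1760 are from the report; timestamps are assumed.
RENAME_EVENTS = [
    (0.00, 1760, SAMPLE, r"C:\Users\Admin\Pictures\AddUninstall.raw",
     r"C:\users\admin\pictures\adduninstall.raw.lockbit"),
    (0.01, 1760, SAMPLE, r"C:\Users\Admin\Pictures\GetAssert.tif",
     r"C:\users\admin\pictures\getassert.tif.lockbit"),
    (0.02, 1760, SAMPLE, r"C:\Users\Admin\Pictures\UnregisterComplete.tiff",
     r"C:\users\admin\pictures\unregistercomplete.tiff.lockbit"),
    (0.03, 1760, SAMPLE, r"C:\Users\Admin\Pictures\MeasureGrant.raw",
     r"C:\users\admin\pictures\measuregrant.raw.lockbit"),
    (0.04, 1760, SAMPLE, r"C:\Users\Admin\Pictures\RestoreExit.tiff",
     r"C:\users\admin\pictures\restoreexit.tiff.lockbit"),
    (0.05, 1760, SAMPLE, r"C:\Users\Admin\Pictures\UnprotectClose.raw",
     r"C:\users\admin\pictures\unprotectclose.raw.lockbit"),
    (0.06, 1760, SAMPLE, r"C:\Users\Admin\Pictures\ApproveNew.png",
     r"C:\users\admin\pictures\approvenew.png.lockbit"),
    (0.07, 1760, SAMPLE, r"C:\Users\Admin\Pictures\ConfirmRead.tiff",
     r"C:\users\admin\pictures\confirmread.tiff.lockbit"),
    # Constructed benign control: a user renaming files through Explorer.
    (1.00, 2412, "explorer.exe", r"C:\Users\Admin\Documents\draft.docx",
     r"C:\Users\Admin\Documents\final.docx"),
    (2.00, 2412, "explorer.exe", r"C:\Users\Admin\Documents\notes.txt",
     r"C:\Users\Admin\Documents\notes.bak"),
]


def appended_extension(old_path, new_path):
    """Return the suffix a rename appended to the original file name, else None.

    Ransomware typically keeps the original name and tacks its own extension
    on the end (here ".lockbit"); an ordinary rename replaces the name or the
    extension instead. Comparison is case-insensitive because the report shows
    the new path lower-cased.
    """
    old_name = ntpath.basename(old_path).lower()
    new_name = ntpath.basename(new_path).lower()
    if new_name.startswith(old_name + ".") and len(new_name) > len(old_name) + 1:
        return new_name[len(old_name):]
    return None


def detect_rename_bursts(events, min_count=5, window_s=10.0):
    """Flag processes that appended the same extension to at least min_count
    files within window_s seconds. Returns one dict per (pid, process, ext)."""
    stamps_by_key = defaultdict(list)
    for ts, pid, process, old_path, new_path in events:
        ext = appended_extension(old_path, new_path)
        if ext:
            stamps_by_key[(pid, process, ext)].append(ts)

    hits = []
    for (pid, process, ext), stamps in stamps_by_key.items():
        stamps.sort()
        # Sliding window: any min_count consecutive renames inside window_s.
        for i in range(len(stamps) - min_count + 1):
            if stamps[i + min_count - 1] - stamps[i] <= window_s:
                hits.append({"pid": pid, "process": process,
                             "extension": ext, "renames": len(stamps)})
                break
    return hits


if __name__ == "__main__":
    for hit in detect_rename_bursts(RENAME_EVENTS):
        print(f"pid {hit['pid']} ({hit['process']}) appended {hit['extension']} "
              f"to {hit['renames']} files")
```

On the report's rows this yields one hit: pid 1760 appending ".lockbit" to 8 files; the Explorer renames never produce an appended suffix and are ignored. The threshold and window are starting points: backup agents and archivers that write "name.ext.bak"-style files will trip the suffix rule, so allow-list those processes rather than loosening the rule.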
Adds Run key to start application (2 TTPs, 2 IoCs)
The HKCU Run value is named with a GUID and points back at the sample in the user's Temp directory, so the ransomware is started again at that user's next logon.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B86730D8-2222-CFA4-089E-08ED1790086A} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a98b2b6e37c7c92368548e902e9a139_modified.exe\"" | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
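A responder triaging this Run value would decode the escaped data the report prints, recover the target path, and apply two quick checks: is the value name a bare GUID instead of a product name, and does the target live in a user-writable staging directory. The following is an added example, not code from the report or the sample; the benign OneDrive control entry, the staging-directory list and the GUID heuristic are assumptions.

```python
"""Triage of a Run-key persistence entry.

Added example, not code from the report or the sample. The OneDrive control
entry, STAGING_DIRS and the GUID-name heuristic are assumptions.
"""
import re

REPORT_VALUE_NAME = "{B86730D8-2222-CFA4-089E-08ED1790086A}"
# Data exactly as the report renders it: an outer pair of quotes around a
# C-style escaped string whose real content is a quoted executable path.
REPORT_VALUE_DATA = r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a98b2b6e37c7c92368548e902e9a139_modified.exe\""'

GUID_NAME = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Directories a user can write to without admin rights and that legitimate
# autostart entries rarely point at (assumed list; tune for your estate).
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)


def unescape_report_value(literal):
    """Turn the report's escaped rendering back into the raw REG_SZ data."""
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        literal = literal[1:-1]
    # Every backslash escapes the character after it (\" -> ", \\ -> \).
    return re.sub(r"\\(.)", r"\1", literal)


def executable_from_command(command):
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_value(name, data, escaped=True):
    """Return the decoded target plus the reasons, if any, to treat it as suspicious."""
    command = unescape_report_value(data) if escaped else data
    exe = executable_from_command(command)
    lowered = exe.lower()
    reasons = []
    if GUID_NAME.match(name):
        reasons.append("value name is a bare GUID rather than a product name")
    if any(d in lowered for d in STAGING_DIRS):
        reasons.append("target executable sits in a user-writable staging directory")
    return {"name": name, "executable": exe,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    entries = (
        (REPORT_VALUE_NAME, REPORT_VALUE_DATA, True),
        # Constructed benign control entry (not from the report).
        ("OneDrive",
         r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
         False),
    )
    for entry in entries:
        print(assess_run_value(*entry))
```

For the report's entry both checks fire; the OneDrive control passes because neither heuristic matches, which is the point of keeping STAGING_DIRS narrow (AppData\Local as a whole would flag plenty of legitimate per-user installers).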
Drops file in System32 directory (1 IoC)
This icon is the one registered as the DefaultIcon for the .lockbit file class (see Modifies registry class below).
description | ioc | Process
File created | C:\windows\SysWOW64\D167D5.ico | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger, so repeated use is an anti-analysis measure.
pid | Process
1760 | 6a98b2b6e37c7c92368548e902e9a139_modified.exe (20 identical rows)
Drops file in Program Files directory (64 IoCs)
All rows are attributed to process 6a98b2b6e37c7c92368548e902e9a139_modified.exe.
description | ioc
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\so00911_.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir21f.gif
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\de-de\css\settings.css
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_cn.jar
File opened for modification | C:\program files\windows sidebar\gadgets\cpu.gadget\de-de\js\cpu.js
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\ph02028k.jpg
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\wb01300_.gif
File opened for modification | C:\program files (x86)\microsoft office\office14\pubwiz\dgpquot.dpv
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar
File opened for modification | C:\program files\java\jre7\lib\zi\america\cuiaba
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\rplbrf35.chm
File opened for modification | C:\program files (x86)\microsoft office\office14\borders\msart1.bdr
File opened for modification | C:\program files (x86)\microsoft office\stationery\1033\currency.gif
File created | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\meta-inf\Restore-My-Files.txt
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0182898.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\pe00998_.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\xlate_init.xsn
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\16.png
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\28.png
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\argentina\salta
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\program files (x86)\microsoft office\office14\pubwiz\dgatnget.dpv
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\performance\titlebuttonicon.png
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse.inf
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\mactsframe.png
File opened for modification | C:\program files\windows sidebar\gadgets\clock.gadget\fr-fr\js\timezones.js
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\na01468_.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\ph02223u.bmp
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\groovedocumentreview\inactivetabimage.jpg
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\meta-inf\eclipse.inf
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar
File opened for modification | C:\program files\java\jre7\lib\zi\europe\andorra
File opened for modification | C:\program files\windows sidebar\gadgets\weather.gadget\it-it\js\weather.js
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\hh01015_.wmf
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\parnt_10.mid
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\attention.gif
File opened for modification | C:\program files (x86)\microsoft office\office14\pubwiz\dgwebhd.dpv
File opened for modification | C:\program files (x86)\microsoft office\office14\pubwiz\piccap98.poc
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\dd01162_.wmf
File opened for modification | C:\program files\dvd maker\shared\dvdstyles\babygirl\flower_trans_rgb.wmv
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\ext\dnsns.jar
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\program files\videolan\vlc\locale\bs\lc_messages\vlc.mo
File created | C:\program files\videolan\vlc\locale\ckb\lc_messages\Restore-My-Files.txt
File opened for modification | C:\program files\windows sidebar\gadgets\currency.gadget\es-es\js\localizedstrings.js
File created | C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\vdkhome\enu\Restore-My-Files.txt
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\j0217872.wmf
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\springgreen.css
File opened for modification | C:\program files (x86)\microsoft office\office14\1033\powerpnt.dev.hxs
File opened for modification | C:\program files (x86)\microsoft office\templates\1033\access\events.accdt
File opened for modification | C:\program files\java\jre7\lib\zi\america\menominee
File opened for modification | C:\program files\java\jre7\lib\zi\asia\brunei
File opened for modification | C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\button_right_over.gif
File opened for modification | C:\program files (x86)\windows sidebar\gadgets\weather.gadget\de-de\weather.html
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html
File opened for modification | C:\program files (x86)\microsoft office\clipart\pub60cor\pe00686_.wmf
File opened for modification | C:\program files\java\jdk1.7.0_80\jre\lib\ext\zipfs.jar
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\program files\java\jdk1.7.0_80\lib\missioncontrol\thirdpartylicensereadme.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1688 | vssadmin.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \Registry\Machine\Software\Classes\.lockbit | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\D167D5.ico" | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1760 | 6a98b2b6e37c7c92368548e902e9a139_modified.exe (4 identical rows)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
The 40 WMIC.exe rows are the broad privilege set wmic enables at startup regardless of the query it runs; the rows that belong to the sample itself are SeTakeOwnershipPrivilege and SeDebugPrivilege.
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1760 | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Token: SeDebugPrivilege | 1760 | 6a98b2b6e37c7c92368548e902e9a139_modified.exe
Token: SeBackupPrivilege | 1768 | vssvc.exe
Token: SeRestorePrivilege | 1768 | vssvc.exe
Token: SeAuditPrivilege | 1768 | vssvc.exe
Token (pid 1296, WMIC.exe; the following 20 rows appear twice, 40 rows in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1760 wrote to memory of 1828 | 1760 | 6a98b2b6e37c7c92368548e902e9a139_modified.exe | 29 (4 rows)
PID 1828 wrote to memory of 1688 | 1828 | cmd.exe | 31 (3 rows)
PID 1828 wrote to memory of 1296 | 1828 | cmd.exe | 34 (3 rows)
PID 1828 wrote to memory of 2100 | 1828 | cmd.exe | 36 (3 rows)
PID 1828 wrote to memory of 224 | 1828 | cmd.exe | 37 (3 rows)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\6a98b2b6e37c7c92368548e902e9a139_modified.exe  (PID 1760)
  command line: "C:\Users\Admin\AppData\Local\Temp\6a98b2b6e37c7c92368548e902e9a139_modified.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 1828, child of 1760)
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe  (PID 1688, child of 1828)
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1296, child of 1828)
      command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe  (PID 2100, child of 1828)
      command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe  (PID 224, child of 1828)
      command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

C:\Windows\system32\vssvc.exe  (PID 1768)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

vssvc.exe is the Volume Shadow Copy service, started on demand when the shadow copies are deleted; it appears as a separate tree root because the service control manager launches it, not the sample. Note that the whole recovery-inhibition chain is issued from one cmd.exe /c command line, so the parent's command line alone carries all four indicators before any child process exists.
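The process tree above is the detection surface for this sample's recovery inhibition. The following is an added example, not code from the report or the sample: it rebuilds the tree as Sysmon-style process-creation records, matches the vssadmin / wmic / bcdedit command lines that inhibit system recovery (ATT&CK T1490), and attributes each hit to the first non-shell ancestor so the alert names the ransomware process rather than cmd.exe. The record layout, the parent PIDs of the sample and of vssvc.exe, and the benign "vssadmin list shadows" control record are assumptions.

```python
"""Recovery-inhibition chain detection over process-creation telemetry.

Added example, not code from the report or the sample. Record layout, the
parent PIDs of the sample (1000) and vssvc.exe (500) and the last control
record are assumed; PIDs, images and command lines come from the report.
"""
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = "6a98b2b6e37c7c92368548e902e9a139_modified.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
CMD_CHAIN = ('"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet'
             ' & wmic shadowcopy delete'
             ' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
             ' & bcdedit /set {default} recoveryenabled no')

# Parent links follow the report's "wrote to memory of" rows and tree depth.
PROCESS_EVENTS = [
    Proc(1760, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(1828, 1760, r"C:\Windows\System32\cmd.exe", CMD_CHAIN),
    Proc(1688, 1828, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(1296, 1828, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Proc(2100, 1828, r"C:\Windows\system32\bcdedit.exe",
         "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Proc(224, 1828, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Proc(1768, 500, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # Constructed benign control: an administrator listing shadow copies.
    Proc(3000, 2900, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (tool, argument pattern, label). `[^&]*` keeps the tool and its arguments
# inside one '&'-separated segment, so a chained cmd /c line matches per command.
RULES = (
    ("vssadmin", r"\bdelete\s+shadows\b", "vssadmin deletes shadow copies"),
    ("wmic", r"\bshadowcopy\s+delete\b", "wmic deletes shadow copies"),
    ("bcdedit", r"\brecoveryenabled\s+no\b", "bcdedit disables Windows Recovery Environment"),
    ("bcdedit", r"\bbootstatuspolicy\s+ignoreallfailures\b", "bcdedit suppresses boot-failure recovery"),
)
SHELLS = {"cmd.exe", "powershell.exe"}


def inhibition_indicators(cmdline):
    """Return the labels of every recovery-inhibition command in a command line."""
    return [label for tool, args, label in RULES
            if re.search(r"\b%s(?:\.exe)?\b[^&]*%s" % (tool, args), cmdline, re.I)]


def originator(pid, by_pid):
    """Walk up from pid past shell processes and return the first non-shell
    ancestor, or the topmost process in that chain that has a record."""
    current = pid
    while True:
        rec = by_pid.get(current)
        if rec is None or rec.ppid not in by_pid:
            return current
        if ntpath.basename(by_pid[rec.ppid].image).lower() in SHELLS:
            current = rec.ppid
            continue
        return rec.ppid


def detect_recovery_inhibition(events):
    """Map originating pid -> sorted unique indicator labels seen in its subtree."""
    by_pid = {p.pid: p for p in events}
    hits = {}
    for proc in events:
        labels = inhibition_indicators(proc.cmdline)
        if labels:
            hits.setdefault(originator(proc.pid, by_pid), set()).update(labels)
    return {pid: sorted(labels) for pid, labels in hits.items()}


if __name__ == "__main__":
    for pid, labels in detect_recovery_inhibition(PROCESS_EVENTS).items():
        print(pid, *labels, sep="\n  ")
```

On the report's tree every hit (the cmd.exe line and its four children) collapses to a single alert on PID 1760 with four distinct indicators; the "vssadmin list shadows" control matches nothing. Deleting shadow copies through vssadmin or wmic is rare outside backup maintenance, and bcdedit changes to recoveryenabled are rare outside imaging, so an allow-list of those tools' parent images is usually enough to keep this rule quiet.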
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 512B
MD5: a09d956ceb2a16c927631ec694434b96
SHA1: 031d5e37626823595cd04522a4bdab02d56b6e6f
SHA256: 4c7b0262087212afcd08f4e08ca30050f31833783895f1d3640523e87892819f
SHA512: c98898a7977266170bf542eaf090872df02e2b7acf834c9aa0c61516db0433d69e92cc44eccd3c4de53b5721f9b29e347d2a33eb00972f32e33454be55a24b7f