Analysis
max time kernel: 136s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2023, 04:30
Static task: static1

Behavioral task: behavioral1
Sample: var/lib/docker/overlay2/c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad/merged/ZmU2ZGYw.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: var/lib/docker/overlay2/c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad/merged/ZmU2ZGYw.exe
Resource: win10v2004-20230220-en
General
Target: var/lib/docker/overlay2/c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad/merged/ZmU2ZGYw.exe
Size: 959KB
MD5: 41687e58130c8bdca248e1403e565afb
SHA1: 6eda5da62e5073a67ff89dd89b85328dd2df73d1
SHA256: fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69
SHA512: 6cd670e5f14a8d6fa1b5894a89cfe514d403f3f8dc82be9c83f86345be72d218844cd3f8c1c045deae6a292796d6d280efe49c8de724abda038c522407a14cde
SSDEEP: 24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target | Parent
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process | 1640 | 4996 | OfficeC2RClient.exe | 103 |
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
2836 | bcdedit.exe
3912 | bcdedit.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\SkipSelect.raw => C:\users\admin\pictures\skipselect.raw.lockbit | ZmU2ZGYw.exe
File renamed | C:\Users\Admin\Pictures\UninstallRemove.crw => C:\users\admin\pictures\uninstallremove.crw.lockbit | ZmU2ZGYw.exe
File renamed | C:\Users\Admin\Pictures\UnblockNew.png => C:\users\admin\pictures\unblocknew.png.lockbit | ZmU2ZGYw.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | ZmU2ZGYw.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6E5E24E4-E8E8-78AC-0E52-0E6D43D0CFEE} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\var\\lib\\docker\\overlay2\\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\\merged\\ZmU2ZGYw.exe\"" | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" | ZmU2ZGYw.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\FB5EDC.ico | ZmU2ZGYw.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | ZmU2ZGYw.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | ZmU2ZGYw.exe
File created | C:\Windows\system32\spool\PRINTERS\PP0x3xm5dbjo9ebfs7817qdw55b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPx8s50v9f4i32de20k0whr38vb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPidnikjjszl5kilnwx070l71i.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6542.tmp.bmp" | ZmU2ZGYw.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid | Process
4956 | ZmU2ZGYw.exe (17 identical entries)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2968 | vssadmin.exe
Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallpaperStyle = "2" | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\TileWallpaper = "0" | ZmU2ZGYw.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \Registry\Machine\Software\Classes\.lockbit | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" | ZmU2ZGYw.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\DefaultIcon | ZmU2ZGYw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\Lockbit | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command | ZmU2ZGYw.exe
Key created | \Registry\Machine\Software\Classes\htafile\DefaultIcon | ZmU2ZGYw.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2832 | PING.EXE
Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process
4956 | ZmU2ZGYw.exe (58 identical entries)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4956 | ZmU2ZGYw.exe
Token: SeDebugPrivilege | 4956 | ZmU2ZGYw.exe
Token: SeBackupPrivilege | 4636 | vssvc.exe
Token: SeRestorePrivilege | 4636 | vssvc.exe
Token: SeAuditPrivilege | 4636 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1204 | WMIC.exe
Token: SeSecurityPrivilege | 1204 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1204 | WMIC.exe
Token: SeLoadDriverPrivilege | 1204 | WMIC.exe
Token: SeSystemProfilePrivilege | 1204 | WMIC.exe
Token: SeSystemtimePrivilege | 1204 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1204 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1204 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1204 | WMIC.exe
Token: SeBackupPrivilege | 1204 | WMIC.exe
Token: SeRestorePrivilege | 1204 | WMIC.exe
Token: SeShutdownPrivilege | 1204 | WMIC.exe
Token: SeDebugPrivilege | 1204 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1204 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1204 | WMIC.exe
Token: SeUndockPrivilege | 1204 | WMIC.exe
Token: SeManageVolumePrivilege | 1204 | WMIC.exe
Token: 33 | 1204 | WMIC.exe
Token: 34 | 1204 | WMIC.exe
Token: 35 | 1204 | WMIC.exe
Token: 36 | 1204 | WMIC.exe
(The 21 WMIC.exe token entries above appear twice in the report, identically.)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1640 | OfficeC2RClient.exe
Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 4956 wrote to memory of 1076 | 4956 | ZmU2ZGYw.exe | 85 (x2)
PID 1076 wrote to memory of 2968 | 1076 | cmd.exe | 87 (x2)
PID 1076 wrote to memory of 1204 | 1076 | cmd.exe | 90 (x2)
PID 1076 wrote to memory of 2836 | 1076 | cmd.exe | 91 (x2)
PID 1076 wrote to memory of 3912 | 1076 | cmd.exe | 92 (x2)
PID 2840 wrote to memory of 4996 | 2840 | printfilterpipelinesvc.exe | 103 (x2)
PID 4996 wrote to memory of 1640 | 4996 | ONENOTE.EXE | 104 (x2)
PID 4956 wrote to memory of 4424 | 4956 | ZmU2ZGYw.exe | 105 (x3)
PID 4956 wrote to memory of 3960 | 4956 | ZmU2ZGYw.exe | 106 (x3)
PID 3960 wrote to memory of 2832 | 3960 | cmd.exe | 108 (x3)
PID 3960 wrote to memory of 5032 | 3960 | cmd.exe | 110 (x3)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\var\lib\docker\overlay2\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\merged\ZmU2ZGYw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\var\lib\docker\overlay2\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\merged\ZmU2ZGYw.exe"
PID: 4956
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    PID: 1076
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 2968
        - Interacts with shadow copies

        C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 1204
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 2836
        - Modifies boot configuration data using bcdedit

        C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        PID: 3912
        - Modifies boot configuration data using bcdedit

    C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 4424

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\var\lib\docker\overlay2\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\merged\ZmU2ZGYw.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\var\lib\docker\overlay2\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\merged\ZmU2ZGYw.exe"
    PID: 3960
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.7 -n 3
        PID: 2832
        - Runs ping.exe

        C:\Windows\SysWOW64\fsutil.exe
        Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\var\lib\docker\overlay2\c1db116cc60dca3291938a069da51751124ce18ffc3fd9e245cfb32b352478ad\merged\ZmU2ZGYw.exe"
        PID: 5032

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4636
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID: 4384

C:\Windows\system32\printfilterpipelinesvc.exe
Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
PID: 2840
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{36BB5ACC-BD37-4051-A8D0-88DF0BABAD0F}.xps" 133300746752980000
    PID: 4996
    - Suspicious use of WriteProcessMemory

        C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
        Command line: OfficeC2RClient.exe /error PID=4996 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
        PID: 1640
        - Process spawned unexpected child process
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 512B
MD5: 86eabf98147c8a51b378d68b524c28c0
SHA1: ed1fdfc2c57b540dbaeb18442956481ef91e10c7
SHA256: 9c626ccdeb645d8055d2a1f8676ef75428898a1b4a3c32ab522d7725f2630dd5
SHA512: e8a3bf9bca0698410ded44219f8e81e725263ec69040021995583e59c23fd32c07b3f9bfc75a92615a388c46703090ace3650b8c6f336161312168cbbe37a525

Filesize: 46KB
MD5: c15c6adc8c923ad87981f289025c37b2
SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83