lockbit | b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

022091772db14e763fcceeb462d150d1.exe
Size

969KB
MD5

022091772db14e763fcceeb462d150d1
SHA1

dcc81069eccf55b6b292fa0b284265c6af4c4e74
SHA256

b2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa
SHA512

67ac81a397f7e0c73167ead29a412e0d2f5e9d552f68059d431bbb8b04767d0783ea49bbedabe025331cc9067a3a959666765ccd7b88b16e28ca9ed5d53c131b
SSDEEP

24576:PbqIi4vsu1NQ9+aubOj+vCVCdN/4yMdkzkxwccmiF:DqIiW7Qoau174IkxwVD

Score

10^/10

lockbit discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FCE1FD7644DB7C6D8B3F46C32A826DB0

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4036	bcdedit.exe
3740	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	022091772db14e763fcceeb462d150d1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B0E1BE76-DBDB-7C37-816E-81107837D142} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\022091772db14e763fcceeb462d150d1.exe\""	022091772db14e763fcceeb462d150d1.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	022091772db14e763fcceeb462d150d1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\program files\microsoft office\root\office16\borders\msart13.bdr	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\templates\1033\widescreenpresentation.potx	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.skypeapp_14.53.77.0_x64__kzf8qxf38zg5c\assets\audio\skype_dtmf_7.m4a	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-32_altform-unplated_contrast-white.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowspowershell\modules\microsoft.powershell.operation.validation\1.0.1\microsoft.powershell.operation.validation.psm1	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\office16\borders\msart11.bdr	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\windowsapps\microsoft.net.native.framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\appxmetadata\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\assets\navigationicons\nav_icons_store.targetsize-48.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.gethelp_10.1706.13331.0_x64__8wekyb3d8bbwe\assets\tinytile.targetsize-16_contrast-white.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jscripts\wefgallerywinrt.js	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxmailwidetile.scale-200.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\place\ltr\contrast-black\widetile.scale-100.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\apptiles\contrast-black\mapsapplist.targetsize-20_altform-unplated.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\apptiles\contrast-white\mapsapplist.targetsize-20.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsstore_11910.1002.5.0_x64__8wekyb3d8bbwe\resources\retaildemo\data\en-us\retaildemodata.json	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\assets\background_cliffhouse.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\skypeforbusinessbasic2019_eula.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\office16\pagesize\pgmn102.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\contrast-black\widetile.scale-100_contrast-black.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\mondovl_mak-ul-phn.xrm-ms	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\videolan\vlc\locale\uk\lc_messages\vlc.mo	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\outlookaccount.scale-100.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowssoundrecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\assets\voicerecorderapplist.contrast-black_targetsize-30.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxa-advanced-dark.scale-125.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\appxmanifest.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\deletedalluserpackages\microsoft.xboxapp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\gamesxboxhubstorelogo.scale-125_contrast-high.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\39.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\common.view.uwp\strings\nl-nl\view3d\3dviewerproductdescription-universal.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\assets\contrast-white\mixedrealityportalapplist.targetsize-16_altform-unplated_contrast-white.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxa-google.scale-250.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\stslist.chm	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\windowsapps\microsoft.storepurchaseapp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-30_altform-unplated_contrast-white.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\homebusinessr_oem_perp2-ul-phn.xrm-ms	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\orientationcontrolconehover.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\proplusr_retail-ul-oob.xrm-ms	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\onenotenewnotewidetile.scale-150.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\java\jdk-1.8\jre\lib\deploy\messages_sv.properties	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\deletedalluserpackages\microsoft.desktopappinstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\apppackagesmalltile.scale-125.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsalarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\timerlargetile.contrast-white_scale-100.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowssoundrecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\appxmetadata\codeintegrity.cat	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\storelogo.scale-125.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\email.ot	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\directions\car\ltr\contrast-white\smalltile.scale-200.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\powerpoint2019vl_mak_ae-ul-phn.xrm-ms	022091772db14e763fcceeb462d150d1.exe
File created	C:\program files\windowsapps\microsoft.services.store.engagement_10.0.18101.0_x64__8wekyb3d8bbwe\Restore-My-Files.txt	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\previewmaillist.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowsfeedbackhub_1.1907.3152.0_x64__8wekyb3d8bbwe\assets\insiderhubapplist.targetsize-256_contrast-white.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\aboutadscorebackgroundimage.jpg	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\office16\livepersonacard\images\default\linkedin_logo_small.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\deletedalluserpackages\microsoft.windows.photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\appxsignature.p7x	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\deletedalluserpackages\microsoft.windows.photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\photosapplist.contrast-white_scale-100.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxcalendarwidetile.scale-200.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\appxblockmap.xml	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-30.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.windowssoundrecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\assets\voicerecorderlogoextensions.targetsize-128.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\videolan\vlc\locale\nl\lc_messages\vlc.mo	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\assets\square71x71logo.scale-150.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\en\spreadsheetcompare_k_col.hxk	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\deletedalluserpackages\microsoft.windowsalarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\alarmssplashscreen.contrast-black_scale-125.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\assets\getstartedapplist.targetsize-20_altform-lightunplated.png	022091772db14e763fcceeb462d150d1.exe
File opened for modification	C:\program files\windowsapps\microsoft.yourphone_0.19051.7.0_x64__8wekyb3d8bbwe\assets\microsoftlogo.scale-200.png	022091772db14e763fcceeb462d150d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1080	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe
1404	022091772db14e763fcceeb462d150d1.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1404	022091772db14e763fcceeb462d150d1.exe
Token: SeDebugPrivilege	1404	022091772db14e763fcceeb462d150d1.exe
Token: SeBackupPrivilege	1188	vssvc.exe
Token: SeRestorePrivilege	1188	vssvc.exe
Token: SeAuditPrivilege	1188	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: 36	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: 36	1612	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3860	1404	022091772db14e763fcceeb462d150d1.exe	92
PID 1404 wrote to memory of 3860	1404	022091772db14e763fcceeb462d150d1.exe	92
PID 3860 wrote to memory of 1080	3860	cmd.exe	94
PID 3860 wrote to memory of 1080	3860	cmd.exe	94
PID 3860 wrote to memory of 1612	3860	cmd.exe	97
PID 3860 wrote to memory of 1612	3860	cmd.exe	97
PID 3860 wrote to memory of 4036	3860	cmd.exe	99
PID 3860 wrote to memory of 4036	3860	cmd.exe	99
PID 3860 wrote to memory of 3740	3860	cmd.exe	100
PID 3860 wrote to memory of 3740	3860	cmd.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\022091772db14e763fcceeb462d150d1.exe
"C:\Users\Admin\AppData\Local\Temp\022091772db14e763fcceeb462d150d1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4036
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Restore-My-Files.txt

Filesize
512B

MD5
f4be0eb9fb089fa773acdb0ce1eb55a7

SHA1
e6ffe32d0fed16e64c68eb7e76361a4f8db0ffdd

SHA256
fed994119f80b823eed512d0acc8ba5b3261fcbec339c80ca14f373ef26f1514

SHA512
07da03b6ed10ead428844feaa916b1259b9092ffd90f5b01b9abcf1563e34b179f6d5dbde52a972440a47424e0847ded0d80007bd95423e7e3e4272cbd5f2e19

Download Submit