Analysis

  • max time kernel
    0s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2023 12:40

General

  • Target

    18cea7c5ab3ffb0146bad18ea79b6745.exe

  • Size

    4.3MB

  • MD5

    18cea7c5ab3ffb0146bad18ea79b6745

  • SHA1

    08cf96e2bc9509163da4e7c3fdffd9ade068ff66

  • SHA256

    6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae

  • SHA512

    a2e599e74ebb477de6d05da14018dee9537303b56074d62e454e1511c394eb6be223d4dcbbcf92060660fc81cccf0337b9c6b24100b2d54592995504d325f550

  • SSDEEP

    98304:0jrcS5Q99S9RxlDaBDwgrg/rozMMYUvCyBSa99fbPG3kpnmAAmm0JTkj:CQc9RvDkwGgkYiFbfbHDm0JTc

Malware Config

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18cea7c5ab3ffb0146bad18ea79b6745.exe
    "C:\Users\Admin\AppData\Local\Temp\18cea7c5ab3ffb0146bad18ea79b6745.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      PID:2572
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:664
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        PID:3288
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3364
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2012
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1788
        3⤵
        • Program crash
        PID:224
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1980
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:384
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    PID:3284
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{17023282-1795-42ED-B1C0-63E0600127E5}.xps" 133485319579550000
      2⤵
      PID:4108
      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
        OfficeC2RClient.exe /error PID=4108 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
        3⤵
        • Process spawned unexpected child process
        PID:1768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
    1⤵
    PID:936

Network

MITRE ATT&CK Enterprise v15
