Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-03-2024 04:06
Static task
static1
Behavioral task
behavioral1
Sample
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
Resource
win10v2004-20240226-en
General
-
Target
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
-
Size
959KB
-
MD5
fec0ba68b3118f490dbee9dc5cc382d4
-
SHA1
c5a76c237314d970fb5acfc118c1f1109d012704
-
SHA256
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0
-
SHA512
4c202c11503607baa0fccc23223933eaf1ffe052607f46f3d596520ced90359d1bcf1369ce335d4b63de9c221cf137d6354ce88fead6e3164c54903c8e20f81c
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1552 bcdedit.exe 2020 bcdedit.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2920 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7866A3C0-E0E0-3A21-40E3-40AA4E080B68} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe\"" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File opened (read-only) \??\F: 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Drops file in System32 directory 2 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File created C:\windows\SysWOW64\AE664D.ico 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AFFE.tmp.bmp" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exepid process 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Drops file in Program Files directory 64 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process File opened for modification C:\program files\videolan\vlc\lua\playlist\cue.luac 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\windows sidebar\gadgets\mediacenter.gadget\images\gadget_star_empty.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\fd02097_.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\navbrph2.poc 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\7-zip\lang\sr-spl.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\specialoccasion\navigationleft_selectionsubpicture.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre7\lib\jfr\profile.jfc 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\menu_arrow.gif 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\pagesize\pgmn089.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-first-quarter.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\windows sidebar\gadgets\rssfeeds.gadget\en-us\gadget.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0152688.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\na02066_.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\templates\1033\apothecarynewsletter.dotx 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\gmt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre7\lib\zi\systemv\yst9 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\db\readme-jdk.html 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme effects\solstice.eftx 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0153518.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\infopathom\microsoft.office.infopath.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd21448_.gif 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\mscol11.ppd 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\currency.gadget\fr-fr\css\currency.css 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\templates\1033\access\wss\107.accdt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files\videolan\vlc\locale\he\lc_messages\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\windows sidebar\gadgets\weather.gadget\images\35.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\41.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\feature.properties 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\bl00932_.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0178460.jpg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\windows sidebar\gadgets\rssfeeds.gadget\images\item_hover_flyout.png 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0252669.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd14883_.gif 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\xlintl32.rest.idx_dll 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\dgwebcal.dpv 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\microsoft games\multiplayer\spades\it-it\shvlres.dll.mui 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File created C:\program files\videolan\vlc\locale\it\lc_messages\Restore-My-Files.txt 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\an04384_.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0171847.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0387882.jpg 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\autoshap\bd18212_.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\outllibr.dll.idx_dll 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\volgograd 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre7\lib\zi\asia\kuala_lumpur 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\outlookautodiscover\ameritech.net.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\adrespel.poc 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir32b.gif 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\toolbmps\webtoolimagesmask16x16.bmp 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0240189.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\ph02754u.bmp 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme colors\urban.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\pagesize\pglbl012.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\en-us\gadget.xml 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\it-it\css\settings.css 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files\java\jre7\lib\zi\africa\cairo 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\adobe\reader 9.0\resource\font\pfm\zy______.pfm 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0198234.wmf 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe File opened for modification C:\program files (x86)\microsoft office\office14\proof\msth7es.lex 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2032 vssadmin.exe -
Modifies Control Panel 2 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "2" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\TileWallpaper = "0" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Modifies registry class 3 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exedescription ioc process Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Key created \Registry\Machine\Software\Classes\.lockbit 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exepid process 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exevssvc.exeWMIC.exedescription pid process Token: SeTakeOwnershipPrivilege 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Token: SeDebugPrivilege 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe Token: SeBackupPrivilege 676 vssvc.exe Token: SeRestorePrivilege 676 vssvc.exe Token: SeAuditPrivilege 676 vssvc.exe Token: SeIncreaseQuotaPrivilege 964 WMIC.exe Token: SeSecurityPrivilege 964 WMIC.exe Token: SeTakeOwnershipPrivilege 964 WMIC.exe Token: SeLoadDriverPrivilege 964 WMIC.exe Token: SeSystemProfilePrivilege 964 WMIC.exe Token: SeSystemtimePrivilege 964 WMIC.exe Token: SeProfSingleProcessPrivilege 964 WMIC.exe Token: SeIncBasePriorityPrivilege 964 WMIC.exe Token: SeCreatePagefilePrivilege 964 WMIC.exe Token: SeBackupPrivilege 964 WMIC.exe Token: SeRestorePrivilege 964 WMIC.exe Token: SeShutdownPrivilege 964 WMIC.exe Token: SeDebugPrivilege 964 WMIC.exe Token: SeSystemEnvironmentPrivilege 964 WMIC.exe Token: SeRemoteShutdownPrivilege 964 WMIC.exe Token: SeUndockPrivilege 964 WMIC.exe Token: SeManageVolumePrivilege 964 WMIC.exe Token: 33 964 WMIC.exe Token: 34 964 WMIC.exe Token: 35 964 WMIC.exe Token: SeIncreaseQuotaPrivilege 964 WMIC.exe Token: SeSecurityPrivilege 964 WMIC.exe Token: SeTakeOwnershipPrivilege 964 WMIC.exe Token: SeLoadDriverPrivilege 964 WMIC.exe Token: SeSystemProfilePrivilege 964 WMIC.exe Token: SeSystemtimePrivilege 964 WMIC.exe Token: SeProfSingleProcessPrivilege 964 WMIC.exe Token: SeIncBasePriorityPrivilege 964 WMIC.exe Token: SeCreatePagefilePrivilege 964 WMIC.exe Token: SeBackupPrivilege 964 WMIC.exe Token: SeRestorePrivilege 964 WMIC.exe Token: SeShutdownPrivilege 964 WMIC.exe Token: SeDebugPrivilege 964 WMIC.exe Token: SeSystemEnvironmentPrivilege 964 WMIC.exe Token: SeRemoteShutdownPrivilege 964 WMIC.exe Token: SeUndockPrivilege 964 WMIC.exe Token: SeManageVolumePrivilege 964 WMIC.exe Token: 33 964 WMIC.exe Token: 34 964 WMIC.exe Token: 35 964 WMIC.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.execmd.execmd.exedescription pid process target process PID 2136 wrote to memory of 1236 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 1236 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 1236 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 1236 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 1236 wrote to memory of 2032 1236 cmd.exe vssadmin.exe PID 1236 wrote to memory of 2032 1236 cmd.exe vssadmin.exe PID 1236 wrote to memory of 2032 1236 cmd.exe vssadmin.exe PID 1236 wrote to memory of 964 1236 cmd.exe WMIC.exe PID 1236 wrote to memory of 964 1236 cmd.exe WMIC.exe PID 1236 wrote to memory of 964 1236 cmd.exe WMIC.exe PID 1236 wrote to memory of 1552 1236 cmd.exe bcdedit.exe PID 1236 wrote to memory of 1552 1236 cmd.exe bcdedit.exe PID 1236 wrote to memory of 1552 1236 cmd.exe bcdedit.exe PID 1236 wrote to memory of 2020 1236 cmd.exe bcdedit.exe PID 1236 wrote to memory of 2020 1236 cmd.exe bcdedit.exe PID 1236 wrote to memory of 2020 1236 cmd.exe bcdedit.exe PID 2136 wrote to memory of 2920 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 2920 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 2920 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2136 wrote to memory of 2920 2136 19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe cmd.exe PID 2920 wrote to memory of 2604 2920 cmd.exe PING.EXE PID 2920 wrote to memory of 2604 2920 cmd.exe PING.EXE PID 2920 wrote to memory of 2604 2920 cmd.exe PING.EXE PID 2920 wrote to memory of 2604 2920 cmd.exe PING.EXE PID 2920 wrote to memory of 2284 2920 cmd.exe fsutil.exe PID 2920 wrote to memory of 2284 2920 cmd.exe fsutil.exe PID 2920 wrote to memory of 2284 2920 cmd.exe fsutil.exe PID 2920 wrote to memory of 2284 2920 cmd.exe fsutil.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2032 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:1552 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:2604 -
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe"3⤵PID:2284
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD53a1c3552e69b198bc32d49db67548ff3
SHA194a11ee8239862688bd424a4acf6e5f67cfc43d0
SHA2565f9d14b113634e65258f49e8a2cf0271a0fdd62c96ea6e12d76cf97e21a363e3
SHA512aafec7aafe1cf1c6ceee0d4f336d562a6a4192b2f274f99d41e4e61b771ae73cacb5d19c9c366f53da523e6f7f9c272a32c321261f2013c60d2c127f266c3cbf