Analysis
- max time kernel: 166s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-03-2024 04:08

Static task: static1

Behavioral task: behavioral1
  Sample: 2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
  Resource: win10v2004-20240226-en

General
- Target: 2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
- Size: 959KB
- MD5: 9dbb0838eb857c2cf22ca5407d6c85d7
- SHA1: fe486f8741f2f94fc79def45b4872030e5504d3a
- SHA256: 2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495
- SHA512: 1abacf15c959e3f31e54385de34ecec00291aa2dec2e00d663939edf93ff975a1303d579de1d89d00cf557e2e2984862e993ab05f1e0b125eb93d01d5618f417
- SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796u
Malware Config

Extracted
  Path: C:\Program Files\dotnet\Restore-My-Files.txt
  URLs:
    http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
    https://bigblog.at
    http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
    http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
    https://decoding.at
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    3712  bcdedit.exe
    5096  bcdedit.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                              process
    Key value queried  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B6BBAC74-BFBF-7719-358C-353603CF0C0E} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe\""  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\F:  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes:
    pid   process
    3460  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
    (the same row is listed 17 times, one per IoC)
Drops file in Program Files directory (64 IoCs)
  Processes (the process column of every row is 2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe):
    description                   ioc
    File created                  C:\program files\java\jre-1.8\lib\amd64\Restore-My-Files.txt
    File opened for modification  C:\program files\java\jre-1.8\lib\jsse.jar
    File opened for modification  C:\program files\java\jre-1.8\lib\management\jmxremote.access
    File opened for modification  C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subtrial1-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\powerpointvl_mak-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\office16\addins\power view excel add-in\microsoft.reporting.adhoc.shell.bootstrapper.xap
    File created                  C:\program files\java\jdk-1.8\jre\lib\ext\Restore-My-Files.txt
    File opened for modification  C:\program files\java\jre-1.8\legal\jdk\zlib.md
    File created                  C:\program files\microsoft office\root\office16\msipc\et\Restore-My-Files.txt
    File created                  C:\program files\microsoft office\root\office16\pagesize\Restore-My-Files.txt
    File opened for modification  C:\program files\microsoft office\root\document themes 16\theme fonts\century schoolbook.xml
    File opened for modification  C:\program files\microsoft office\root\licenses16\word2019r_retail-pl.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\document themes 16\theme fonts\constantia-franklin gothic book.xml
    File opened for modification  C:\program files\microsoft office\root\office16\pagesize\pglbl082.xml
    File opened for modification  C:\program files\java\jre-1.8\legal\jdk\mesa3d.md
    File opened for modification  C:\program files\java\jre-1.8\lib\psfont.properties.ja
    File opened for modification  C:\program files\java\jdk-1.8\jre\lib\security\blacklist
    File opened for modification  C:\program files\java\jdk-1.8\jre\lib\security\java.security
    File opened for modification  C:\program files\microsoft office\root\licenses16\outlookr_oem_perp-ul-phn.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\professional2019r_prepidbypass-ppd.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\office16\library\solver\solver.xlam
    File opened for modification  C:\program files\7-zip\lang\sq.txt
    File opened for modification  C:\program files\java\jdk-1.8\jre\legal\jdk\zlib.md
    File opened for modification  C:\program files\microsoft office\root\licenses16\visioprovl_kms_client-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\office16\1033\msouc_k_col.hxk
    File opened for modification  C:\program files\microsoft office\root\office16\logoimages\firstrunlogosmall.contrast-black_scale-100.png
    File opened for modification  C:\program files\java\jdk-1.8\jre\lib\deploy.jar
    File opened for modification  C:\program files\java\jre-1.8\legal\jdk\colorimaging.md
    File created                  C:\program files\microsoft office\root\office16\sdxs\fa000000018\Restore-My-Files.txt
    File opened for modification  C:\program files\microsoft office\root\licenses16\visiostdco365r_subtest-ppd.xrm-ms
    File created                  C:\program files\microsoft office\root\office16\onenote\Restore-My-Files.txt
    File created                  C:\program files\microsoft office\root\office16\addins\Restore-My-Files.txt
    File opened for modification  C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subtrial1-ppd.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\word2019r_retail-ppd.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\office16\sdxs\fa000000042\assets\assets\images\assets_picker-account-addperson-48.png
    File created                  C:\program files\microsoft office\root\office16\msipc\sl\Restore-My-Files.txt
    File opened for modification  C:\program files\microsoft office\root\office16\sdxs\fa000000018\cardviewicon.png
    File opened for modification  C:\program files\microsoft office\root\document themes 16\gallery.thmx
    File opened for modification  C:\program files\microsoft office\root\licenses16\accessr_grace-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\projectpror_retail-ul-phn.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\standardr_trial-pl.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\visiostdo365r_subtrial-pl.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\office16\pagesize\pglbl010.xml
    File opened for modification  C:\program files\7-zip\lang\th.txt
    File opened for modification  C:\program files\java\jdk-1.8\jre\legal\jdk\giflib.md
    File opened for modification  C:\program files\microsoft office\root\office16\pagesize\pglbl109.xml
    File created                  C:\program files\microsoft office\root\document themes 16\theme effects\Restore-My-Files.txt
    File opened for modification  C:\program files\microsoft office\root\office16\mscss7wre_fr.dub
    File opened for modification  C:\program files\java\jdk-1.8\lib\packager.jar
    File opened for modification  C:\program files\java\jre-1.8\legal\jdk\cryptix.md
    File opened for modification  C:\program files\microsoft office\root\licenses16\powerpoint2019vl_mak_ae-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\proplusvl_kms_client-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\publisherr_retail-ul-oob.xrm-ms
    File opened for modification  C:\program files\java\jre-1.8\lib\deploy.jar
    File opened for modification  C:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml
    File opened for modification  C:\program files\java\jdk-1.8\jre\lib\deploy\messages_de.properties
    File opened for modification  C:\program files\microsoft office\root\licenses16\homebusinessr_retail3-ppd.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\o365educloudedur_grace-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\powerpointvl_mak-ppd.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\standardvl_mak-ul-oob.xrm-ms
    File opened for modification  C:\program files\microsoft office\root\licenses16\visiostdr_oem_perp-ul-phn.xrm-ms
    File created                  C:\program files\microsoft office\root\office16\personaspy\Restore-My-Files.txt
    File opened for modification  C:\program files\java\jre-1.8\lib\deploy\messages_zh_hk.properties
    File opened for modification  C:\program files\microsoft office\root\document themes 16\facet.thmx
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    4852  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3460  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
    (the same row is listed 64 times, one per IoC)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes:
    description                          pid   process
    Token: SeTakeOwnershipPrivilege      3460  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
    Token: SeDebugPrivilege              3460  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
    Token: SeBackupPrivilege             4708  vssvc.exe
    Token: SeRestorePrivilege            4708  vssvc.exe
    Token: SeAuditPrivilege              4708  vssvc.exe
    Token: SeIncreaseQuotaPrivilege      1364  WMIC.exe
    Token: SeSecurityPrivilege           1364  WMIC.exe
    Token: SeTakeOwnershipPrivilege      1364  WMIC.exe
    Token: SeLoadDriverPrivilege         1364  WMIC.exe
    Token: SeSystemProfilePrivilege      1364  WMIC.exe
    Token: SeSystemtimePrivilege         1364  WMIC.exe
    Token: SeProfSingleProcessPrivilege  1364  WMIC.exe
    Token: SeIncBasePriorityPrivilege    1364  WMIC.exe
    Token: SeCreatePagefilePrivilege     1364  WMIC.exe
    Token: SeBackupPrivilege             1364  WMIC.exe
    Token: SeRestorePrivilege            1364  WMIC.exe
    Token: SeShutdownPrivilege           1364  WMIC.exe
    Token: SeDebugPrivilege              1364  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  1364  WMIC.exe
    Token: SeRemoteShutdownPrivilege     1364  WMIC.exe
    Token: SeUndockPrivilege             1364  WMIC.exe
    Token: SeManageVolumePrivilege       1364  WMIC.exe
    Token: 33                            1364  WMIC.exe
    Token: 34                            1364  WMIC.exe
    Token: 35                            1364  WMIC.exe
    Token: 36                            1364  WMIC.exe
    (the 21 WMIC.exe rows above are listed a second time in the same order)
Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (each row is listed twice in the report):
    description                       pid   process                                                                process target
    PID 3460 wrote to memory of 3196  3460  2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe  cmd.exe
    PID 3196 wrote to memory of 4852  3196  cmd.exe                                                                vssadmin.exe
    PID 3196 wrote to memory of 1364  3196  cmd.exe                                                                WMIC.exe
    PID 3196 wrote to memory of 3712  3196  cmd.exe                                                                bcdedit.exe
    PID 3196 wrote to memory of 5096  3196  cmd.exe                                                                bcdedit.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3460

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 3196

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 4852

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 1364

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 3712

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 5096

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4708
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 512B
  MD5: abc703fb9fe6eec2df7c2366b28b9097
  SHA1: a40141405af2eb9e7a71ae164c00887bfabece5d
  SHA256: 661ccde6c5a10fa376d51ebc0964c6c2416e26835b81f73853d5f2327f7af013
  SHA512: 676f62ede3522491fac63e81afea4f128ce216951b85b5f05e215d1c109e9c1f4a1f5973c2982f5ffabe368013638e3ca56937f848d28bf6340ca4efca2ecc50