Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
14-03-2024 04:11
Static task
static1
Behavioral task
behavioral1
Sample
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
Resource
win10v2004-20240226-en
General
-
Target
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
-
Size
959KB
-
MD5
01c9561a15dc451562ba536d8239fa41
-
SHA1
9566de40d3435be6fac364e11d50d67d8a3c8dc4
-
SHA256
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0
-
SHA512
42c59fc3052ebcef309bfa2b9824841097cf6e115207da5bd26ccdd273f6382790c83bcd7f666aab045c66fb499d78b377cf4a369b306f1b67e635195f5c4a5b
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796f
Malware Config
Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\bin\Restore-My-Files.txt
URLs:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid   process
  1356  bcdedit.exe
  3048  bcdedit.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9C4157E5-4C4C-829A-39B6-39FFFC8E572F} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe\""
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description              ioc
  File opened (read-only)  \??\F:
-
Drops file in System32 directory 2 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description   ioc
  File created  C:\windows\SysWOW64\6341D6.ico
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9C11.tmp.bmp"
-
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
Processes:
  pid   process
  2320  5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe (listed 22 times, one per call)
-
Drops file in Program Files directory 64 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe (all 64 entries)
  description                   ioc
  File opened for modification  C:\program files\java\jre7\lib\zi\asia\yekaterinburg
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\bl00274_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\form98.poc
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0198113.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\na01421_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\stationery\1033\dadshirt.htm
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\content-types.properties
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\moduleautodeps\org-openide-explorer.xml
  File opened for modification  C:\program files (x86)\microsoft office\media\office14\bullets\j0115840.gif
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0237336.wmf
  File created                  C:\program files (x86)\microsoft office\office14\addins\Restore-My-Files.txt
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\travel\passportmask_pal.wmv
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\videowall\203x8subpicture.png
  File opened for modification  C:\program files (x86)\adobe\reader 9.0\reader\pmd.cer
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\tr00006_.wmf
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\flower_m.png
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar
  File opened for modification  C:\program files\videolan\vlc\locale\cs\lc_messages\vlc.mo
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0099164.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0187859.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\office14\bullets\bd14792_.gif
  File opened for modification  C:\program files (x86)\microsoft office\office14\addins\outex.ecf
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\warsaw
  File opened for modification  C:\program files\microsoft games\multiplayer\backgammon\en-us\bckgres.dll.mui
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\dd00687_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\tr00097_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\greentea.css
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\weather.gadget\de-de\js\library.js
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\security\local_policy.jar
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_cn_5.5.0.165303.jar
  File opened for modification  C:\program files\windows sidebar\gadgets\mediacenter.gadget\css\settings.css
  File opened for modification  C:\program files (x86)\microsoft office\office14\microsoft.sharepoint.businessdata.administration.client.xml
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\diner.png
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\11.png
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0105298.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\msouc_col.hxt
  File opened for modification  C:\program files (x86)\microsoft office\office14\forms\1033\ipm.cfg
  File created                  C:\program files\microsoft games\more games\it-it\Restore-My-Files.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\ag00090_.gif
  File opened for modification  C:\program files (x86)\microsoft office\office14\forms\1033\distlist.cfg
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\photoedge_selectionsubpicture.png
  File opened for modification  C:\program files\java\jdk1.7.0_80\include\jdwptransport.h
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\3.png
  File opened for modification  C:\program files\windows sidebar\gadgets\clock.gadget\images\settings_corner_bottom_right.png
  File opened for modification  C:\program files (x86)\adobe\reader 9.0\resource\typesupport\unicode\mappings\mac\cyrillic.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\bd07804_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\theme effects\concourse.eftx
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir8b.gif
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\specialoccasion\navigationright_buttongraphic.png
  File created                  C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\Restore-My-Files.txt
  File opened for modification  C:\program files\videolan\vlc\lua\http\vlm_export.html
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\theme effects\urban.eftx
  File opened for modification  C:\program files\mozilla firefox\browser\omni.ja
  File opened for modification  C:\program files\videolan\vlc\locale\zh_cn\lc_messages\vlc.mo
  File opened for modification  C:\program files\windows sidebar\gadgets\mediacenter.gadget\images\gadget_main_background_quicklaunch.png
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme02.css
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\greenstateicon.png
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_gray_snow.png
  File opened for modification  C:\program files\java\jre7\lib\zi\pacific\port_moresby
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\classic2.wmf
  File created                  C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\sts2\Restore-My-Files.txt
  File opened for modification  C:\program files\java\jre7\lib\zi\asia\baku
  File created                  C:\program files\microsoft games\spidersolitaire\en-us\Restore-My-Files.txt
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  2252  vssadmin.exe
-
Modifies Control Panel 2 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\TileWallpaper = "0"
-
Modifies registry class 3 IoCs
Processes:
  process: 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  description      ioc
  Key created      \Registry\Machine\Software\Classes\.lockbit
  Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6341D6.ico"
-
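The registry entries reported under "Adds Run key", "Sets desktop wallpaper", "Modifies Control Panel" and "Modifies registry class" share one line format: `Set value (<type>) <key>\<name> = "<escaped data>"` or `Key created <key>`. The following is an added example, not the sandbox vendor's code, that parses those lines as they appear above, normalises the `\REGISTRY\USER` / `\Registry\Machine` prefixes to `HKU` / `HKLM`, and scores each record with rules a responder would actually use on a live host: a Run value whose target lives under `AppData\Local\Temp`, a Run value named like a GUID, a default icon registered for a new file-extension class, and a wallpaper loaded from Temp. The IoC lines are copied from the report; the OneDrive Run entry is a constructed benign control, and the rule set and hive mapping are this example's own assumptions.

```python
"""Parse and score the registry IoC lines shown in the signatures above.

Added example; not the sandbox vendor's code. IOC_LINES copies the report's
'Set value' and 'Key created' entries verbatim plus one constructed benign Run
entry. The hive normalisation and the four rules are this example's own
assumptions about what a responder would want flagged.
"""
import re

SAMPLE = "5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe"
SID = "S-1-5-21-3452737119-3959686427-228443150-1000"
HKU = "\\REGISTRY\\USER\\" + SID          # prefix exactly as the report prints it

IOC_LINES = [
    # Run key (from the report)
    ("Set value (str) " + HKU
     + r"\Software\Microsoft\Windows\CurrentVersion\Run\{9C4157E5-4C4C-829A-39B6-39FFFC8E572F}"
     + r' = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + r'\""'),
    # Wallpaper / Control Panel (from the report)
    "Set value (str) " + HKU + r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9C11.tmp.bmp"',
    "Set value (str) " + HKU + r'\Control Panel\Desktop\WallpaperStyle = "2"',
    "Set value (str) " + HKU + r'\Control Panel\Desktop\TileWallpaper = "0"',
    # File-class registration (from the report)
    r"Key created \Registry\Machine\Software\Classes\.lockbit",
    r"Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\6341D6.ico"',
    # Constructed benign control: a normal per-user Run entry must not fire
    ("Set value (str) " + HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
     + r' = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"'),
]

SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)"$')
KEY_CREATED = re.compile(r"^Key created (?P<path>.+)$")
HIVES = (
    (re.compile(r"^\\REGISTRY\\USER\\", re.I), "HKU\\"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
)
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
CLASS_ICON = re.compile(r"\\classes\\(\.[^\\]+)\\defaulticon$")
TEMP = "\\appdata\\local\\temp\\"


def normalise_hive(path: str) -> str:
    """\\REGISTRY\\USER\\<sid>\\... -> HKU\\<sid>\\...; \\Registry\\Machine\\... -> HKLM\\..."""
    for rx, prefix in HIVES:
        m = rx.match(path)
        if m:
            return prefix + path[m.end():]
    return path


def unescape(data: str) -> str:
    """The report prints value data C-escaped (\\\\ and \\\"); undo that."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_line(line: str):
    m = SET_VALUE.match(line)
    if m:
        # last path component is the value name; a trailing '\' means the (Default) value
        key, _, name = m.group("path").rpartition("\\")
        return {"op": "set", "type": m.group("type"), "key": normalise_hive(key),
                "name": name, "data": unescape(m.group("data"))}
    m = KEY_CREATED.match(line)
    if m:
        return {"op": "create", "type": None, "key": normalise_hive(m.group("path")),
                "name": None, "data": None}
    return None


def classify(rec: dict) -> list:
    """Rule names that the record trips; empty list means nothing suspicious."""
    hits = []
    if rec["op"] != "set":
        return hits
    key, name, data = rec["key"].lower(), rec["name"], rec["data"].lower()
    if key.endswith("\\currentversion\\run"):
        if TEMP in data:
            hits.append("run_key_points_into_temp")
        if GUID.match(name):
            hits.append("run_value_named_like_guid")
    m = CLASS_ICON.search(key)
    if m and name == "":
        hits.append("file_class_default_icon:" + m.group(1))
    if key.endswith("\\control panel\\desktop") and name.lower() == "wallpaper" and TEMP in data:
        hits.append("wallpaper_from_temp")
    return hits


def triage(lines) -> list:
    """[(parsed record, [rule, ...]), ...] for every line that trips at least one rule."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (hits := classify(rec)):
            out.append((rec, hits))
    return out


if __name__ == "__main__":
    for rec, hits in triage(IOC_LINES):
        print(", ".join(hits), "->", rec["key"] + "\\" + rec["name"], "=", rec["data"])
```

The `.lockbit` extension and the GUID-named Run value are what make this sample's registry footprint recognisable, but the rules are written against structure (Run target under Temp, fresh file-class icon, wallpaper under Temp) rather than against those literals, so they still fire when a later build changes the extension or the GUID.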
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
  pid   process
  2320  5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe (listed 36 times, one per enumeration)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
  description                        pid   process
  Token: SeTakeOwnershipPrivilege    2320  5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  Token: SeDebugPrivilege            2320  5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
  Token: SeBackupPrivilege           1440  vssvc.exe
  Token: SeRestorePrivilege          1440  vssvc.exe
  Token: SeAuditPrivilege            1440  vssvc.exe
  Token: SeIncreaseQuotaPrivilege    2568  WMIC.exe
  Token: SeSecurityPrivilege         2568  WMIC.exe
  Token: SeTakeOwnershipPrivilege    2568  WMIC.exe
  Token: SeLoadDriverPrivilege       2568  WMIC.exe
  Token: SeSystemProfilePrivilege    2568  WMIC.exe
  Token: SeSystemtimePrivilege       2568  WMIC.exe
  Token: SeProfSingleProcessPrivilege 2568 WMIC.exe
  Token: SeIncBasePriorityPrivilege  2568  WMIC.exe
  Token: SeCreatePagefilePrivilege   2568  WMIC.exe
  Token: SeBackupPrivilege           2568  WMIC.exe
  Token: SeRestorePrivilege          2568  WMIC.exe
  Token: SeShutdownPrivilege         2568  WMIC.exe
  Token: SeDebugPrivilege            2568  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 2568 WMIC.exe
  Token: SeRemoteShutdownPrivilege   2568  WMIC.exe
  Token: SeUndockPrivilege           2568  WMIC.exe
  Token: SeManageVolumePrivilege     2568  WMIC.exe
  Token: 33                          2568  WMIC.exe
  Token: 34                          2568  WMIC.exe
  Token: 35                          2568  WMIC.exe
  (the same 20 WMIC.exe adjustments are recorded a second time, giving 45 IoCs in total)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  source pid  source process                                                          target pid  target process  writes
  2320        5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe   268         cmd.exe         4
  268         cmd.exe                                                                 2252        vssadmin.exe    3
  268         cmd.exe                                                                 2568        WMIC.exe        3
  268         cmd.exe                                                                 1356        bcdedit.exe     3
  268         cmd.exe                                                                 3048        bcdedit.exe     3
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe"
    PID: 2320
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe  (parent PID 2320)
        command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        PID: 268
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe  (parent PID 268)
            command line: vssadmin delete shadows /all /quiet
            PID: 2252
            - Interacts with shadow copies
        [3] C:\Windows\System32\Wbem\WMIC.exe  (parent PID 268)
            command line: wmic shadowcopy delete
            PID: 2568
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\bcdedit.exe  (parent PID 268)
            command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            PID: 1356
            - Modifies boot configuration data using bcdedit
        [3] C:\Windows\system32\bcdedit.exe  (parent PID 268)
            command line: bcdedit /set {default} recoveryenabled no
            PID: 3048
            - Modifies boot configuration data using bcdedit
-
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 1440
    - Suspicious use of AdjustPrivilegeToken
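The process tree is the most reusable part of this report: the sample launches a single cmd.exe whose command line chains `vssadmin delete shadows`, `wmic shadowcopy delete` and two `bcdedit /set {default}` changes with `&`, and the sandbox signatures ("Deletes shadow copies", "Interacts with shadow copies", "Modifies boot configuration data using bcdedit") fire on the child processes. The following is an added example, not part of the report, that runs equivalent detection over process-creation records: it splits a cmd.exe chain so the parent is caught even if the children never spawn, and it walks parent PIDs so the finding is attributed to the dropper rather than to cmd.exe. The events are constructed to mirror the tree above (PIDs, images and command lines copied from it); the record layout loosely follows Sysmon Event ID 1 / Windows 4688 fields, and the sample's own parent PID (1000) and the benign control at PID 4100 are assumptions.

```python
"""Flag the recovery-inhibition chain from the process tree above.

Added example; not part of the sandbox report. EVENTS is constructed to mirror
the report's process tree (PIDs, images and command lines copied from it). The
record shape loosely follows Sysmon Event ID 1 / Windows 4688 fields; the
sample's parent PID (1000) and the benign control at PID 4100 are this
example's own assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = "5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# One regex per individual command; all four correspond to ATT&CK T1490
# (Inhibit System Recovery), the technique behind this signature group.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# cmd.exe joins several commands into one command line with & / && / ||;
# split the parent's line so the chain is caught even if no child is logged.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&)\s*")


def split_chain(cmdline: str) -> list:
    """'cmd.exe /c a & b && c' -> ['cmd.exe /c a', 'b', 'c']."""
    return [part for part in CHAIN_SPLIT.split(cmdline) if part]


def ancestry(by_pid: dict, pid: int) -> list:
    """PIDs from `pid` upward to the last ancestor present in the event set."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def detect(events) -> list:
    """One finding per (process, command, rule) match, attributed to the top of
    the known ancestry so the dropper, not cmd.exe, is named as the root."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for cmd in split_chain(e.cmdline):
            for rule, rx in RULES.items():
                if rx.search(cmd):
                    root = by_pid[ancestry(by_pid, e.pid)[-1]]
                    findings.append({
                        "rule": rule, "pid": e.pid, "image": e.image, "command": cmd,
                        "root_pid": root.pid, "root_image": root.image,
                    })
    return findings


EVENTS = [
    # parent PID 1000 is an assumption: the report does not show the sample's parent
    ProcEvent(2320, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(268, 2320, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
              r" & wmic shadowcopy delete"
              r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              r" & bcdedit /set {default} recoveryenabled no"),
    ProcEvent(2252, 268, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2568, 268, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(1356, 268, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(3048, 268, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    # constructed benign control: an administrator listing shadows must not fire
    ProcEvent(4100, 900, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:28} pid={f["pid"]:<5} root={f["root_pid"]} {f["command"]}')
```

On the events above this yields eight findings: four for the cmd.exe chain itself and one for each child, all rooted at PID 2320. Splitting the parent's line matters because a build that spawns the same chain through a different launcher, or one whose children are killed by EDR before they log, still produces the cmd.exe record.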
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
512B
MD5
5042a444706cf1467b6df3f5e68edc68
SHA1
0c424c7ac1264516eae8d674b17e1e26a5c9abb9
SHA256
5b463738d6f681e2b21562b88c04f00755716453fedbbecec0b20f6005ff1543
SHA512
65efe43792022e36a09274f120e01de59ffc8e4ddd3efa6b2a0caf0523bd412514d7bbbace09655c83ca8dcda5febd9cda5e2f9c9a8f83ca8c998bbbf3a2564c