Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 04:11
Static task: static1
Behavioral task: behavioral1
- Sample: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Resource: win10v2004-20240226-en
General
- Target: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Size: 959KB
- MD5: 0ee7386109b1f3596ae62735cf53f6b3
- SHA1: 0a67f0154a003fd06597a28dd2fd3e2f63b333b7
- SHA256: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f
- SHA512: dbc5f19de20129121c3c8ba6d3230198272a150023a7ec896bec14c2d33c6ed49cb6fc5dbb19250674e763a9e3f2f9dad4badffd9fe712a97b1c36c0d1291a73
- SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796L
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  PID   process
  1288  bcdedit.exe
  1340  bcdedit.exe
-
Deletes itself 1 IoCs
Processes:
  PID   process
  3656  cmd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\{56C23BDC-7878-BD5D-1D8E-1D415A882499} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe\""
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only)
  ioc: \??\F:
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Drops file in System32 directory 2 IoCs
Processes:
  description: File created
  ioc: C:\windows\SysWOW64\BCC23C.ico
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe

  description: File created
  ioc: C:\Windows\system32\spool\PRINTERS\00002.SPL
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\905D.tmp.bmp"
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
Processes:
  PID   process
  2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (reported 22 times)
-
Drops file in Program Files directory 64 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID   process
  2144  vssadmin.exe
-
Modifies Control Panel 2 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "2"
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\TileWallpaper = "0"
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Modifies registry class 3 IoCs
Processes:
  description: Key created
  ioc: \Registry\Machine\Software\Classes\.lockbit
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe

  description: Key created
  ioc: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\BCC23C.ico"
  process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   process
  2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (reported 64 times)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
  description                            PID   process
  Token: SeTakeOwnershipPrivilege        2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  Token: SeDebugPrivilege                2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  Token: SeBackupPrivilege               1008  vssvc.exe
  Token: SeRestorePrivilege              1008  vssvc.exe
  Token: SeAuditPrivilege                1008  vssvc.exe
  Token: SeIncreaseQuotaPrivilege        2620  WMIC.exe
  Token: SeSecurityPrivilege             2620  WMIC.exe
  Token: SeTakeOwnershipPrivilege        2620  WMIC.exe
  Token: SeLoadDriverPrivilege           2620  WMIC.exe
  Token: SeSystemProfilePrivilege        2620  WMIC.exe
  Token: SeSystemtimePrivilege           2620  WMIC.exe
  Token: SeProfSingleProcessPrivilege    2620  WMIC.exe
  Token: SeIncBasePriorityPrivilege      2620  WMIC.exe
  Token: SeCreatePagefilePrivilege       2620  WMIC.exe
  Token: SeBackupPrivilege               2620  WMIC.exe
  Token: SeRestorePrivilege              2620  WMIC.exe
  Token: SeShutdownPrivilege             2620  WMIC.exe
  Token: SeDebugPrivilege                2620  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    2620  WMIC.exe
  Token: SeRemoteShutdownPrivilege       2620  WMIC.exe
  Token: SeUndockPrivilege               2620  WMIC.exe
  Token: SeManageVolumePrivilege         2620  WMIC.exe
  Token: 33                              2620  WMIC.exe
  Token: 34                              2620  WMIC.exe
  Token: 35                              2620  WMIC.exe
  (each WMIC.exe token entry is reported twice in the original table)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
  description                     PID   process                                                                  target process      count
  PID 2536 wrote to memory of 1784  2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe  cmd.exe             4
  PID 1784 wrote to memory of 2144  1784  cmd.exe                                                                  vssadmin.exe        3
  PID 1784 wrote to memory of 2620  1784  cmd.exe                                                                  WMIC.exe            3
  PID 1784 wrote to memory of 1288  1784  cmd.exe                                                                  bcdedit.exe         3
  PID 1784 wrote to memory of 1340  1784  cmd.exe                                                                  bcdedit.exe         3
  PID 2536 wrote to memory of 3656  2536  54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe  cmd.exe             4
  PID 3656 wrote to memory of 2472  3656  cmd.exe                                                                  PING.EXE            4
  PID 3656 wrote to memory of 3624  3656  cmd.exe                                                                  fsutil.exe          4
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
command line: "C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe"
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2536

    C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 1784

        C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 2144

        C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 2620

        C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 1288

        C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 1340

    C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 3656

        C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.7 -n 3
        - Runs ping.exe
        PID: 2472

        C:\Windows\SysWOW64\fsutil.exe
        command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe"
        PID: 3624

C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 1008
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
- MD5: fee3826b41e2c13e3d9b85eeacfa97f0
- SHA1: 8a8a44207a305df97214e1cd3c1315ae03a54f30
- SHA256: 1aec003eabbcfde978b6d6a8a0a47cd4d0d7f70bd8bb93b46a19bda9b9489699
- SHA512: 7981bc3e54f5a59b7db23d467685b91c77804c6872139e6e5ffa0120c95e9fc7599711449c8acdf2afff132cd9dd1b81fb9acabd3561f374ab277ff3e91bb904