Analysis
- max time kernel: 82s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-03-2024 04:11
Static task: static1
Behavioral task: behavioral1
- Sample: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Resource: win10v2004-20240226-en
General
- Target: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Size: 959KB
- MD5: 0ee7386109b1f3596ae62735cf53f6b3
- SHA1: 0a67f0154a003fd06597a28dd2fd3e2f63b333b7
- SHA256: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f
- SHA512: dbc5f19de20129121c3c8ba6d3230198272a150023a7ec896bec14c2d33c6ed49cb6fc5dbb19250674e763a9e3f2f9dad4badffd9fe712a97b1c36c0d1291a73
- SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796L
Malware Config
Extracted from C:\Program Files\dotnet\Restore-My-Files.txt:
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe (PID 2428), bcdedit.exe (PID 3276)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{56C23BDC-7878-BD5D-1D8E-1D415A882499} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe\""
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  File opened (read-only): \??\F:
- Drops file in System32 directory (1 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  File created: C:\windows\SysWOW64\BCC23C.ico
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (PID 2216), 16 occurrences
- Drops file in Program Files directory (64 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 4188)
- Modifies registry class (3 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
  Key created: \Registry\Machine\Software\Classes\.lockbit
  Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\BCC23C.ico"
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (PID 2216), 14 occurrences
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (PID 2216), vssvc.exe (PID 4132), WMIC.exe (PID 1904)
  Token (PID 2216, 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe): SeTakeOwnershipPrivilege, SeDebugPrivilege
  Token (PID 4132, vssvc.exe): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Token (PID 1904, WMIC.exe; the same set is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe, cmd.exe
  PID 2216 (54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe) wrote to memory of PID 3788 (cmd.exe), recorded twice
  PID 3788 (cmd.exe) wrote to memory of PID 4188 (vssadmin.exe), recorded twice
  PID 3788 (cmd.exe) wrote to memory of PID 1904 (WMIC.exe), recorded twice
  PID 3788 (cmd.exe) wrote to memory of PID 2428 (bcdedit.exe), recorded twice
  PID 3788 (cmd.exe) wrote to memory of PID 3276 (bcdedit.exe), recorded twice
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe (PID 2216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Enumerates connected drives; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3788)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 4188)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1904)
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe (PID 2428)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe (PID 3276)
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 644)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\vssvc.exe (PID 4132)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 224)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Downloads
- Filesize: 512B
  MD5: aed5d483714bf584e52d3c7fa059fe9f
  SHA1: d536b214f7eb55c72142d0f4e353d12a98a4f777
  SHA256: 693171a7522e4b87ab71982b328044facfd0de4b2ed64a9bf622870814c5a53c
  SHA512: e7a165dc45fa054318683de54eb1a8c4f9c2f5d703d89f693a27884305ed21250b9246ef50bb1de0d2fad7cafdf57e3d7f4cadc4859b40a910faa0d9522fdf20