Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:15
Static task: static1
Behavioral task: behavioral1
  Sample: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
  Resource: win10v2004-20240226-en
General
Target: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
Size: 959KB
MD5: de7842054652843bb0ad6b22b5d027ac
SHA1: 40c64082e19e9fff71ca827325b16f6a724afb8a
SHA256: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433
SHA512: 461639bc7ad84ffaa91585664d726a75cb5e7eb383b74d19547269f1f4f7126265650410fd7cd5ad248be43d91769ef79083b4f05baa84805773c101ba8983c1
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdyF:Ujrc2So1Ff+B3k7960
Malware Config
Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
URLs in the ransom note:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Setting recoveryenabled to no and bootstatuspolicy to ignoreallfailures (the two bcdedit invocations in the process tree) turns off automatic startup repair, so a host left unbootable by the encryption run will not fall back into the Windows Recovery Environment.
Processes:
  pid   process
  2720  bcdedit.exe
  2688  bcdedit.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{01941949-AFAF-1ED7-3EE1-3E0527C78F12} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe\""
  process: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only)
  ioc: \??\F:
  process: 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
Drops file in System32 directory (2 IoCs)
The .ico is the icon referenced by the .lockbit DefaultIcon value under "Modifies registry class"; 00002.SPL in the spool\PRINTERS directory is a spooled print job.
Processes (all by 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe):
  File created  C:\windows\SysWOW64\F1941B.ico
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL
Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
Processes:
  pid   process
  2032  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe  (21 events)
Drops file in Program Files directory (64 IoCs)
Processes (all by 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe):
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\angles.thmx
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir19f.gif
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionprovider.exsd
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar
  File opened for modification  C:\program files\java\jre7\lib\zi\pacific\norfolk
  File opened for modification  C:\program files\windows sidebar\gadgets\weather.gadget\images\docked_black_moon-first-quarter_partly-cloudy.png
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0106146.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0107090.wmf
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\modern_dot.png
  File opened for modification  C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\can129.hsp
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\fd02075_.wmf
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\so02617_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\wb01734_.gif
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\theme colors\aspect.xml
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\config\modules\org-netbeans-modules-profiler-api.xml
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\dd01628_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0297759.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0386270.jpg
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\whirl2.wmf
  File created                  C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\graycheck\Restore-My-Files.txt
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\foldproj.xml
  File opened for modification  C:\program files\java\jre7\lib\zi\europe\chisinau
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\fd02161_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\office14\autoshap\bd18243_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\fd02097_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\fincl_02.mid
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0290548.wmf
  File opened for modification  C:\program files\java\jdk1.7.0_80\db\lib\derbylocale_ko_kr.jar
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\gmt+3
  File created                  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\Restore-My-Files.txt
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar
  File opened for modification  C:\program files (x86)\adobe\reader 9.0\reader\pmd.cer
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\explr_01.mid
  File opened for modification  C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\formsstyles\sts2.css
  File opened for modification  C:\program files (x86)\microsoft office\templates\1033\urbanmergefax.dotx
  File created                  C:\program files\microsoft games\purble place\en-us\Restore-My-Files.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0107528.wmf
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\es-es\slideshow.html
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\currency.gadget\en-us\js\init.js
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\de-de\calendar.html
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\en-us\settings.html
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\boa_vista
  File opened for modification  C:\program files\java\jre7\lib\images\cursors\win32_linknodrop32x32.gif
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0107458.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\cagcat10\j0157995.wmf
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\curl.png
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\stacking\navigationup_selectionsubpicture.png
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0215070.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\cagcat10\j0293240.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\dgdots.xml
  File opened for modification  C:\program files\dvd maker\shared\filters.xml
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar
  File opened for modification  C:\program files (x86)\microsoft office\office14\borders\msart10.bdr
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar
  File opened for modification  C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\visualbasic\1033\module.zip
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\oldage\navigationleft_selectionsubpicture.png
  File opened for modification  C:\program files\dvd maker\shared\dvdstyles\pets\pets_btn-back-over-select.png
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0281008.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.jp.xml
  File opened for modification  C:\program files (x86)\microsoft office\office14\pagesize\pglbl102.xml
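The IoC list above shows the two file-system behaviours that ransomware detections usually key on: the same note file name (Restore-My-Files.txt) created in directory after directory, and files of unrelated types rewritten across many directories by a single process. The following Python is an added example, not sandbox output or code from the sample: FILE_EVENTS is a constructed subset of the (action, path) pairs listed above, summarize folds them into counters, and is_ransomware_like applies thresholds that are illustrative assumptions for this short sample, not tuned values.

```python
"""File-activity heuristics over the 'Drops file in Program Files directory' IoCs.

Added example, not part of the sandbox report. FILE_EVENTS is a constructed subset
of the (action, path) pairs listed above; the thresholds in is_ransomware_like are
illustrative assumptions for this short sample, not tuned values.
"""
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE_NAME = "Restore-My-Files.txt"  # note file name seen in this report

# Constructed subset of the report's file IoCs: (sandbox action, path).
FILE_EVENTS = [
    ("File opened for modification", r"C:\program files (x86)\microsoft office\document themes 14\angles.thmx"),
    ("File opened for modification", r"C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir19f.gif"),
    ("File opened for modification", r"C:\program files\java\jre7\lib\zi\pacific\norfolk"),
    ("File opened for modification", r"C:\program files (x86)\microsoft office\clipart\pub60cor\j0106146.wmf"),
    ("File opened for modification", r"C:\program files (x86)\microsoft office\clipart\pub60cor\j0107090.wmf"),
    ("File opened for modification", r"C:\program files (x86)\adobe\reader 9.0\reader\pmd.cer"),
    ("File opened for modification", r"C:\program files (x86)\windows sidebar\gadgets\currency.gadget\en-us\js\init.js"),
    ("File created", r"C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\graycheck\Restore-My-Files.txt"),
    ("File created", r"C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\Restore-My-Files.txt"),
    ("File created", r"C:\program files\microsoft games\purble place\en-us\Restore-My-Files.txt"),
]


def summarize(events):
    """Fold raw file events into the counters a detection rule thresholds on."""
    note_dirs, modified_dirs, modified_exts = set(), set(), Counter()
    for action, path in events:
        p = PureWindowsPath(path)
        if action == "File created" and p.name.lower() == RANSOM_NOTE_NAME.lower():
            note_dirs.add(str(p.parent).lower())  # one note per walked directory
        elif action == "File opened for modification":
            modified_exts[p.suffix.lower() or "<none>"] += 1
            modified_dirs.add(str(p.parent).lower())
    return {
        "note_dirs": len(note_dirs),
        "modified_files": sum(modified_exts.values()),
        "ext_kinds": len(modified_exts),
        "modified_dirs": len(modified_dirs),
        "top_exts": modified_exts.most_common(3),
    }


def is_ransomware_like(summary, min_note_dirs=2, min_ext_kinds=4, min_dirs=4):
    """Both legs must hold: a note fanned into several directories AND unrelated
    file types rewritten across several directories. An installer or backup agent
    typically trips one leg, not both. Thresholds are illustrative assumptions."""
    reasons = []
    if summary["note_dirs"] >= min_note_dirs:
        reasons.append(f"same file name created in {summary['note_dirs']} directories")
    if summary["ext_kinds"] >= min_ext_kinds and summary["modified_dirs"] >= min_dirs:
        reasons.append(f"{summary['modified_files']} files of {summary['ext_kinds']} types "
                       f"modified across {summary['modified_dirs']} directories")
    return len(reasons) == 2, reasons


if __name__ == "__main__":
    s = summarize(FILE_EVENTS)
    verdict, why = is_ransomware_like(s)
    print("ransomware-like" if verdict else "no verdict", why, s["top_exts"])
```

On real telemetry the counters would be kept per process and per time window; the point of requiring both legs is that a single leg (many files of one type in one directory, as a log rotator or installer produces) should not fire on its own.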
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1916  2032        WerFault.exe  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1452  vssadmin.exe
Modifies registry class (3 IoCs)
Registering a DefaultIcon for the .lockbit file class makes Explorer show the icon dropped in SysWOW64 for files carrying that extension.
Processes (all by 7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe):
  Key created      \Registry\Machine\Software\Classes\.lockbit
  Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\F1941B.ico"
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes:
  pid   process
  2032  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe  (42 events)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
  pid   process                                                                 Token (privilege adjusted)
  2032  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe    SeTakeOwnershipPrivilege, SeDebugPrivilege
  1864  vssvc.exe                                                               SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2496  WMIC.exe                                                                SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 was recorded twice; 33, 34 and 35 are the numeric privilege LUIDs for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  pid   process                                                                 target pid  target process  events
  2032  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe    2228        cmd.exe         4
  2228  cmd.exe                                                                 1452        vssadmin.exe    3
  2228  cmd.exe                                                                 2496        WMIC.exe        3
  2228  cmd.exe                                                                 2720        bcdedit.exe     3
  2228  cmd.exe                                                                 2688        bcdedit.exe     3
  2032  7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe    1916        WerFault.exe    4
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe  (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe"
  Signatures:
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2228, child of 2032)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    Signatures:
      - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe  (PID 1452, child of 2228)
      Command line: vssadmin delete shadows /all /quiet
      Signatures:
        - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2496, child of 2228)
      Command line: wmic shadowcopy delete
      Signatures:
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe  (PID 2720, child of 2228)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures:
        - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe  (PID 2688, child of 2228)
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures:
        - Modifies boot configuration data using bcdedit

  C:\Windows\SysWOW64\WerFault.exe  (PID 1916, child of 2032)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 2512
    Signatures:
      - Program crash

C:\Windows\system32\vssvc.exe  (PID 1864)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
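The process tree above carries the whole recovery-inhibition chain in one cmd.exe command line, and the Run key and .lockbit class registrations in the signatures are its persistence and extension-handler side effects. The following Python is an added triage example, not sandbox output or code from the sample: it models Sysmon-style process-creation and registry events as plain dicts (the field names and the event records are constructed; the command lines and registry paths are copied from the IoCs on this page, with one benign event of each kind added as a control) and runs a small rule set over them. The rule names, the event schema and the two-or-more "chain" threshold are assumptions of this example.

```python
"""Triage rules for the recovery-inhibition and persistence behaviour in this report.

Added example, not sandbox output or sample code. EVENTS are constructed dicts
modelled on Sysmon process-creation (EID 1) and registry (EID 12/13) fields; the
command lines and registry paths are copied from the IoCs above, while the rule
names and the event schema are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Recovery-inhibition commands (ATT&CK T1490). Each is matched on its own so the
# rule still fires when a sample runs them as separate processes instead of
# chaining them through one cmd.exe as seen in this report.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
CLASSES_EXT_RE = re.compile(r"\\Software\\Classes\\(?P<ext>\.[^\\]+)", re.I)
KNOWN_RANSOM_EXTENSIONS = {".lockbit"}  # from the "Modifies registry class" IoCs


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def check_process(ev):
    """Evaluate one process-creation event; returns a list of Finding."""
    cmd = ev.get("command_line", "")
    hits = [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(cmd)]
    findings = [Finding("inhibit_recovery:" + h, ev["pid"], cmd) for h in hits]
    # Two or more distinct recovery-inhibiting commands in one command line is the
    # "cmd /c a & b & c" shape used here; report it separately as high confidence.
    if len(hits) >= 2:
        findings.append(Finding("inhibit_recovery_chain", ev["pid"],
                                f"{len(hits)} techniques in one command line"))
    return findings


def check_registry(ev):
    """Evaluate one registry-set event: Run-key persistence and ransom extension class."""
    findings = []
    target = ev.get("target_object", "")
    data = ev.get("details", "")
    m = RUN_KEY_RE.search(target)
    if m:
        name = m.group("name")
        reasons = []
        if GUID_RE.match(name):
            reasons.append("GUID-style value name")
        if TEMP_DIR_RE.search(data):
            reasons.append("target in AppData\\Local\\Temp")
        if reasons:
            findings.append(Finding("run_key_persistence", ev["pid"], f"{name}: " + ", ".join(reasons)))
    m = CLASSES_EXT_RE.search(target)
    if m and m.group("ext").lower() in KNOWN_RANSOM_EXTENSIONS:
        findings.append(Finding("ransom_extension_class", ev["pid"], m.group("ext")))
    return findings


def triage(events):
    out = []
    for ev in events:
        if ev["type"] == "process":
            out.extend(check_process(ev))
        elif ev["type"] == "registry":
            out.extend(check_registry(ev))
    return out


SAMPLE = "7ba8bebf45f155fcaa7ac341106fd9366051d5999a28ebeabb7acb22f8737433.exe"
EVENTS = [  # constructed records; command lines and registry paths from this report
    {"type": "process", "pid": 2032, "ppid": 1234, "image": SAMPLE,
     "command_line": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'},
    {"type": "process", "pid": 2228, "ppid": 2032, "image": "cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet '
                     '& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy '
                     'ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"type": "process", "pid": 1452, "ppid": 2228, "image": "vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 9999, "ppid": 1, "image": "vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # benign control: listing is not deleting
    {"type": "registry", "pid": 2032,
     "target_object": "HKU\\S-1-5-21-1298544033-3225604241-2703760938-1000\\Software\\Microsoft"
                      "\\Windows\\CurrentVersion\\Run\\{01941949-AFAF-1ED7-3EE1-3E0527C78F12}",
     "details": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'},
    {"type": "registry", "pid": 2032,
     "target_object": "HKLM\\SOFTWARE\\Classes\\.lockbit\\DefaultIcon",
     "details": "C:\\windows\\SysWow64\\F1941B.ico"},
    {"type": "registry", "pid": 500, "target_object": "HKLM\\SOFTWARE\\Classes\\.txt\\DefaultIcon",
     "details": "%SystemRoot%\\system32\\imageres.dll,-102"},  # benign control
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against these events the cmd.exe record yields all four recovery-inhibition hits plus the chain finding, the child vssadmin.exe yields one, and the two registry IoCs yield one each; the two benign controls yield nothing. Matching each command separately matters because the child processes (1452, 2496, 2720, 2688) are what a process-creation log records even when the parent cmd.exe command line is truncated or missing.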
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: 40283d35d4d0cb84a1ead20741eee63c
SHA1: 7511b796f8764957aeb7d99b9cf390affc9f96ef
SHA256: 4e32a30501117ef8adb150adbdd0c41c3110759e4d7a71acf1260f95578d0443
SHA512: 92bbf99fd533a1224d42dab2e7dd3237a4e5024a5a69edcf1d5154adbb3b0f955cc06bb2aea31366181887b36aef813e21150d6ee8f19d8ebebbe33bb688023d