Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 04:14
Static task: static1
Behavioral task: behavioral1
- Sample: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe
- Resource: win10v2004-20240226-en
General
- Target: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe
- Size: 959KB
- MD5: e9cd8c321b68118611a0863b0b91b8f5
- SHA1: dde3509b41639f4ae7383bcd7b1c17db88b667cf
- SHA256: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78
- SHA512: 35fd50ec73ac69aab6c98a1f107c418acaffd9c4c933133064776962520a94d54f796b59558d72ede581e78e405b55c22f7a40d0788244f6d274fe399facacf3
- SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Ujrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 2740: bcdedit.exe
- pid 2516: bcdedit.exe
Deletes itself 1 IoCs
Processes:
- pid 2316: cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6E5E24E4-E8E8-78AC-0E52-0E6D43D0CFEE} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe\"" (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only): \??\F: (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Drops file in System32 directory 2 IoCs
Processes:
- File created: C:\windows\SysWOW64\FB5EDC.ico (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AAC0.tmp.bmp" (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
Processes:
- pid 2128: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe (22 occurrences)
Drops file in Program Files directory 64 IoCs
Processes:
All 64 entries below are attributed to 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe.
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\wb01744_.gif
- File opened for modification: C:\program files (x86)\microsoft office\office14\1033\winword_col.hxt
- File opened for modification: C:\program files\java\jdk1.7.0_80\jre\bin\server\xusage.txt
- File opened for modification: C:\program files\java\jre7\lib\zi\etc\gmt+4
- File opened for modification: C:\program files\microsoft games\minesweeper\es-es\minesweeper.exe.mui
- File opened for modification: C:\program files\microsoft games\hearts\de-de\hearts.exe.mui
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\calendar.gif
- File opened for modification: C:\program files\dvd maker\ja-jp\wmm2clip.dll.mui
- File opened for modification: C:\program files\java\jdk1.7.0_80\jre\lib\sound.properties
- File opened for modification: C:\program files\java\jre7\lib\zi\america\argentina\salta
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0232393.wmf
- File opened for modification: C:\program files (x86)\microsoft office\office14\pagesize\pglbl016.xml
- File opened for modification: C:\program files\java\jre7\lib\zi\america\argentina\san_luis
- File opened for modification: C:\program files\windows sidebar\gadgets\weather.gadget\images\docked_black_moon-waning-gibbous.png
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\en-us\css\flyout.css
- File opened for modification: C:\program files\videolan\vlc\locale\ky\lc_messages\vlc.mo
- File opened for modification: C:\program files\windows sidebar\gadgets\currency.gadget\de-de\currency.html
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0187839.wmf
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0382927.jpg
- File opened for modification: C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\tahiti
- File opened for modification: C:\program files\java\jre7\lib\zi\africa\khartoum
- File opened for modification: C:\program files\java\jre7\lib\zi\systemv\est5
- File opened for modification: C:\program files\java\jre7\lib\zi\cst6cdt
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\novelty_m.png
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\23.png
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\27.png
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\fd02097_.wmf
- File opened for modification: C:\program files (x86)\microsoft office\office14\1033\winword.dev_col.hxc
- File opened for modification: C:\program files (x86)\microsoft office\office14\pubwiz\navbrph2.poc
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0086432.wmf
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0152892.wmf
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\commsincomingimagemasksmall.bmp
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar
- File opened for modification: C:\program files\java\jre7\lib\zi\etc\gmt+8
- File opened for modification: C:\program files\windows sidebar\gadgets\weather.gadget\images\144dpi\(144dpi)redstateicon.png
- File opened for modification: C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir12f.gif
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\clock.gadget\ja-jp\clock.html
- File opened for modification: C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\indiana\vincennes
- File created: C:\program files\videolan\vlc\locale\kn\lc_messages\Restore-My-Files.txt
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0300862.wmf
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\attention.gif
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml
- File opened for modification: C:\program files\windows sidebar\gadgets\weather.gadget\images\17.png
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\customer support.fdt
- File opened for modification: C:\program files\windows sidebar\gadgets\mediacenter.gadget\main.html
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\settings_corner_top_right.png
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0213449.wmf
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms5\formsprinttemplatertl.html
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0148309.jpg
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\j0151061.wmf
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-new.png
- File opened for modification: C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\mazatlan
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_cn.jar
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\background.png
- File opened for modification: C:\program files\dvd maker\shared\dissolveanother.png
- File opened for modification: C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\docked_black_thunderstorm.png
- File opened for modification: C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar
- File opened for modification: C:\program files\java\jre7\lib\zi\systemv\cst6
- File opened for modification: C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\rtf_bullets.gif
- File opened for modification: C:\program files (x86)\microsoft office\clipart\pub60cor\so01560_.wmf
- File opened for modification: C:\program files (x86)\microsoft office\clipart\publisher\backgrounds\wb00760l.gif
- File opened for modification: C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\brightorange\button.gif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 2480: vssadmin.exe
Modifies Control Panel 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "2" (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\TileWallpaper = "0" (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Modifies registry class 3 IoCs
Processes:
- Key created: \Registry\Machine\Software\Classes\.lockbit (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
- Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\FB5EDC.ico" (process: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe)
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
- pid 2128: 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe (38 occurrences)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
- 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe (pid 2128): Token: SeTakeOwnershipPrivilege, Token: SeDebugPrivilege
- vssvc.exe (pid 1680): Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeAuditPrivilege
- WMIC.exe (pid 2508), the following sequence of 20 token adjustments recorded twice: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 28 IoCs
Processes (source pid, source process, target pid, target process, number of recorded writes):
- PID 2128 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe wrote to memory of 1464 cmd.exe (4 writes)
- PID 1464 cmd.exe wrote to memory of 2480 vssadmin.exe (3 writes)
- PID 1464 cmd.exe wrote to memory of 2508 WMIC.exe (3 writes)
- PID 1464 cmd.exe wrote to memory of 2740 bcdedit.exe (3 writes)
- PID 1464 cmd.exe wrote to memory of 2516 bcdedit.exe (3 writes)
- PID 2128 74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe wrote to memory of 2316 cmd.exe (4 writes)
- PID 2316 cmd.exe wrote to memory of 1856 PING.EXE (4 writes)
- PID 2316 cmd.exe wrote to memory of 2584 fsutil.exe (4 writes)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2128
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 1464
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2480
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 2508
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 2740
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 2516
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2316
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe
      PID: 1856
    - C:\Windows\SysWOW64\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\74437ac6c9f630c52c7e230d57d38c4cbc3affb3bec9215f090a0e3dca8e9d78.exe"
      PID: 2584
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
- MD5: 35e4e948e3d561ef22e375b7a93a751c
- SHA1: 172f06ea0822279e7c172c71dbe7d8283023a301
- SHA256: 6f58bc544d6eff7cf0e621494d4f79e789f035a99fdb0958078c6aee27d6de12
- SHA512: 4a5cdaa190855311f32b379f2fdf7b3adc8ebf4fc3982ed935aaadd84a833de693ee633379af2aa4247946889582ae3f8c4c508df75bb6e06c07c7838312fc82