Analysis
max time kernel: 74s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:20
Static task: static1
Behavioral task: behavioral1
  Sample: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  Resource: win10v2004-20240226-en
General
Target: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
Size: 959KB
MD5: 1e9e399b7a31cc85062cb039bae72a44
SHA1: 3702b81069cbb9251be59f85d25c54b55443ae72
SHA256: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
SHA512: edf2c5cc11d564b40850e1741eec8477d90e55304d1bc08646c826f100877ae71057e8fbd4b1df164d67e891c826f30be1127d7d9a8dced09dafad7693031a9a
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796n
Malware Config
Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
URLs in the ransom note:
  http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  https://bigblog.at
  http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  https://decoding.at
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  PID 440  bcdedit.exe
  PID 844  bcdedit.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{18F5C893-A5A5-D946-503F-504D77C27140} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe\""
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  File opened (read-only)  \??\F:
Drops file in System32 directory (1 IoC)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  File created  C:\windows\SysWOW64\83F567.ico
Suspicious use of NtSetInformationThreadHideFromDebugger (22 IoCs)
Processes:
  PID 1100  b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe (22 events)
Drops file in Program Files directory (64 IoCs)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe (all 64 events)
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\flap.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0187839.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0239191.wmf
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-swing-tabcontrol.xml
  File opened for modification  C:\program files\java\jre7\lib\zi\pacific\guadalcanal
  File created                  C:\program files (x86)\adobe\reader 9.0\reader\optional\Restore-My-Files.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\an04174_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\so00476_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\cagcat10\j0301480.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\projectstatusiconsmask.bmp
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\dgwebref.xml
  File opened for modification  C:\program files (x86)\microsoft visual studio 8\common7\ide\vsta\itemtemplates\csharp\1033\form.zip
  File opened for modification  C:\program files\java\jre7\lib\cmm\srgb.pf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\dd01157_.wmf
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html
  File opened for modification  C:\program files (x86)\microsoft office\media\office14\lines\bd14711_.gif
  File opened for modification  C:\program files (x86)\microsoft office\office14\pagesize\pglbl083.xml
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\fr-fr\clock.html
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\clock.gadget\fr-fr\js\clock.js
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\so00257_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\theme effects\origin.eftx
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\jayapura
  File created                  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\meta-inf\Restore-My-Files.txt
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar
  File created                  C:\program files\videolan\vlc\lua\http\css\Restore-My-Files.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\ph02503u.bmp
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\tallinn
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\an04355_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\ph00780u.bmp
  File opened for modification  C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\brightyellow\tab_on.gif
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_thunderstorm.png
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir41f.gif
  File opened for modification  C:\program files\java\jre7\lib\zi\asia\ashgabat
  File opened for modification  C:\program files\videolan\vlc\locale\kn\lc_messages\vlc.mo
  File opened for modification  C:\program files\windows sidebar\gadgets\slideshow.gadget\fr-fr\gadget.xml
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\sts2\tab_on.gif
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\powerpnt.dev.hxs
  File opened for modification  C:\program files (x86)\microsoft office\office14\pagesize\pgmn002.xml
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\settings_right_pressed.png
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\indian\chagos
  File created                  C:\program files\java\jdk1.7.0_80\jre\lib\zi\indian\Restore-My-Files.txt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\bs00076_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\so00668_.wmf
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir29f.gif
  File opened for modification  C:\program files\java\jre7\lib\images\cursors\win32_movenodrop32x32.gif
  File opened for modification  C:\program files\windows sidebar\gadgets\weather.gadget\es-es\weather.html
  File opened for modification  C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir4b.gif
  File opened for modification  C:\program files\windows sidebar\gadgets\clock.gadget\images\settings_right_hover.png
  File opened for modification  C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\alertimage_off.jpg
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\marquee.poc
  File opened for modification  C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\program files (x86)\microsoft office\office14\pagesize\pglbl102.xml
  File opened for modification  C:\program files (x86)\microsoft office\office14\pubwiz\dgdots.dpv
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\es-es\js\settings.js
  File opened for modification  C:\program files\java\jdk1.7.0_80\jre\lib\zi\pst8pdt
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0099151.wmf
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0099153.wmf
  File opened for modification  C:\program files (x86)\microsoft office\media\office14\bullets\bd21376_.gif
  File opened for modification  C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\en-us\js\settings.js
  File opened for modification  C:\program files\videolan\vlc\locale\bn_in\lc_messages\vlc.mo
  File opened for modification  C:\program files (x86)\adobe\reader 9.0\reader\tracker\pdf.gif
  File opened for modification  C:\program files (x86)\microsoft office\clipart\pub60cor\j0199473.wmf
  File opened for modification  C:\program files (x86)\microsoft office\document themes 14\theme effects\flow.eftx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 1944  vssadmin.exe
Modifies registry class (3 IoCs)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\83F567.ico"
  Key created      \Registry\Machine\Software\Classes\.lockbit
  Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon
Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PID 3476  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 1100  b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe (64 events)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe, vssvc.exe, WMIC.exe
  PID 1100  b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
    Token: SeTakeOwnershipPrivilege, SeDebugPrivilege
  PID 2312  vssvc.exe
    Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 1736  WMIC.exe (the following set was adjusted twice, 40 events)
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (privilege LUIDs the sandbox did not resolve to names)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe, cmd.exe
  PID 1100 (b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe) wrote to memory of PID 1480 (cmd.exe)  x4
  PID 1480 (cmd.exe) wrote to memory of PID 1944 (vssadmin.exe)  x3
  PID 1480 (cmd.exe) wrote to memory of PID 1736 (WMIC.exe)  x3
  PID 1480 (cmd.exe) wrote to memory of PID 440 (bcdedit.exe)  x3
  PID 1480 (cmd.exe) wrote to memory of PID 844 (bcdedit.exe)  x3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe  (PID 1100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 1480)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe  (PID 1944)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1736)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe  (PID 440)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe  (PID 844)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

  C:\Windows\SysWOW64\cmd.exe  (PID 3516)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe"

    C:\Windows\SysWOW64\PING.EXE  (PID 3476)
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe

    C:\Windows\SysWOW64\fsutil.exe  (PID 3508)
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe"

C:\Windows\system32\vssvc.exe  (PID 2312)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
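The process tree is the part of this report that turns directly into detection logic: one cmd.exe wrapper that deletes shadow copies and disables boot recovery, and a second one that zeroes the first 512 KB of the dropper and deletes it. The following is an added example, not part of the sandbox output or of the sample's own code. It runs command-line and registry rules over records constructed to mirror the tree and the registry IoCs above; the field names (pid, ppid, image, cmdline, key, value) and the parent of the top-level sample are assumptions for the example, not a sandbox schema.

```python
import re

# Sample path from the report. Everything in PROCESS_EVENTS / REGISTRY_EVENTS
# is constructed to mirror the report's process tree and registry IoCs.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe")

# Field names are an assumption for this example; map your own telemetry onto them.
PROCESS_EVENTS = [
    {"pid": 1100, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1480, "ppid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
                r' & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy'
                r' ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 1944, "ppid": 1480, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1736, "ppid": 1480, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 440, "ppid": 1480, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 844, "ppid": 1480, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    # 32-bit sample: the requested System32\cmd.exe is redirected to SysWOW64.
    {"pid": 3516, "ppid": 1100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                rf' & fsutil file setZeroData offset=0 length=524288 "{SAMPLE}"'
                rf' & Del /f /q "{SAMPLE}"'},
    {"pid": 3476, "ppid": 3516, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.7 -n 3"},
    {"pid": 3508, "ppid": 3516, "image": r"C:\Windows\SysWOW64\fsutil.exe",
     "cmdline": rf'fsutil file setZeroData offset=0 length=524288 "{SAMPLE}"'},
]
REGISTRY_EVENTS = [
    {"pid": 1100, "value": f'"{SAMPLE}"',
     "key": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run"
            r"\{18F5C893-A5A5-D946-503F-504D77C27140}"},
    {"pid": 1100, "value": r"C:\windows\SysWow64\83F567.ico",
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.lockbit\\DefaultIcon\\"},
]

# Match on the command line, not the image path, so the cmd.exe wrapper (PID 1480)
# is caught as well as each child it spawns.
RULES = [
    ("shadow copies deleted via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s.*\bdelete\s+shadows\b", re.I)),
    ("shadow copies deleted via wmic",
     re.compile(r"wmic(\.exe)?\s.*\bshadowcopy\s+delete\b", re.I)),
    ("boot recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b", re.I)),
    ("boot status policy set to ignoreallfailures",
     re.compile(r"bcdedit(\.exe)?\s.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("file contents zeroed via fsutil setZeroData",
     re.compile(r"fsutil(\.exe)?\s+file\s+setzerodata\b", re.I)),
]
WIPE_TARGET = re.compile(r'setzerodata[^"]*"([^"]+)"', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(\{[0-9A-F-]{36}\})$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXT_ICON = re.compile(r"\\Classes\\(\.[^\\]+)\\DefaultIcon\\?$", re.I)
SYSTEM_ICO = re.compile(r"^C:\\windows\\(system32|syswow64)\\[0-9a-f]+\.ico$", re.I)


def classify(events):
    """Tag every process event whose command line matches a rule: (pid, tag)."""
    return [(ev["pid"], tag) for ev in events
            for tag, rx in RULES if rx.search(ev["cmdline"])]


def find_self_deletion(events):
    """Pair each fsutil setZeroData target with the ancestor whose image it is.
    The trailing `del` is a cmd builtin and never appears as a process, so the
    zeroed header is the only process-level trace of the dropper erasing itself."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        m = WIPE_TARGET.search(ev["cmdline"])
        if not m:
            continue
        target, ppid = m.group(1).lower(), ev["ppid"]
        while ppid in by_pid:  # walk up; stops at the root (ppid None)
            parent = by_pid[ppid]
            if parent["image"].lower() == target:
                hits.append((ev["pid"], parent["pid"]))
                break
            ppid = parent["ppid"]
    return hits


def check_registry(events):
    """Flag a GUID-named Run value into %TEMP% and a DefaultIcon for a new
    extension that points at an .ico in a system directory."""
    out = []
    for ev in events:
        m = RUN_KEY.search(ev["key"])
        if m and TEMP_DIR.search(ev["value"]):
            out.append((ev["pid"], f"Run value {m.group(1)} points into %TEMP%"))
        m = EXT_ICON.search(ev["key"])
        if m and SYSTEM_ICO.match(ev["value"]):
            out.append((ev["pid"], f"DefaultIcon for new extension {m.group(1)} in a system dir"))
    return out


if __name__ == "__main__":
    findings = classify(PROCESS_EVENTS) + check_registry(REGISTRY_EVENTS)
    findings += [(c, f"self-deletion of PID {p}") for c, p in find_self_deletion(PROCESS_EVENTS)]
    for pid, tag in findings:
        print(f"PID {pid:>5}: {tag}")
```

Two caveats the tree itself shows. The second cmd.exe was requested as C:\Windows\System32\cmd.exe but ran as C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection for a 32-bit caller, so rules keyed on the image path alone split into two cases; matching the command line avoids that. And the `Del /f /q` never shows up as a child process, so a rule that only looks for deletion of the spawning executable will miss this chain; the fsutil setZeroData on the parent's own image is the observable step.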
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: f637250bab48a35b5c30eb0bcecd6d3a
SHA1: e8917f3538abeb5cb6e19c8e09d82fed1dd8bbff
SHA256: 6d63f064ddd2ecf1094cbedc8842c2bd97ba2dab1ddb6a5ff5bcb5b9da9b4630
SHA512: 2902d3511a70c1254b6b1d4f2b66b91bb208289b4d40da18f077b2098c07b634682efb7826f66e767fa5d428870319464191d29c143738aa14c177662d55e32c