Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26/03/2024, 11:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe
Resource
win7-20231129-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
18 signatures
150 seconds
General
-
Target
19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe
-
Size
148KB
-
MD5
64fc181e2dead2367f1c04ab9261e84d
-
SHA1
acea0a849bb13ea7254639612dc73271f90caddb
-
SHA256
19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708
-
SHA512
d43feb42582460e4fd9af0231e746ea2d05d579d2b2669550240b740e57b05f3fb3f3c751f940c0483d09c8960dd3c087ac075b5ab75b109c7e674ac0f44db8d
-
SSDEEP
3072:ym0ROZIL87L1yoklfzGp3XjRaDRMqqD/A6lHlC:ypMCL8rpHjRaOqqD/RjC
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
1) Through a standard browser(FireFox, Chrome, Edge, Opera)
| 1. Open link http://lockbit-decryptor.com/?BD61F8CA9173670ADB51210091D94032
| 2. Follow the instructions on this page
2) Through a Tor Browser - recommended
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ADB51210091D94032
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbit-decryptor.com/?BD61F8CA9173670ADB51210091D94032
http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ADB51210091D94032
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2928 bcdedit.exe 2452 bcdedit.exe -
Renames multiple (9357) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2908 wbadmin.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe\"" 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Premium.css.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Lima.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241037.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\Restore-My-Files.txt 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Restore-My-Files.txt 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.DPV.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105378.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_OFF.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\Restore-My-Files.txt 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02886_.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png.lockbit 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2512 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe Token: SeDebugPrivilege 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe Token: SeBackupPrivilege 2920 vssvc.exe Token: SeRestorePrivilege 2920 vssvc.exe Token: SeAuditPrivilege 2920 vssvc.exe Token: SeIncreaseQuotaPrivilege 2308 WMIC.exe Token: SeSecurityPrivilege 2308 WMIC.exe Token: SeTakeOwnershipPrivilege 2308 WMIC.exe Token: SeLoadDriverPrivilege 2308 WMIC.exe Token: SeSystemProfilePrivilege 2308 WMIC.exe Token: SeSystemtimePrivilege 2308 WMIC.exe Token: SeProfSingleProcessPrivilege 2308 WMIC.exe Token: SeIncBasePriorityPrivilege 2308 WMIC.exe Token: SeCreatePagefilePrivilege 2308 WMIC.exe Token: SeBackupPrivilege 2308 WMIC.exe Token: SeRestorePrivilege 2308 WMIC.exe Token: SeShutdownPrivilege 2308 WMIC.exe Token: SeDebugPrivilege 2308 WMIC.exe Token: SeSystemEnvironmentPrivilege 2308 WMIC.exe Token: SeRemoteShutdownPrivilege 2308 WMIC.exe Token: SeUndockPrivilege 2308 WMIC.exe Token: SeManageVolumePrivilege 2308 WMIC.exe Token: 33 2308 WMIC.exe Token: 34 2308 WMIC.exe Token: 35 2308 WMIC.exe Token: SeIncreaseQuotaPrivilege 2308 WMIC.exe Token: SeSecurityPrivilege 2308 WMIC.exe Token: SeTakeOwnershipPrivilege 2308 WMIC.exe Token: SeLoadDriverPrivilege 2308 WMIC.exe Token: SeSystemProfilePrivilege 2308 WMIC.exe Token: SeSystemtimePrivilege 2308 WMIC.exe Token: SeProfSingleProcessPrivilege 2308 WMIC.exe Token: SeIncBasePriorityPrivilege 2308 WMIC.exe Token: SeCreatePagefilePrivilege 2308 WMIC.exe Token: SeBackupPrivilege 2308 WMIC.exe Token: SeRestorePrivilege 2308 WMIC.exe Token: SeShutdownPrivilege 2308 WMIC.exe Token: SeDebugPrivilege 2308 WMIC.exe Token: SeSystemEnvironmentPrivilege 2308 WMIC.exe Token: SeRemoteShutdownPrivilege 2308 WMIC.exe Token: SeUndockPrivilege 2308 WMIC.exe Token: SeManageVolumePrivilege 2308 WMIC.exe Token: 33 2308 WMIC.exe Token: 34 2308 WMIC.exe Token: 35 2308 WMIC.exe Token: SeBackupPrivilege 2224 wbengine.exe Token: SeRestorePrivilege 2224 wbengine.exe Token: SeSecurityPrivilege 2224 wbengine.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2004 wrote to memory of 2128 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 29 PID 2004 wrote to memory of 2128 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 29 PID 2004 wrote to memory of 2128 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 29 PID 2004 wrote to memory of 2128 2004 19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe 29 PID 2128 wrote to memory of 2512 2128 cmd.exe 31 PID 2128 wrote to memory of 2512 2128 cmd.exe 31 PID 2128 wrote to memory of 2512 2128 cmd.exe 31 PID 2128 wrote to memory of 2308 2128 cmd.exe 34 PID 2128 wrote to memory of 2308 2128 cmd.exe 34 PID 2128 wrote to memory of 2308 2128 cmd.exe 34 PID 2128 wrote to memory of 2928 2128 cmd.exe 36 PID 2128 wrote to memory of 2928 2128 cmd.exe 36 PID 2128 wrote to memory of 2928 2128 cmd.exe 36 PID 2128 wrote to memory of 2452 2128 cmd.exe 37 PID 2128 wrote to memory of 2452 2128 cmd.exe 37 PID 2128 wrote to memory of 2452 2128 cmd.exe 37 PID 2128 wrote to memory of 2908 2128 cmd.exe 38 PID 2128 wrote to memory of 2908 2128 cmd.exe 38 PID 2128 wrote to memory of 2908 2128 cmd.exe 38 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe"C:\Users\Admin\AppData\Local\Temp\19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2512
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2928
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2452
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2908
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2416
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2152
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Restore-My-Files.txt1⤵PID:2984
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f1b478a961391aa2151b5fbfc18534e0
SHA1038303f65642479ee028894c96ca390027403822
SHA2563b58ad6888cce6231b3125ce4979cbe0c7e8177c023896a7b8000665f11faf0d
SHA5123712565debdcbd054d0db61663b9769174e4a997dad8b65744807e2fb86c45f735795cb1284e51af4cca1d6891da0191f710a64bc017e097e2cc7d2c06ff5bbf