Analysis
- max time kernel: 122s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Resource: win10v2004-20240412-en
General
- Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Size: 150KB
- MD5: 5761ee98b1c2fea31b5408516a8929ea
- SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
- SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
- SHA512: 9dbf296719bc130bc700db94fd43985c32cb9de3b1867ed7c8666b62e4b9d0826b6df03cb125644c9338118d9caf679bfa1eb55da39f46b94db023bdcd9ff338
- SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/
Malware Config
Extracted from: C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
  Family: lockbit
  URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB019849170FE0737279
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
    pid 1464  bcdedit.exe
    pid 224   bcdedit.exe
- Renames multiple (8415) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes backup catalog (1 IoC)
  Processes:
    pid 2552  wbadmin.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740)
    Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe\""
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740)
    File opened (read-only) \??\F:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740)
    Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4FA6.tmp.bmp"
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes:
    pid 2740  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (all 64 IoCs come from this one process)
- Drops file in Program Files directory (64 IoCs)
  Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740) for every entry below
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK
    File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar
    File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar
    File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\Restore-My-Files.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL048.XML
    File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml
    File opened for modification C:\Program Files\Java\jre7\lib\deploy\splash.gif
    File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF
    File opened for modification C:\Program Files\7-Zip\Lang\cy.txt
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne
    File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01470_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar
    File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\Restore-My-Files.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties
    File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\Restore-My-Files.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF
    File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\Restore-My-Files.txt
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk
    File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui
    File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac
    File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png
    File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Restore-My-Files.txt
    File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Restore-My-Files.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html
    File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\Restore-My-Files.txt
    File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\Restore-My-Files.txt
    File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\Restore-My-Files.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID
    File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01140_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana.css
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid 3648  WerFault.exe  (target pid 2740, 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 2584  vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740)
    Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2"
    Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\TileWallpaper = "0"
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2740  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (pid, image: privileges enabled):
    pid 2740  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
    pid 2580  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    pid 2220  WMIC.exe (the same set is enabled twice, 40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    pid 308   wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (source pid and image -> target pid and image, number of IoCs):
    2740 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe -> 2956 cmd.exe (4)
    2956 cmd.exe -> 2584 vssadmin.exe (3)
    2956 cmd.exe -> 2220 WMIC.exe (3)
    2956 cmd.exe -> 1464 bcdedit.exe (3)
    2956 cmd.exe -> 224 bcdedit.exe (3)
    2956 cmd.exe -> 2552 wbadmin.exe (3)
    2740 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe -> 3636 cmd.exe (4)
    2740 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe -> 3648 WerFault.exe (4)
    3636 cmd.exe -> 3724 PING.EXE (4)
    3636 cmd.exe -> 3772 fsutil.exe (4)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
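The file and registry IoCs in the signatures above are the raw material for host-based detection: the ransom note Restore-My-Files.txt dropped into directory after directory, 8415 renames that append an extension to the original name, and a Run key whose target lives in %TEMP%. The Python below is an added example written for this page, not part of the Triage report and not code from the sample; it turns those three observations into checks and runs them over a constructed event stream. The events, the benign process pid 1200, the placeholder extension ".locked" (the report does not state which extension this sample appends), the thresholds (3 directories, 10 renames inside 5 seconds) and the list of staging directories are all assumptions made for the example.

```python
"""Checks over a constructed file/registry event stream (added example, not report data)."""
from collections import Counter, defaultdict

STAGE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stands in for the hash-named sample
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events, not sandbox output. pid 2740 mirrors the sample; pid 1200 is benign noise.
EVENTS = [
    {"ts": 10.0, "pid": 2740, "op": "create", "path": r"C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt"},
    {"ts": 10.1, "pid": 2740, "op": "create", "path": r"C:\Program Files\7-Zip\Lang\Restore-My-Files.txt"},
    {"ts": 10.2, "pid": 2740, "op": "create", "path": r"C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\Restore-My-Files.txt"},
    {"ts": 10.3, "pid": 2740, "op": "create", "path": r"C:\Users\Admin\Documents\Restore-My-Files.txt"},
    {"ts": 10.5, "pid": 2740, "op": "regset", "key": RUN_KEY + r"\XO1XADpO01", "value": f'"{STAGE}"'},
    {"ts": 12.0, "pid": 1200, "op": "rename", "src": r"C:\Users\Admin\Documents\report.docx",
     "dst": r"C:\Users\Admin\Documents\report-final.docx"},
    {"ts": 12.1, "pid": 1200, "op": "regset", "key": RUN_KEY + r"\Vendor", "value": r"C:\Program Files\Vendor\agent.exe"},
]
# 20 renames inside one second that append ".locked" (placeholder extension, assumed for the example)
EVENTS += [{"ts": 11.0 + i * 0.05, "pid": 2740, "op": "rename",
            "src": rf"C:\Users\Admin\Documents\file{i}.docx",
            "dst": rf"C:\Users\Admin\Documents\file{i}.docx.locked"} for i in range(20)]


def ransom_note_fanout(events, min_dirs=3):
    """{(pid, filename): dir_count} for filenames one pid creates in >= min_dirs distinct directories."""
    seen = defaultdict(lambda: defaultdict(set))  # pid -> lowercase filename -> {lowercase dir}
    for ev in events:
        if ev["op"] == "create":
            directory, name = ev["path"].rsplit("\\", 1)
            seen[ev["pid"]][name.lower()].add(directory.lower())
    return {(pid, name): len(dirs) for pid, names in seen.items()
            for name, dirs in names.items() if len(dirs) >= min_dirs}


def appended_extension(src, dst):
    """Return the suffix when dst is src with one more '.ext' appended, else None."""
    if len(dst) > len(src) + 1 and dst.lower().startswith(src.lower()) and dst[len(src)] == ".":
        return dst[len(src):].lower()
    return None


def rename_bursts(events, window=5.0, threshold=10):
    """{pid: (max extension-appending renames in any `window` seconds, dominant extension)} at or above threshold."""
    per_pid = defaultdict(list)
    for ev in events:
        if ev["op"] == "rename":
            ext = appended_extension(ev["src"], ev["dst"])
            if ext:
                per_pid[ev["pid"]].append((ev["ts"], ext))
    hits = {}
    for pid, items in per_pid.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[pid] = (best, Counter(ext for _, ext in items).most_common(1)[0][0])
    return hits


# Assumption: user-writable staging directories a Run-key target should not normally live in
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def suspicious_run_keys(events):
    """[(pid, key, value)] for Run-key values whose target path is under a staging directory."""
    hits = []
    for ev in events:
        if ev["op"] == "regset" and "\\currentversion\\run\\" in ev["key"].lower():
            target = ev["value"].strip('"').lower()
            if any(d in target for d in STAGING_DIRS):
                hits.append((ev["pid"], ev["key"], ev["value"]))
    return hits


def triage(events):
    """Run all three checks and return their findings keyed by check name."""
    return {"ransom_note_fanout": ransom_note_fanout(events),
            "rename_bursts": rename_bursts(events),
            "suspicious_run_keys": suspicious_run_keys(events)}


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(name, result)
```

The rename check keys on the shape of the new name rather than on a known extension, so it still fires on a variant that appends something other than ".locked"; the note check keys on the same filename appearing across directories, which is what the 64 "File created ... Restore-My-Files.txt" entries above look like from the file-system side.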
Processes
- C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe (pid 2740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
  Signatures: Adds Run key to start application; Enumerates connected drives; Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (pid 2956)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (pid 2584)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe (pid 2220)
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe (pid 2552)
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\SysWOW64\cmd.exe (pid 3636)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (pid 3724)
      Command line: ping 127.0.0.7 -n 3
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\fsutil.exe (pid 3772)
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
  - C:\Windows\SysWOW64\WerFault.exe (pid 3648)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 724
    Signatures: Program crash
- C:\Windows\system32\vssvc.exe (pid 2580)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (pid 308)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
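The two cmd.exe chains in the tree above are the most reusable detection material on this page. The first removes shadow copies two different ways (vssadmin and wmic), tells the boot loader to ignore failures and disable recovery, and wipes the backup catalog. The second waits by pinging a loopback address, zero-fills the first 524288 bytes of the sample with fsutil setZeroData and then deletes it; since the sample is only 150KB, that zero-fill covers the whole file, so nothing useful can be carved from the disk afterwards and the copy submitted to the sandbox (hashes under General above) is the artifact to keep. The Python below is an added example, not from the report and not code from the sample: it splits such command lines on unquoted &, maps each sub-command to a technique, and raises a verdict when enough of them line up. The event records, the shortened path sample.exe, the benign pid 4100 event, the technique names and the reading of ping-to-loopback as a sleep are constructed for the example.

```python
"""Classify cmd.exe command chains of the kind in the process tree above (added example)."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stands in for the hash-named sample

# Constructed process-creation records (Sysmon Event ID 1 style fields), not sandbox output.
# pids 2956 and 3636 mirror the two chains above; pid 4100 is a benign admin check.
EVENTS = [
    {"pid": 2956, "ppid": 2740, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
                r' & wmic shadowcopy delete'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                r' & bcdedit /set {default} recoveryenabled no'
                r' & wbadmin delete catalog -quiet'},
    {"pid": 3636, "ppid": 2740, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                rf' & fsutil file setZeroData offset=0 length=524288 "{SAMPLE}"'
                rf' & Del /f /q "{SAMPLE}"'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'},
]

# technique -> pattern, applied to one sub-command with the cmd.exe prefix removed
RULES = [
    ("shadow_copy_delete",     re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete",     re.compile(r"^wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disabled", re.compile(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_status_ignored",    re.compile(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete",  re.compile(r"^wbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("sleep_via_ping",         re.compile(r"^ping(?:\.exe)?\s+127\.\d+\.\d+\.\d+\s+-n\s+\d+", re.I)),
    ("zero_fill_file",         re.compile(r"^fsutil(?:\.exe)?\s+file\s+setZeroData\b", re.I)),
    ("delete_file",            re.compile(r"^del\s", re.I)),
]
RECOVERY = {"shadow_copy_delete", "boot_recovery_disabled", "boot_status_ignored", "backup_catalog_delete"}
CMD_PREFIX = re.compile(r'^(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/[ck]\s+', re.I)
ZERO_FILL = re.compile(r'setZeroData\s+offset=(\d+)\s+length=(\d+)\s+"?([^"]+?)"?\s*$', re.I)
DEL_TARGET = re.compile(r'^del\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)


def split_chain(cmdline):
    """Split a cmd.exe command line on unquoted '&' and strip the leading cmd.exe /c or /k."""
    parts, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    cmds = [p.strip() for p in parts if p.strip()]
    if cmds:
        cmds[0] = CMD_PREFIX.sub("", cmds[0], count=1)
    return cmds


def classify(cmdline):
    """Return (set of matched techniques, details such as zero-fill range and deleted path)."""
    techniques, details = set(), {}
    for sub in split_chain(cmdline):
        techniques.update(name for name, pat in RULES if pat.search(sub))
        m = ZERO_FILL.search(sub)
        if m:
            details["zero_fill"] = (int(m.group(1)), int(m.group(2)), m.group(3).lower())
        m = DEL_TARGET.search(sub)
        if m:
            details["deleted"] = m.group(1).lower()
    return techniques, details


def zero_fill_covers(offset, length, file_size):
    """True when setZeroData starts at 0 and reaches past the end of the file (nothing left to carve)."""
    return offset == 0 and length >= file_size


def analyze(events, sample_size=150 * 1024):
    """{pid: {"ppid", "techniques", "verdicts"}}; sample_size is the report's rounded 150KB."""
    out = {}
    for ev in events:
        techniques, details = classify(ev["cmdline"])
        verdicts = []
        if len(techniques & RECOVERY) >= 2:  # two independent recovery-inhibition steps in one chain
            verdicts.append("inhibit_recovery")
        if {"sleep_via_ping", "zero_fill_file", "delete_file"} <= techniques:
            zf = details.get("zero_fill")
            if zf and zf[2] == details.get("deleted"):  # the zero-filled file is the one deleted
                verdicts.append("self_delete")
                if zero_fill_covers(zf[0], zf[1], sample_size):
                    verdicts.append("binary_fully_wiped")
        out[ev["pid"]] = {"ppid": ev["ppid"], "techniques": sorted(techniques), "verdicts": verdicts}
    return out


if __name__ == "__main__":
    for pid, result in analyze(EVENTS).items():
        print(pid, result["verdicts"], result["techniques"])
```

Requiring two distinct recovery-inhibition steps before raising inhibit_recovery keeps a lone "vssadmin list shadows" or a single bcdedit change from firing; the self-delete verdict additionally checks that the path handed to fsutil is the same one handed to Del, which is what distinguishes this cleanup from ordinary use of either tool.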
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
  Filesize: 1KB
  MD5: 81fb301f1a22840b8b45d85b6da4d25b
  SHA1: 5bde9588be606bb56c78346bf1d92e991f0ecd26
  SHA256: e62e1af39e08237b91be9e95482d6b66dfc4120105a7221e32ae6d59a690980c
  SHA512: f13abbe33af50f689cd3ce289022b77852a77d888fdc5b0958c1929c9854d4eae5be557fd4194efd6741b8daeebd85a46ab86892904dbc323b70bb794a5c42fd