Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 08:36
Static task: static1
Behavioral task: behavioral1
  Sample: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  Resource: win10v2004-20240426-en
General
Target: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Size: 483KB
MD5: 59c3704795eeb6aed7b31cd2be1ba4a9
SHA1: dbb44d900dee0b00ed2f4f5c472d700811ba3e00
SHA256: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0
SHA512: 1043b98837ed8c6392e9a438ee0cb81461f1cd3a30532c804bd281cdd133dfe7d0291fe5cc1de5b885c76985c499bd28f02a443c9e6a0945574904f145f013fb
SSDEEP: 12288:oCy1uEgiPripqTLYwnGmp3LSrqQmv295hyd58aVe8JauMI:yuEgiriuY2GyLSrFWc5hkTVladI
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
Lockbit
  Ransomware family with multiple variants released since late 2019.
Creates a large amount of network flows 1 TTPs
  This may indicate a network scan to discover remotely running services.
Deletes shadow copies 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
  pid   Process
  828   bcdedit.exe
  1800  bcdedit.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\{12FD2889-BFBF-C0EB-CDE8-CD98ED36D6CF} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe\""
  Process: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Enumerates connected drives 3 TTPs 1 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  description: File opened (read-only)
  ioc: \??\F:
  Process: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Drops file in System32 directory 2 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  description   ioc                                            Process
  File created  C:\windows\SysWOW64\DDFDBB.ico                 bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL   bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  pid   Process
  3016  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe  (21 identical entries)
Drops file in Program Files directory 64 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   Process
  2288  vssadmin.exe
Modifies registry class 3 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  description      ioc                                                                                     Process
  Key created      \Registry\Machine\Software\Classes\.lockbit                                             bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  Key created      \Registry\Machine\Software\Classes\.lockbit\DefaultIcon                                 bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\DDFDBB.ico"  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  pid   Process
  3016  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe  (36 identical entries)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe, vssvc.exe, WMIC.exe
  description (Token)            pid   Process
  SeTakeOwnershipPrivilege       3016  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  SeDebugPrivilege               3016  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe
  SeBackupPrivilege              2980  vssvc.exe
  SeRestorePrivilege             2980  vssvc.exe
  SeAuditPrivilege               2980  vssvc.exe
  SeIncreaseQuotaPrivilege       1880  WMIC.exe
  SeSecurityPrivilege            1880  WMIC.exe
  SeTakeOwnershipPrivilege       1880  WMIC.exe
  SeLoadDriverPrivilege          1880  WMIC.exe
  SeSystemProfilePrivilege       1880  WMIC.exe
  SeSystemtimePrivilege          1880  WMIC.exe
  SeProfSingleProcessPrivilege   1880  WMIC.exe
  SeIncBasePriorityPrivilege     1880  WMIC.exe
  SeCreatePagefilePrivilege      1880  WMIC.exe
  SeBackupPrivilege              1880  WMIC.exe
  SeRestorePrivilege             1880  WMIC.exe
  SeShutdownPrivilege            1880  WMIC.exe
  SeDebugPrivilege               1880  WMIC.exe
  SeSystemEnvironmentPrivilege   1880  WMIC.exe
  SeRemoteShutdownPrivilege      1880  WMIC.exe
  SeUndockPrivilege              1880  WMIC.exe
  SeManageVolumePrivilege        1880  WMIC.exe
  33                             1880  WMIC.exe
  34                             1880  WMIC.exe
  35                             1880  WMIC.exe
  (each of the 20 WMIC.exe token entries above is recorded twice, giving 40 WMIC.exe IoCs)
Suspicious use of WriteProcessMemory 16 IoCs
Processes: bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe, cmd.exe
  description                          pid   Process                                                                 procid_target
  PID 3016 wrote to memory of 2484     3016  bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe  28  (4 identical entries)
  PID 2484 wrote to memory of 2288     2484  cmd.exe                                                                 31  (3 identical entries)
  PID 2484 wrote to memory of 1880     2484  cmd.exe                                                                 34  (3 identical entries)
  PID 2484 wrote to memory of 828      2484  cmd.exe                                                                 36  (3 identical entries)
  PID 2484 wrote to memory of 1800     2484  cmd.exe                                                                 37  (3 identical entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe (PID:3016, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbdf95831d8fff14ce1341b41f8540841137fb05aa1443a1a68966ab1cdfe0f0.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID:2484, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID:2288, level 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe (PID:1880, level 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe (PID:828, level 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe (PID:1800, level 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
C:\Windows\system32\vssvc.exe (PID:2980, level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: 4ce90b5e4d1111a46d482a7f9b0af870
SHA1: 09ce57a70a5378e1665352459deadb21dde84e74
SHA256: e26c07496070b7f549d69ba0aaf9ac8cbdc6c0240c2fcbf8bd9fcf60e47eea51
SHA512: 9aca8652f57b5d58daed500fe2ee62ddd8df4a7ccf7aa28be6c5ab99176fe7bb9d9e37f90f020d62b3f777e30969992f51f93fc7cb93496045ce1c76cf895a61