Analysis
max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
31-05-2024 14:35
Static task
static1
Behavioral task
behavioral1
Sample
1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Resource
win10v2004-20240226-en
General
Target
1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Size
1.1MB
MD5
79cc0d4a5a23d9775ba0971c6527f615
SHA1
ce57b67d89440b8a942a445532daa8fb121220ef
SHA256
1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016
SHA512
99ed7e7ab55ad66e86cd47b7c9868c6af584ef5e00ce524f83bf7ac13aecf9af72eaa6bd8c43001d77b296aa4d28797f2cb0d50bc313ac40844503cc1e45e412
SSDEEP
24576:zMs9TCjY3FV/3qdJDxOBu4nLesI+m6S9AIRl8Ma1KpHcJPJutmWTHgQ4gC:zMu/qX1OBu4nysI/P9Tlm17PktmWDg5v
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
pid | Process
1504 | bcdedit.exe
2584 | bcdedit.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{00CD9EDF-1C1C-E787-A34E-A30657F12DD7} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe\"" | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
description | ioc | Process
File opened (read-only) | \??\F: | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Drops file in System32 directory 1 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
description | ioc | Process
File created | C:\windows\SysWOW64\BDCDC5.ico | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
pid | Process
2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe (21 identical rows)
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
2256 | 2088 | WerFault.exe | 27
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | Process
1376 | vssadmin.exe
Modifies registry class 3 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
description | ioc | Process
Key created | \Registry\Machine\Software\Classes\.lockbit | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Key created | \Registry\Machine\Software\Classes\.lockbit\DefaultIcon | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\BDCDC5.ico" | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
pid | Process
2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe (35 identical rows)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe, vssvc.exe, WMIC.exe
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Token: SeDebugPrivilege | 2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Token: SeBackupPrivilege | 356 | vssvc.exe
Token: SeRestorePrivilege | 356 | vssvc.exe
Token: SeAuditPrivilege | 356 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2644 | WMIC.exe
Token: SeSecurityPrivilege | 2644 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2644 | WMIC.exe
Token: SeLoadDriverPrivilege | 2644 | WMIC.exe
Token: SeSystemProfilePrivilege | 2644 | WMIC.exe
Token: SeSystemtimePrivilege | 2644 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2644 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2644 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2644 | WMIC.exe
Token: SeBackupPrivilege | 2644 | WMIC.exe
Token: SeRestorePrivilege | 2644 | WMIC.exe
Token: SeShutdownPrivilege | 2644 | WMIC.exe
Token: SeDebugPrivilege | 2644 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2644 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2644 | WMIC.exe
Token: SeUndockPrivilege | 2644 | WMIC.exe
Token: SeManageVolumePrivilege | 2644 | WMIC.exe
Token: 33 | 2644 | WMIC.exe
Token: 34 | 2644 | WMIC.exe
Token: 35 | 2644 | WMIC.exe
(the 20 WMIC.exe rows are recorded twice in the report, for 45 rows in total)
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe, cmd.exe
description | pid | Process | procid_target
PID 2088 wrote to memory of 2252 | 2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe | 28 (4 rows)
PID 2252 wrote to memory of 1376 | 2252 | cmd.exe | 31 (3 rows)
PID 2252 wrote to memory of 2644 | 2252 | cmd.exe | 34 (3 rows)
PID 2252 wrote to memory of 1504 | 2252 | cmd.exe | 36 (3 rows)
PID 2252 wrote to memory of 2584 | 2252 | cmd.exe | 37 (3 rows)
PID 2088 wrote to memory of 2256 | 2088 | 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe | 39 (4 rows)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
  "C:\Users\Admin\AppData\Local\Temp\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID:2252
        C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID:1376
        C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
          PID:2644
        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:1504
        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:2584
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 2520
      - Program crash
      PID:2256
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:356
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
512B
MD5
f766b55660f029dda531c4ededb839c1
SHA1
1fb404955b3ff4ef75b7d89e230819180c85615f
SHA256
8e0ae20367d8837766ba5b2dd559d7c454ef5c57a4f910234e079ed35cee6df6
SHA512
eef4d4e9aef7250eb434bdf582c3b9d45f00496972521d4984c7b48a7181ab66f7eafdbbe8bf4c841e1a3be62276e002cf23c7307bc73670f79b11225891f993