Analysis

max time kernel: 59s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 14:35

Static task: static1

Behavioral task: behavioral1
Sample: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Resource: win10v2004-20240226-en
General

Target: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Size: 1.1MB
MD5: 79cc0d4a5a23d9775ba0971c6527f615
SHA1: ce57b67d89440b8a942a445532daa8fb121220ef
SHA256: 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016
SHA512: 99ed7e7ab55ad66e86cd47b7c9868c6af584ef5e00ce524f83bf7ac13aecf9af72eaa6bd8c43001d77b296aa4d28797f2cb0d50bc313ac40844503cc1e45e412
SSDEEP: 24576:zMs9TCjY3FV/3qdJDxOBu4nLesI+m6S9AIRl8Ma1KpHcJPJutmWTHgQ4gC:zMu/qX1OBu4nysI/P9Tlm17PktmWDg5v
Malware Config

Extracted from C:\Program Files\dotnet\Restore-My-Files.txt:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
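The config extraction above is just URL scraping of the dropped note and HTA. The following is an added example, not code from the sandbox and not LockBit's own code, that does the same thing on a constructed note body and then structurally checks each .onion host against the Tor v3 address layout (base32 of a 32-byte key, a 2-byte SHA3-256 checksum and a version byte of 3), so that a mistyped or truncated address does not end up in a blocklist. Only the URLs in the sample note are taken from the report; the surrounding sentences are filler written for this example.

```python
"""
Added example, not code from the sandbox or from LockBit: extract the contact
URLs from a ransom note the way the "Malware Config" section above was filled
from Restore-My-Files.txt and LockBit_Ransomware.hta, collapse duplicates by
host, and structurally check each .onion against the Tor v3 address layout
before it is published as an indicator.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# CONSTRUCTED note body. Only the URLs are taken from the report above; the
# surrounding sentences are filler written for this example, not LockBit's text.
SAMPLE_NOTE = """\
All of your files are encrypted. Use the links below to contact us.
Tor Browser links:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
Links for the normal browser:
https://bigblog.at
https://decoding.at/
https://decoding.at
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
# A v3 onion host is exactly 56 base32 characters (a-z, 2-7) plus ".onion".
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def extract_contacts(note):
    """Return {'onion': [hosts], 'clearnet': [hosts]} in order of first
    appearance; paths and trailing slashes are dropped so that
    'https://decoding.at/' and 'https://decoding.at' count once."""
    onion, clearnet = [], []
    for url in URL_RE.findall(note):
        host = urlsplit(url.rstrip(".,;")).hostname
        if not host:
            continue
        host = host.lower()
        bucket = onion if host.endswith(".onion") else clearnet
        if host not in bucket:
            bucket.append(host)
    return {"onion": onion, "clearnet": clearnet}


def check_v3_onion(host):
    """Decode a v3 onion host as base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1])
    and verify VERSION == 3 and CHECKSUM == SHA3-256(".onion checksum" ||
    PUBKEY || VERSION)[:2], the layout defined in Tor's rend-spec-v3. A
    transcription error in a 56-character address is otherwise invisible."""
    result = {"format_ok": False, "version": None, "checksum_ok": False}
    host = host.lower()
    if not ONION_V3_RE.match(host):
        return result
    result["format_ok"] = True
    raw = base64.b32decode(host[:56].upper())      # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    result["version"] = version
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    result["checksum_ok"] = checksum == expected
    return result


if __name__ == "__main__":
    contacts = extract_contacts(SAMPLE_NOTE)
    for host in contacts["onion"]:
        print(host, check_v3_onion(host))
    print(contacts["clearnet"])
```

Deduplicating by host rather than by full URL is what turns the two decoding.at entries and the `/or` variant of the lockbitsap2 address into three distinct indicators instead of five. The version byte check alone already catches a damaged final character; the checksum covers errors anywhere else in the address.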
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
PID 4264 bcdedit.exe
PID 5032 bcdedit.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{00CD9EDF-1C1C-E787-A34E-A30657F12DD7} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe\"" by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only): \??\F: by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe

Drops file in System32 directory (1 IoC)
Processes:
File created: C:\windows\SysWOW64\BDCDC5.ico by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
Processes:
PID 2432 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe (17 occurrences)
Drops file in Program Files directory (64 IoCs)
Processes: every entry below is by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
File opened for modification: C:\program files\microsoft office\root\licenses16\o365proplusr_subscription3-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subtrial2-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\projectproco365r_subtest-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\proplusr_grace-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\standard2019r_trial-pl.xrm-ms
File opened for modification: C:\program files\java\jdk-1.8\legal\javafx\libxml2.md
File opened for modification: C:\program files\microsoft office\root\office16\logoimages\powerpntlogo.scale-140.png
File opened for modification: C:\program files\microsoft office\root\licenses16\wordr_grace-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\wordvl_mak-ul-phn.xrm-ms
File opened for modification: C:\program files\microsoft office\root\office16\1033\clientvolumelicense2019_eula.txt
File opened for modification: C:\program files\microsoft office\root\office16\pagesize\pglbl108.xml
File opened for modification: C:\program files\java\jdk-1.8\jre\legal\jdk\ecc.md
File opened for modification: C:\program files\java\jdk-1.8\jre\thirdpartylicensereadme-javafx.txt
File opened for modification: C:\program files\microsoft office\root\licenses16\powerpointr_oem_perp-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\document themes 16\theme colors\yellow.xml
File opened for modification: C:\program files\microsoft office\root\document themes 16\theme effects\banded edge.eftx
File opened for modification: C:\program files\microsoft office\root\licenses16\mondor_subtrial-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\o365homepremr_subtest4-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\publishervl_kms_client-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\office16\logoimages\onenotelogo.contrast-white_scale-140.png
File opened for modification: C:\program files\dotnet\shared\microsoft.netcore.app\8.0.0\microsoft.netcore.app.runtimeconfig.json
File opened for modification: C:\program files\java\jdk-1.8\jre\legal\jdk\thaidict.md
File opened for modification: C:\program files\microsoft office\root\document themes 16\theme fonts\century gothic-palatino linotype.xml
File opened for modification: C:\program files\microsoft office\root\licenses16\accessvl_mak-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\powerpointr_retail-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\proplus2019r_grace-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\proplus2019r_oem_perp4-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\visiostd2019r_grace-ul-oob.xrm-ms
File opened for modification: C:\program files\7-zip\lang\fa.txt
File opened for modification: C:\program files\java\jdk-1.8\legal\jdk\freebxml.md
File opened for modification: C:\program files\microsoft office\root\licenses16\homebusinessr_oem_perp4-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subtrial3-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\personalr_retail-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\projectpro2019vl_kms_client_ae-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\projectstd2019vl_kms_client_ae-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\office16\library\analysis\atpvbaen.xlam
File opened for modification: C:\program files\7-zip\lang\mk.txt
File opened for modification: C:\program files\7-zip\lang\mng.txt
File opened for modification: C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subscription2-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\powerpointr_retail-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\professional2019r_oem_perp-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\personal2019r_retail-ul-phn.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\projectpro2019vl_mak_ae-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\standardr_retail-ul-phn.xrm-ms
File created: C:\program files\microsoft office\root\office16\livepersonacard\Restore-My-Files.txt
File opened for modification: C:\program files\microsoft office\root\licenses16\projectpror_retail-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\onenotevl_kms_client-ul.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\word2019r_retail-pl.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\wordr_retail-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\office16\addins\powerpivot excel add-in\cartridges\orcl7.xsl
File opened for modification: C:\program files\microsoft office\root\office16\msipc\es\msipc.dll.mui
File opened for modification: C:\program files\7-zip\lang\cy.txt
File opened for modification: C:\program files\microsoft office\root\licenses16\excel2019r_grace-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\visiopro2019xc2rvl_makc2r-ul-oob.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\visiostdr_retail-ppd.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\visiostdxc2rvl_makc2r-ul-oob.xrm-ms
File opened for modification: C:\program files\java\jdk-1.8\jre\lib\jfr.jar
File opened for modification: C:\program files\microsoft office\root\licenses16\pkeyconfig-office.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\publisher2019r_oem_perp-ul-phn.xrm-ms
File opened for modification: C:\program files\microsoft office\root\licenses16\skypeforbusinessvl_mak-ul-oob.xrm-ms
File opened for modification: C:\program files\java\jdk-1.8\jre\lib\ext\localedata.jar
File opened for modification: C:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml
File opened for modification: C:\program files\microsoft office\root\licenses16\proplusmsdnr_retail-ul-phn.xrm-ms
File opened for modification: C:\program files\microsoft office\root\office16\logoimages\firstrunlogo.scale-180.png
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
PID 1556 WerFault.exe, crashed process PID 3176 (procid_target 110)

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 2976 vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
Key created: \Registry\Machine\Software\Classes\.lockbit by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\BDCDC5.ico" by 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
PID 2432 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe (28 occurrences)

Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes:
PID 2432 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
PID 3696 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 4396 WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
PID 2432 1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe wrote to memory of PID 1728 cmd.exe (procid_target 92), recorded twice
PID 1728 cmd.exe wrote to memory of PID 2976 vssadmin.exe (procid_target 94), recorded twice
PID 1728 cmd.exe wrote to memory of PID 4396 WMIC.exe (procid_target 97), recorded twice
PID 1728 cmd.exe wrote to memory of PID 4264 bcdedit.exe (procid_target 99), recorded twice
PID 1728 cmd.exe wrote to memory of PID 5032 bcdedit.exe (procid_target 100), recorded twice

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe"
  PID: 2432
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    PID: 1728
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2976
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 4396
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 4264
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      PID: 5032
      - Modifies boot configuration data using bcdedit

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 3176

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1692
      PID: 1556
      - Program crash

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3696
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  PID: 1812

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3176 -ip 3176
  PID: 2708
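The recovery-inhibition chain in the tree above (sample -> cmd.exe /c -> vssadmin, wmic, bcdedit, bcdedit) is the part of this run worth a detection. The following is an added example, not code from the sandbox and not LockBit's own code, that replays that chain over constructed process-creation events written in a Sysmon Event ID 1 / Security 4688 style. PIDs, image paths and command lines are copied from the report; the sample's own parent PID (4288) and the benign "vssadmin list shadows" control event are made up for the example. The point it shows is attribution: the cmd.exe command line alone already carries all four actions, and the four children carry them again, so hits are grouped by the top-most logged ancestor to yield one incident rather than five alerts.

```python
"""
Added example, not part of the sandbox report and not LockBit code: replay the
recovery-inhibition chain from the process tree above over process-creation
events and raise one finding per root process. Event records are CONSTRUCTED
here; PIDs, images and command lines mirror the report, the sample's parent PID
(4288) and the benign control event are invented for the example.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1b98e58b5acf0de215b2bad7f734d453b0815cbe335d11bcb8d59124fd8c2016.exe"

EVENTS = [
    {"ProcessId": 2432, "ParentProcessId": 4288, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 1728, "ParentProcessId": 2432, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet'
                    r' & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                    r' & bcdedit /set {default} recoveryenabled no'},
    {"ProcessId": 2976, "ParentProcessId": 1728, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 4396, "ParentProcessId": 1728, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 4264, "ParentProcessId": 1728, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 5032, "ParentProcessId": 1728, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    # Constructed benign control: an administrator listing shadow copies must not fire.
    {"ProcessId": 6100, "ParentProcessId": 900, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

# Each rule is applied to a normalised command line (quotes stripped, whitespace
# collapsed, lower-cased), so casing and extra spacing do not evade it.
# All four map to ATT&CK T1490 Inhibit System Recovery.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b"),
}


def normalise(cmdline):
    return " ".join(cmdline.replace('"', " ").split()).lower()


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    norm = normalise(cmdline)
    return {name for name, rx in RULES.items() if rx.search(norm)}


def root_ancestor(pid, parents, logged):
    """Follow ParentProcessId links up to the highest process we have an event
    for; a cycle guard keeps a malformed log from looping forever."""
    seen = set()
    while pid not in seen and parents.get(pid) in logged:
        seen.add(pid)
        pid = parents[pid]
    return pid


def detect(events):
    """One finding per root process: the rules it triggered, the PIDs that
    provided the evidence, and a severity that only reaches 'high' when two or
    more distinct recovery-inhibition actions share a root."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    images = {e["ProcessId"]: e["Image"] for e in events}
    hits = defaultdict(lambda: defaultdict(set))   # root pid -> rule -> pids
    for e in events:
        for rule in match_rules(e["CommandLine"]):
            hits[root_ancestor(e["ProcessId"], parents, images)][rule].add(e["ProcessId"])
    findings = []
    for root, rules in hits.items():
        findings.append({
            "root_pid": root,
            "root_image": images[root],
            "techniques": sorted(rules),
            "evidence": {r: sorted(p) for r, p in rules.items()},
            "severity": "high" if len(rules) >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["root_pid"], f["root_image"], f["techniques"])
```

Matching on the parent's `/c` string as well as on the children means the finding survives even when child process events are missing (short-lived children are the ones most often dropped), and grouping by root is what keeps a lone administrative `vssadmin delete shadows` at medium while the four-step chain under one sample process lands at high.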
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: e5a292e268b6064902f3f5c41e550fdd
SHA1: 597957e74e9ef282c81fe6f1d85a06c8d0debc5b
SHA256: 0af2a2d865df1245e846bfe0bb4761c53d10e74c2595b7d1e7073808869b8016
SHA512: 274fa2fd771d94e1499197b127da06d7ad4f05ace5069ea94ddd8de5d3a15e2d21c09bbe481a4ff0a613edb713837029130a6aa5d6c2d3e5319b5cd870fe7ffd

Filesize: 46KB
MD5: c15c6adc8c923ad87981f289025c37b2
SHA1: bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA256: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA512: 31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83