lockbit | 1d79d85948aa4c62b8367f233b088d9adb00915475a559f7e163e12edf9b9ccb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
Size

140KB
MD5

adee08d1d86e361d08ced8adc8ab17dc
SHA1

4ff5efcf97516cb1ef4c07fc04bab0d3b9fc1b6f
SHA256

1d79d85948aa4c62b8367f233b088d9adb00915475a559f7e163e12edf9b9ccb
SHA512

34dc8efffd83294103007003c4f95fcdf0cdb40d8f8036c6f7413bf8711a7e475beea1ca599103ceeddfb3c1f3e00985923233117f4684df3dcea02a2de04d10
SSDEEP

3072:iU8E2JPpYg/GGo2l+mL3iUfqMqqD/KqEA8PC:QE2pHNo2wW3r5qqD/2T

Score

10^/10

lockbit defense_evasion evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\jre\lib\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! There is only one way to get your files back: 1. Contact with us 2. Send us 1 any encrypted your file and your personal key 3. We will decrypt 1 file for test(maximum file size - 1 MB), its guarantee what we can decrypt your files 4. Pay 5. We send for you decryptor software We accept Bitcoin Attention! Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price(they add their fee to our) Contact information: [email protected] Be sure to duplicate your message on the e-mail: [email protected] Your personal id: PVemH9OeNwCmqXsZmZnhsS9BBlglYH66KybfrzGp7VyEO7GS+hkW4qIyHthqZgjV 93VWpNuVXJQpBMOwuiWAYpOJy8Jzf9qd2oUage1KwFaGwIq40wziRsKLh2H3Ww4L OAkX+WXoSIY5RT31kUQGNqa1KbI8aSfDmDO0vlHad7ju0YUkN5GvION/LC1IazgG 3ugiRJgQ6oR2NoG0ts3xuLLaUGp8reOBGYm9MB2fY/qG3VQsPNsrae7yy9oTYyiV bLm6H1k8k7L/ZF4HcyqCKfXLEGUL8XLQ4Oqv/DvGESxLILQj25xbl7+VCvjPezti 5BDQI/pD3qkPeVjnKflZvBmWIs0L0UXV3GMXWaiO7uL/6hJxmsmWYK7ixZlp1683 w9OKcq9+5OeiN3hAoCHLI6xbP5uPqiJNYkyzhHrpF9KWuOI3uM16fK2wgWL6u26j YK2TI/iVqmQ3el1tj8aY8aLDgrLsAQP8tLmq1hhkmGjfnVogebD0nFiky8PyOUg7 9WsiLPVcEac9Y5IKXgF9got0z4pZJ73WODikQNImKh2yhoTXG8Td5pXeYCRAcyDA tvE7NY+YcOzHuPhsSeUU0o8ISRzIcdyS/xN5kkCeRBvOdJuslqmFE8S9e9E2tpWP vgj5iFdvAb9D6qysUp6p3AmI8vYM3qpO6JHR7mXFshQYwFwvB/CGQuhQLT6c1JEc TWsLt05rZWU0oQI33hG7P8rxanDE6kvSnQxgL6g1E0Vuz8to/NMVtilPIvbrhr5Y BIQsR6GYG/O+AxjDp95iUW5JF4VRFkw0h0plfVxnQCUdu1A/vLkIcGUTu4MAO/8b r8HN7d2Won/yPWAnmxST+5lNVxjewqXhmXHXpTEDWiboMXdQ6WpgR7c6ZrT9lMpd AGX+303EY3LuYINmrflxF13SGTCxQt5lrNvkEBzeVHR6UTJLOdSMcuVNlXZXoq/B DYGdSeLEUc4aoPBK0nC2KKw0MeWnaa24PAJTLUDq/kX3dbMj0JzC1Mfguxp3kHzF VZLKgaY+szECOxdbvE1KKnVvnxjaIeBPHADRpA4BgsfUp5vTdiTTUJpFjgrYuUR+ eBWrgvkGT5cnvmXFWqPQJwqMht6k5Or6lfF032oCOvQCRJQXROjYn7Sam39wMBy7 qXg14ojOt5viRerkrAuyS01qbApfreMfVMku69xmJQ+Y3T9pFI96GClCi7pgGgVx 7UR+XwI9JMZhR7SGzDOVOmmlldfzOu/m4C0aerTDF/x6I8WaeVbDyi94RkFZx92R Zkgaur4l/6SR0JOxjghYN5M5NB3Gv8mMI/lEm//4S4YYDHQ+GQTYxfvAb8iOXWlz c5qRwrnVdKg0+YOYcuKqOT6oCrMBALKWHUd87ZCrtNUjiqJbJKhNv9ucPNbMZSoj QixCODj5jsJ0+p6ppC3CqtPl2OXGAGN/HO/OOonD9nXdi0qbX3j4G4hgYfU2r5rv lpzPwXqCYkEySGfYr9QgBb/y9RtBs5JgaC2PtoyPfJIylnQZ8W9xQOOxrJ/U0o5q VS+SzYEvkuAGWHtFw9MQj383yi1NnWKZWjgzZVop2pJpskvTsqybNlTu6crOM9sR Hn5jnCKE1wkkbml/US7d3FmlbW/3IUkFwt5XbjvQCTPWBPLvSnaGPY5jtM+3EQTh 3Lwsi8t2ySidGc7rYIoRHTenwA1fOsZIwxhvF458Gwg=

Emails

[email protected]

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2388-0-0x0000000000400000-0x0000000000428000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Modifies boot configuration data using bcdedit 1 TTPs 12 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
3312	bcdedit.exe
3492	bcdedit.exe
3736	bcdedit.exe
1560	bcdedit.exe
3200	bcdedit.exe
3056	bcdedit.exe
308	bcdedit.exe
2576	bcdedit.exe
4872	bcdedit.exe
960	bcdedit.exe
4792	bcdedit.exe
4332	bcdedit.exe

Renames multiple (7482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 10 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid	Process
2052	wbadmin.exe
3736	wbadmin.exe
3424	wbadmin.exe
3500	wbadmin.exe
4656	wbadmin.exe
3748	wbadmin.exe
4752	wbadmin.exe
4708	wbadmin.exe
3484	wbadmin.exe
3896	wbadmin.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
3680	wbadmin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
5588	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
File opened (read-only)	\??\F:	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293570.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14533_.GIF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXT	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287019.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\sbdrop.dll.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.INF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR19F.GIF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02373_.WMF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Drops file in Windows directory 30 IoCs

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
3316	vssadmin.exe
3348	vssadmin.exe
4024	vssadmin.exe
5044	vssadmin.exe
2896	vssadmin.exe
1416	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5624	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

pid	Process
2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exewmic.exewbengine.exe

description	pid	Process
Token: SeBackupPrivilege	2584	vssvc.exe
Token: SeRestorePrivilege	2584	vssvc.exe
Token: SeAuditPrivilege	2584	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3380	wmic.exe
Token: SeSecurityPrivilege	3380	wmic.exe
Token: SeTakeOwnershipPrivilege	3380	wmic.exe
Token: SeLoadDriverPrivilege	3380	wmic.exe
Token: SeSystemProfilePrivilege	3380	wmic.exe
Token: SeSystemtimePrivilege	3380	wmic.exe
Token: SeProfSingleProcessPrivilege	3380	wmic.exe
Token: SeIncBasePriorityPrivilege	3380	wmic.exe
Token: SeCreatePagefilePrivilege	3380	wmic.exe
Token: SeBackupPrivilege	3380	wmic.exe
Token: SeRestorePrivilege	3380	wmic.exe
Token: SeShutdownPrivilege	3380	wmic.exe
Token: SeDebugPrivilege	3380	wmic.exe
Token: SeSystemEnvironmentPrivilege	3380	wmic.exe
Token: SeRemoteShutdownPrivilege	3380	wmic.exe
Token: SeUndockPrivilege	3380	wmic.exe
Token: SeManageVolumePrivilege	3380	wmic.exe
Token: 33	3380	wmic.exe
Token: 34	3380	wmic.exe
Token: 35	3380	wmic.exe
Token: SeBackupPrivilege	3532	wbengine.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.execmd.exe

description	pid	Process	procid_target
PID 2388 wrote to memory of 2788	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	28
PID 2388 wrote to memory of 2788	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	28
PID 2388 wrote to memory of 2788	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	28
PID 2388 wrote to memory of 2788	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	28
PID 2788 wrote to memory of 2896	2788	cmd.exe	30
PID 2788 wrote to memory of 2896	2788	cmd.exe	30
PID 2788 wrote to memory of 2896	2788	cmd.exe	30
PID 2388 wrote to memory of 1416	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	33
PID 2388 wrote to memory of 1416	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	33
PID 2388 wrote to memory of 1416	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	33
PID 2388 wrote to memory of 1416	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	33
PID 2388 wrote to memory of 3312	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	36
PID 2388 wrote to memory of 3312	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	36
PID 2388 wrote to memory of 3312	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	36
PID 2388 wrote to memory of 3312	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	36
PID 2388 wrote to memory of 3492	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	38
PID 2388 wrote to memory of 3492	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	38
PID 2388 wrote to memory of 3492	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	38
PID 2388 wrote to memory of 3492	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	38
PID 2388 wrote to memory of 2052	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	40
PID 2388 wrote to memory of 2052	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	40
PID 2388 wrote to memory of 2052	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	40
PID 2388 wrote to memory of 2052	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	40
PID 2388 wrote to memory of 3736	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	42
PID 2388 wrote to memory of 3736	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	42
PID 2388 wrote to memory of 3736	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	42
PID 2388 wrote to memory of 3736	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	42
PID 2788 wrote to memory of 3984	2788	cmd.exe	44
PID 2788 wrote to memory of 3984	2788	cmd.exe	44
PID 2788 wrote to memory of 3984	2788	cmd.exe	44
PID 2388 wrote to memory of 3380	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	46
PID 2388 wrote to memory of 3380	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	46
PID 2388 wrote to memory of 3380	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	46
PID 2388 wrote to memory of 3380	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	46
PID 2788 wrote to memory of 3736	2788	cmd.exe	48
PID 2788 wrote to memory of 3736	2788	cmd.exe	48
PID 2788 wrote to memory of 3736	2788	cmd.exe	48
PID 2788 wrote to memory of 1560	2788	cmd.exe	49
PID 2788 wrote to memory of 1560	2788	cmd.exe	49
PID 2788 wrote to memory of 1560	2788	cmd.exe	49
PID 2788 wrote to memory of 3680	2788	cmd.exe	50
PID 2788 wrote to memory of 3680	2788	cmd.exe	50
PID 2788 wrote to memory of 3680	2788	cmd.exe	50
PID 2388 wrote to memory of 3316	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	52
PID 2388 wrote to memory of 3316	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	52
PID 2388 wrote to memory of 3316	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	52
PID 2388 wrote to memory of 3316	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	52
PID 2388 wrote to memory of 3200	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	56
PID 2388 wrote to memory of 3200	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	56
PID 2388 wrote to memory of 3200	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	56
PID 2388 wrote to memory of 3200	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	56
PID 2388 wrote to memory of 3056	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	58
PID 2388 wrote to memory of 3056	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	58
PID 2388 wrote to memory of 3056	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	58
PID 2388 wrote to memory of 3056	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	58
PID 2388 wrote to memory of 3424	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	72
PID 2388 wrote to memory of 3424	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	72
PID 2388 wrote to memory of 3424	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	72
PID 2388 wrote to memory of 3424	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	72
PID 2388 wrote to memory of 3500	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	62
PID 2388 wrote to memory of 3500	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	62
PID 2388 wrote to memory of 3500	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	62
PID 2388 wrote to memory of 3500	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	62
PID 2388 wrote to memory of 4360	2388	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	78

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3736
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1560
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3680
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1416
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3312
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3492
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2052
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3736
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3316
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3200
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3056
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3424
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3500
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:4360
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3348
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:308
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2576
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4656
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3748
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:3328
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4024
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4872
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:960
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4752
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4708
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:112
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:5044
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4792
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4332
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3484
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3896
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:3648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe"
  2⤵
  - Deletes itself
  PID:5588
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 20
    3⤵
    - Runs ping.exe
    PID:5624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-798195307849291450695753539304295202-558630511299696761568225059-847561954"
1⤵
PID:3424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "99983788212187492082009267232-18714249881266659816538712590-17604453371333522791"
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\Restore-My-Files.txt

Filesize
2KB

MD5
2b3e0befd861cb24705468bc62606a92

SHA1
ef729447185c6db29e55b02fe6e6039dd0d4f69e

SHA256
3b8f51098ac42efb10a979456542bb4e65d2c96f29a3806971ece607b464b663

SHA512
2f5e78f214006d42db885955c38d277f66cb90b19ceff991bee01be1b936bd03ee7465b71f213ab13c9f8528dfb28e788439e56f290ce5e51c1338cb39b6e19d

Download Submit
C:\Users\Admin\Desktop\resultlog10.dll

Filesize
1KB

MD5
64f02e0eecd9b51f84aa1648fd3860a0

SHA1
03d3b643f917328d040be6ec52a08da7cdcf58df

SHA256
884c99ec4cacab1302228de8bd9e51c6ab0e1295e57a6580dc0e94cf4133558b

SHA512
1ec4faa72a1148634d8d0327a0e816955a40e6407f3e202c3260e5322bdecf1b309fa5079e9d038e7d78e0ddfbb9d4e40105b548ae6ecaae15123a9b19700a98

Download Submit
C:\Users\Admin\Desktop\resultlog10.dll

Filesize
4KB

MD5
b752110d9d5f773f0d88271bd213429c

SHA1
e78008fd997150e44555be2c761df1aca7932c1c

SHA256
569f87bbdbfd691dcf7651848b2582c40e3155727ccff6816208d6dd0678e9f1

SHA512
76d913b349098d8c2a175bc58f642cee04dc7d565c582732ee30893104723ed73c2d3bfc77e1e8440ebaa106f8913d3db50e51d9bddc813e5e058d18fc41969e

Download Submit
memory/2388-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download