lockbit | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1561s
max time network
1570s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/LockBit_14_02_2021_146KB.exe
Size

146KB
MD5

69bec32d50744293e85606a5e8f80425
SHA1

101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
SHA256

95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
SHA512

e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
SSDEEP

3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH

Score

10^/10

lockbit defense_evasion evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?BC76D224712A7481CA2A42C53921A24F | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BC76D224712A7481CA2A42C53921A24F This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?BC76D224712A7481CA2A42C53921A24F

http://lockbitks2tvnmwk.onion/?BC76D224712A7481CA2A42C53921A24F

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note

Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?BC76D224712A7481CA2A42C53921A24F Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?BC76D224712A7481CA2A42C53921A24F This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?BC76D224712A7481CA2A42C53921A24F

http://lockbitks2tvnmwk.onion/?BC76D224712A7481CA2A42C53921A24F

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1832 bcdedit.exe
1604 bcdedit.exe
Renames multiple (9368) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1568 wbadmin.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2060 cmd.exe

pid	process
1832	bcdedit.exe
1604	bcdedit.exe

pid	process
1568	wbadmin.exe

pid	process
2060	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LockBit_14_02_2021_146KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\""	LockBit_14_02_2021_146KB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta"	LockBit_14_02_2021_146KB.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

LockBit_14_02_2021_146KB.exe

description ioc process

File opened (read-only) \??\F: LockBit_14_02_2021_146KB.exe

description	ioc	process
File opened (read-only)	\??\F:	LockBit_14_02_2021_146KB.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LockBit_14_02_2021_146KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6CA8.tmp.bmp"	LockBit_14_02_2021_146KB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

LockBit_14_02_2021_146KB.exe

pid	process
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe
2712	LockBit_14_02_2021_146KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

LockBit_14_02_2021_146KB.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\DEFAULT.XSL	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar	LockBit_14_02_2021_146KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2412 vssadmin.exe

pid	process
2412	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

LockBit_14_02_2021_146KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\TileWallpaper = "0"	LockBit_14_02_2021_146KB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallpaperStyle = "2"	LockBit_14_02_2021_146KB.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1072 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

LockBit_14_02_2021_146KB.exe

pid process

2712 LockBit_14_02_2021_146KB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1072	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

LockBit_14_02_2021_146KB.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2712	LockBit_14_02_2021_146KB.exe
Token: SeDebugPrivilege	2712	LockBit_14_02_2021_146KB.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeBackupPrivilege	2892	wbengine.exe
Token: SeRestorePrivilege	2892	wbengine.exe
Token: SeSecurityPrivilege	2892	wbengine.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

LockBit_14_02_2021_146KB.execmd.execmd.exe

description	pid	process	target process
PID 2712 wrote to memory of 2020	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2020	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2020	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2020	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2020 wrote to memory of 2412	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 2412	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 2412	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 2484	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 2484	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 2484	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 1832	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1832	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1832	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1604	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1604	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1604	2020	cmd.exe	bcdedit.exe
PID 2020 wrote to memory of 1568	2020	cmd.exe	wbadmin.exe
PID 2020 wrote to memory of 1568	2020	cmd.exe	wbadmin.exe
PID 2020 wrote to memory of 1568	2020	cmd.exe	wbadmin.exe
PID 2712 wrote to memory of 2052	2712	LockBit_14_02_2021_146KB.exe	mshta.exe
PID 2712 wrote to memory of 2052	2712	LockBit_14_02_2021_146KB.exe	mshta.exe
PID 2712 wrote to memory of 2052	2712	LockBit_14_02_2021_146KB.exe	mshta.exe
PID 2712 wrote to memory of 2052	2712	LockBit_14_02_2021_146KB.exe	mshta.exe
PID 2712 wrote to memory of 2060	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2060	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2060	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2712 wrote to memory of 2060	2712	LockBit_14_02_2021_146KB.exe	cmd.exe
PID 2060 wrote to memory of 1072	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 1072	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 1072	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 1072	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 944	2060	cmd.exe	fsutil.exe
PID 2060 wrote to memory of 944	2060	cmd.exe	fsutil.exe
PID 2060 wrote to memory of 944	2060	cmd.exe	fsutil.exe
PID 2060 wrote to memory of 944	2060	cmd.exe	fsutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1832
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1604
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1568
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1072
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
    3⤵
    PID:944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Filesize
1KB

MD5
f1f9fa7e0ac011f93ea508f6c0c595ef

SHA1
933ec77d7416e7cbb2d3e30a2250da2259112679

SHA256
54bb61b3fa4c51f7a518089987984e77ca4eb2ab4776fa458cb986dff1ddf816

SHA512
b96b3c5eb97484762a0cb52193ffb900d336edda4034bd57480f9f6e1b38bd2455eef9d058b24ca4b6da10df6b83c1fba549235428614f72df23532a28774fc7

Download Submit
C:\Users\Admin\Desktop\LockBit-note.hta

Filesize
17KB

MD5
83b62f624992a5ac6afb087554d25c31

SHA1
5bf1c39eb8208e2a48dc6d9fc6f8f6f270e2bcde

SHA256
1e5f657e4ee5ec3beb3ffe32e4a514194e5617da74aec07eadd587670cf63a8b

SHA512
47a56042a5d1468ab8fc7609ff67ef23c5639866922953ec7afa391d384f4d28eaa566638f750bf0810747032bb816ed79bd11e5d40db7db06e941fa7cde8846

Download Submit