Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
602s -
max time network
432s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07-07-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
General
-
Target
RansomwareSamples/LockBit_14_02_2021_146KB.exe
-
Size
146KB
-
MD5
69bec32d50744293e85606a5e8f80425
-
SHA1
101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
-
SHA256
95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
-
SHA512
e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
-
SSDEEP
3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH
Malware Config
Extracted
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?BC76D224712A7481BC414F119346F5F5
http://lockbitks2tvnmwk.onion/?BC76D224712A7481BC414F119346F5F5
Extracted
C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?BC76D224712A7481BC414F119346F5F5
http://lockbitks2tvnmwk.onion/?BC76D224712A7481BC414F119346F5F5
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2136 bcdedit.exe 5116 bcdedit.exe -
Renames multiple (6416) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 3344 wbadmin.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation LockBit_14_02_2021_146KB.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" LockBit_14_02_2021_146KB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" LockBit_14_02_2021_146KB.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: LockBit_14_02_2021_146KB.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6519.tmp.bmp" LockBit_14_02_2021_146KB.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_he.json LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\resources.resjson LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-125.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\PlayStore_icon.svg LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\3DViewerProductDescription-universal.xml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareMainPage.xaml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\logo.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36_altform-unplated.png LockBit_14_02_2021_146KB.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36_altform-unplated.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-125_contrast-black.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\20.rsrc LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-black.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-125.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-400.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf LockBit_14_02_2021_146KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\Restore-My-Files.txt LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotMatch.snippets.ps1xml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateVerticallyOverlay.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-20_contrast-white.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-125_contrast-black.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-unplated.png LockBit_14_02_2021_146KB.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-100.png LockBit_14_02_2021_146KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3856 5872 WerFault.exe 102 -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3048 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\WallpaperStyle = "2" LockBit_14_02_2021_146KB.exe Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\TileWallpaper = "0" LockBit_14_02_2021_146KB.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings LockBit_14_02_2021_146KB.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5476 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4924 LockBit_14_02_2021_146KB.exe 4924 LockBit_14_02_2021_146KB.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4924 LockBit_14_02_2021_146KB.exe Token: SeDebugPrivilege 4924 LockBit_14_02_2021_146KB.exe Token: SeBackupPrivilege 2652 vssvc.exe Token: SeRestorePrivilege 2652 vssvc.exe Token: SeAuditPrivilege 2652 vssvc.exe Token: SeIncreaseQuotaPrivilege 892 WMIC.exe Token: SeSecurityPrivilege 892 WMIC.exe Token: SeTakeOwnershipPrivilege 892 WMIC.exe Token: SeLoadDriverPrivilege 892 WMIC.exe Token: SeSystemProfilePrivilege 892 WMIC.exe Token: SeSystemtimePrivilege 892 WMIC.exe Token: SeProfSingleProcessPrivilege 892 WMIC.exe Token: SeIncBasePriorityPrivilege 892 WMIC.exe Token: SeCreatePagefilePrivilege 892 WMIC.exe Token: SeBackupPrivilege 892 WMIC.exe Token: SeRestorePrivilege 892 WMIC.exe Token: SeShutdownPrivilege 892 WMIC.exe Token: SeDebugPrivilege 892 WMIC.exe Token: SeSystemEnvironmentPrivilege 892 WMIC.exe Token: SeRemoteShutdownPrivilege 892 WMIC.exe Token: SeUndockPrivilege 892 WMIC.exe Token: SeManageVolumePrivilege 892 WMIC.exe Token: 33 892 WMIC.exe Token: 34 892 WMIC.exe Token: 35 892 WMIC.exe Token: 36 892 WMIC.exe Token: SeIncreaseQuotaPrivilege 892 WMIC.exe Token: SeSecurityPrivilege 892 WMIC.exe Token: SeTakeOwnershipPrivilege 892 WMIC.exe Token: SeLoadDriverPrivilege 892 WMIC.exe Token: SeSystemProfilePrivilege 892 WMIC.exe Token: SeSystemtimePrivilege 892 WMIC.exe Token: SeProfSingleProcessPrivilege 892 WMIC.exe Token: SeIncBasePriorityPrivilege 892 WMIC.exe Token: SeCreatePagefilePrivilege 892 WMIC.exe Token: SeBackupPrivilege 892 WMIC.exe Token: SeRestorePrivilege 892 WMIC.exe Token: SeShutdownPrivilege 892 WMIC.exe Token: SeDebugPrivilege 892 WMIC.exe Token: SeSystemEnvironmentPrivilege 892 WMIC.exe Token: SeRemoteShutdownPrivilege 892 WMIC.exe Token: SeUndockPrivilege 892 WMIC.exe Token: SeManageVolumePrivilege 892 WMIC.exe Token: 33 892 WMIC.exe Token: 34 892 WMIC.exe Token: 35 892 WMIC.exe Token: 36 892 WMIC.exe Token: SeBackupPrivilege 2920 wbengine.exe Token: SeRestorePrivilege 2920 wbengine.exe Token: SeSecurityPrivilege 2920 wbengine.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 4924 wrote to memory of 1988 4924 LockBit_14_02_2021_146KB.exe 85 PID 4924 wrote to memory of 1988 4924 LockBit_14_02_2021_146KB.exe 85 PID 1988 wrote to memory of 3048 1988 cmd.exe 87 PID 1988 wrote to memory of 3048 1988 cmd.exe 87 PID 1988 wrote to memory of 892 1988 cmd.exe 90 PID 1988 wrote to memory of 892 1988 cmd.exe 90 PID 1988 wrote to memory of 2136 1988 cmd.exe 93 PID 1988 wrote to memory of 2136 1988 cmd.exe 93 PID 1988 wrote to memory of 5116 1988 cmd.exe 94 PID 1988 wrote to memory of 5116 1988 cmd.exe 94 PID 1988 wrote to memory of 3344 1988 cmd.exe 95 PID 1988 wrote to memory of 3344 1988 cmd.exe 95 PID 4924 wrote to memory of 5872 4924 LockBit_14_02_2021_146KB.exe 102 PID 4924 wrote to memory of 5872 4924 LockBit_14_02_2021_146KB.exe 102 PID 4924 wrote to memory of 5872 4924 LockBit_14_02_2021_146KB.exe 102 PID 4924 wrote to memory of 2780 4924 LockBit_14_02_2021_146KB.exe 103 PID 4924 wrote to memory of 2780 4924 LockBit_14_02_2021_146KB.exe 103 PID 4924 wrote to memory of 2780 4924 LockBit_14_02_2021_146KB.exe 103 PID 2780 wrote to memory of 5476 2780 cmd.exe 105 PID 2780 wrote to memory of 5476 2780 cmd.exe 105 PID 2780 wrote to memory of 5476 2780 cmd.exe 105 PID 2780 wrote to memory of 4000 2780 cmd.exe 110 PID 2780 wrote to memory of 4000 2780 cmd.exe 110 PID 2780 wrote to memory of 4000 2780 cmd.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3048
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2136
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:5116
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:3344
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵PID:5872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 17723⤵
- Program crash
PID:3856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:5476
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"3⤵PID:4000
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:696
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5872 -ip 58721⤵PID:5416
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57cb40cb4967a12e34ccdaa253afd6c42
SHA11ea841e1d70d9a0ad184029d699e1c2640b4fbe1
SHA2566338597083527e125cb19c2cdd820416ec4f55d82239f83b79f9960d34edc4b9
SHA5125ba003930d6e20d44c0075a58d6120f7dc21ad27efdf692934166b6e7171d50dbf075a713d9ba20cbbff3111667934281c81de365f2a1c583c67067eb3620d3b
-
Filesize
17KB
MD5d6edb656f9ce21b5894f876e5aad83ed
SHA138553433bfa22e69805b09cf72df6b6a9ef4840e
SHA256f6762e4496c3ac91fc42511ccc71fd5adefcc4636eedf724d7f63111b0185dda
SHA51242e680c7c7c5d57f0dc7dd1040f8d9c7b91c11266a757ff1383ad87a8809409f3303cb7b8b4a973be1d74edb6251180ded3f70646aab9c2bd36718c9f3c0ef3b