lockbit | 2047bb9f00b16a6c8afba9f9a59ca4173a644b6c3b7ff922282a5607f288da89

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
Size

959KB
MD5

bd0c0336958d4b1abda8062d43b277e9
SHA1

2c4d2c6262d46313990e31bf7b6437028a566ba8
SHA256

2047bb9f00b16a6c8afba9f9a59ca4173a644b6c3b7ff922282a5607f288da89
SHA512

d1edf5516f758d0020db7933dd15e8448fb66217c9f0681af8af44916ac5f0429b1008034001fad511daaae12b3a839c216b05b7a64df23ec320228e891ff16c
SSDEEP

24576:uLjr3s2nScu1idtz3f++5kRzFxk7rMxNeR1RkqpdsFC:Ujrc2SodFf+B3k79BOI

Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 9672B03E62DF3ADD9D48A00D0BDA0C29

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
1456	bcdedit.exe
2444	bcdedit.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
276	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C072C73E-DFDF-3A24-3694-36C4CE93052F} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe\""	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
File opened (read-only)	\??\F:	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\168.tmp.bmp"	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

pid	Process
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\calendar_double_bkg.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\es-es\settings.html	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0341448.jpg	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.com.vn.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\7-zip\lang\nb.txt	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\oldage\15x15dot.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\autoshap\bd18220_.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\cagcat10\j0235241.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0341499.jpg	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\pictph.poc	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\wsidbr98.poc	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\ja-jp\js\clock.js	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-modules-keyring-fallback.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jre7\lib\deploy\messages_de.properties	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\flap.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0297727.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\fr-fr\css\currency.css	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\enderbury	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jre7\lib\zi\antarctica\davis	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jre7\thirdpartylicensereadme.txt	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\bs53boxs.poc	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir48b.gif	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\outlookautodiscover\nl.rogers.com.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\stationery\1033\judgesch.htm	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\luxembourg	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\theme fonts\solstice.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\theme colors\median.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\ja-jp\css\settings.css	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\windows sidebar\gadgets\weather.gadget\images\undocked-loading.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0215709.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\autoshap\bd18214_.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\huecycle\navigationright_selectionsubpicture.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\rankin_inlet	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\chuuk	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pagesize\pgmn089.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\images\add_down.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\khandyga	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\search5.api	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\cagcat10\j0305493.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pagesize\pglbl093.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\managua	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jre7\lib\zi\pacific\pago_pago	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\bs00076_.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\label98.poc	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\circleround_videoinset.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\atlantic\reykjavik	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\so00017_.wmf	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir1f.gif	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme02.css	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\convert\1033\olnoter.fae	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\rectangles\15x15dot.png	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File created	C:\program files\microsoft games\freecell\fr-fr\Restore-My-Files.txt	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\it-it\js\weather.js	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\ag00090_.gif	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.execmd.exePING.EXEfsutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
276	cmd.exe
2092	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
2184	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2092	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

pid	Process
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
Token: SeDebugPrivilege	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.execmd.execmd.exe

description	pid	Process	procid_target
PID 3004 wrote to memory of 2792	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	30
PID 3004 wrote to memory of 2792	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	30
PID 3004 wrote to memory of 2792	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	30
PID 3004 wrote to memory of 2792	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	30
PID 2792 wrote to memory of 2184	2792	cmd.exe	32
PID 2792 wrote to memory of 2184	2792	cmd.exe	32
PID 2792 wrote to memory of 2184	2792	cmd.exe	32
PID 2792 wrote to memory of 1932	2792	cmd.exe	35
PID 2792 wrote to memory of 1932	2792	cmd.exe	35
PID 2792 wrote to memory of 1932	2792	cmd.exe	35
PID 2792 wrote to memory of 1456	2792	cmd.exe	37
PID 2792 wrote to memory of 1456	2792	cmd.exe	37
PID 2792 wrote to memory of 1456	2792	cmd.exe	37
PID 2792 wrote to memory of 2444	2792	cmd.exe	38
PID 2792 wrote to memory of 2444	2792	cmd.exe	38
PID 2792 wrote to memory of 2444	2792	cmd.exe	38
PID 3004 wrote to memory of 276	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	41
PID 3004 wrote to memory of 276	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	41
PID 3004 wrote to memory of 276	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	41
PID 3004 wrote to memory of 276	3004	2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe	41
PID 276 wrote to memory of 2092	276	cmd.exe	43
PID 276 wrote to memory of 2092	276	cmd.exe	43
PID 276 wrote to memory of 2092	276	cmd.exe	43
PID 276 wrote to memory of 2092	276	cmd.exe	43
PID 276 wrote to memory of 2068	276	cmd.exe	44
PID 276 wrote to memory of 2068	276	cmd.exe	44
PID 276 wrote to memory of 2068	276	cmd.exe	44
PID 276 wrote to memory of 2068	276	cmd.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2184
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1456
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2092
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-09-15_bd0c0336958d4b1abda8062d43b277e9_lockbit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Filesize
512B

MD5
c7bf4ab4e0736481467e7223a7f0127f

SHA1
eb4bbafbbb2461147a2d6b2b6b21b0ac23c48f9a

SHA256
b016d77d802feb63003da6d89ea7a145955b289674500c362347f811b0982f12

SHA512
99d53a4af965cee35d295fb0295b444907a1217fb67b156d5f0e12a194ee652107b06ae33d913a703b9b4512dde14e98ac31b3cea66072f02d47e4a98305117c

Download Submit