Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: Lockbit2.0/Mutated/Mutated_acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Lockbit2.0/Mutated/Mutated_acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: Lockbit2.0/acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: Lockbit2.0/acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Resource: win10v2004-20240802-en
General
Target: Lockbit2.0/acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
Size: 959KB
MD5: 84866fca8a5ceb187bca8e257e4f875a
SHA1: 038bc02c0997770a1e764d0203303ef8fcad11fb
SHA256: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c
SHA512: aec85f1b12701d61dbc2d9343613ae99660a8580818ed5cff9c88e6d41fd8134b507af91ea06005eb1d0ec90dd28fc4d673e739007a92bd2edd4928aedd35f34
SSDEEP: 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdFF:Ujrc2So1Ff+B3k796v
Malware Config
Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  PID 2296  bcdedit.exe
  PID 1472  bcdedit.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{00CD9EDF-1C1C-E787-A34E-A30657F12DD7} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Lockbit2.0\\acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe\""  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F:  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)

Drops file in System32 directory (1 IoCs)
  File created: C:\windows\SysWOW64\BDCDC5.ico  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  PID 2096  acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe  (all 21 IoCs)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)

Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1092  vssadmin.exe

Modifies registry class (3 IoCs)
  Key created: \Registry\Machine\Software\Classes\.lockbit  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)
  Key created: \Registry\Machine\Software\Classes\.lockbit\DefaultIcon  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\BDCDC5.ico"  (process: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe)

Suspicious behavior: EnumeratesProcesses (33 IoCs)
  PID 2096  acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe  (all 33 IoCs)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Token: SeTakeOwnershipPrivilege  PID 2096  acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Token: SeDebugPrivilege          PID 2096  acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Token: SeBackupPrivilege         PID 668   vssvc.exe
  Token: SeRestorePrivilege        PID 668   vssvc.exe
  Token: SeAuditPrivilege          PID 668   vssvc.exe
  PID 2716  WMIC.exe (each of the following tokens is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2096 (acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe) wrote to memory of PID 2104, procid_target 30  (4 occurrences)
  PID 2104 (cmd.exe) wrote to memory of PID 1092, procid_target 33  (3 occurrences)
  PID 2104 (cmd.exe) wrote to memory of PID 2716, procid_target 36  (3 occurrences)
  PID 2104 (cmd.exe) wrote to memory of PID 2296, procid_target 38  (3 occurrences)
  PID 2104 (cmd.exe) wrote to memory of PID 1472, procid_target 39  (3 occurrences)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Lockbit2.0\acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lockbit2.0\acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c.exe"
  PID: 2096
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    PID: 2104
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 1092
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 2716
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 2296
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      PID: 1472
      - Modifies boot configuration data using bcdedit

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 668
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2): File Deletion (2)
  Modify Registry (1)
Downloads
Filesize: 512B
MD5: 9e993ac8deb3f479f481c8972406227a
SHA1: f94dcd88d27cff8aac067d6077f275845906d40c
SHA256: 7a2721f4b5d7dcd1a6f5b4f36b1e91cfa25a52f8d1983a42f66e3259a1915b35
SHA512: 967b4b8ae932f773af865990fb206f8071891281a6bfe77ed30c785f0eb96318f0587b15dd162d8d8f06dfc4d72eff1becdf6c3a765e775d8dcd038ed5e44a71