Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 08:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe
-
Size
959KB
-
MD5
bd0c0336958d4b1abda8062d43b277e9
-
SHA1
2c4d2c6262d46313990e31bf7b6437028a566ba8
-
SHA256
2047bb9f00b16a6c8afba9f9a59ca4173a644b6c3b7ff922282a5607f288da89
-
SHA512
d1edf5516f758d0020db7933dd15e8448fb66217c9f0681af8af44916ac5f0429b1008034001fad511daaae12b3a839c216b05b7a64df23ec320228e891ff16c
-
SSDEEP
24576:uLjr3s2nScu1idtz3f++5kRzFxk7rMxNeR1RkqpdsFC:Ujrc2SodFf+B3k79BOI
Malware Config
Extracted
Path
C:\Program Files\Java\jdk1.7.0_80\db\bin\Restore-My-Files.txt
Ransom Note
LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR
https://decoding.at
Decryption ID: 9672B03E62DF3ADD80CE8740928FB9ED
URLs
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3028 bcdedit.exe 216 bcdedit.exe -
Deletes itself 1 IoCs
pid Process 2740 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C072C73E-DFDF-3A24-3694-36C4CE93052F} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe\"" 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DBFD.tmp.bmp" 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\projecttoolseticonimages.jpg 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\adobe\reader 9.0\reader\tracker\submission_history.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\sy01572_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\brightorange.css 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\windows sidebar\gadgets\calendar.gadget\images\bg-dock.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\adobe\reader 9.0\resource\font\pfm\zy______.pfm 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\publisher\backgrounds\wb02082_.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme fonts\composite.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\currency.gadget\de-de\js\init.js 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\4to3squareframe_buttongraphic.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\db\lib\derbylocale_cs.jar 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\moduleautodeps\org-openide-execution.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0215210.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\catwiz.poc 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\resizingpanels\navigationup_buttongraphic.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jre7\lib\zi\america\thunder_bay 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0152560.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\travel\16_9-frame-highlight.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\bahia 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File created C:\program files\mozilla firefox\defaults\pref\Restore-My-Files.txt 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\windows sidebar\gadgets\slideshow.gadget\icon.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\autoshap\bd18189_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd21303_.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.co.jp.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jre7\lib\cmm\gray.pf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\microsoft games\chess\en-us\chess.exe.mui 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File created C:\program files\microsoft office\office14\1033\Restore-My-Files.txt 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\in00118_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\wb01747_.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir37f.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\microsoft.sharepoint.businessdata.administration.client.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\144dpi\(144dpi)notconnectedstateicon.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\photoedge_videoinset.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_cn.jar 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\it-it\clock.html 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\dd00256_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0187837.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\media\cagcat10\j0299611.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\desert\tab_on.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\rings-desk.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\en-us\clock.html 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\memories\16_9-frame-highlight.png 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\atlantic\south_georgia 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File created C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\Restore-My-Files.txt 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir4f.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\7-zip\lang\sr-spc.txt 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jre7\lib\zi\america\fortaleza 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\so00726_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\exptoows.xla 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\stationery\1033\pawprint.gif 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\travel\travelintrotomainmask.wmv 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jre7\lib\zi\indian\mahe 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\autoshap\bd18223_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\calendar\calendartooliconimagesmask.bmp 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-profiling.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\an02724_.wmf 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\microsoft office\document themes 14\theme fonts\essential.xml 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\7-zip\lang\sw.txt 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files\dvd maker\de-de\wmm2clip.dll.mui 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\ja-jp\js\clock.js 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2740 cmd.exe 2872 PING.EXE -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3020 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\TileWallpaper = "0" 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2872 PING.EXE -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe Token: SeDebugPrivilege 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe Token: SeBackupPrivilege 1640 vssvc.exe Token: SeRestorePrivilege 1640 vssvc.exe Token: SeAuditPrivilege 1640 vssvc.exe Token: SeIncreaseQuotaPrivilege 1156 WMIC.exe Token: SeSecurityPrivilege 1156 WMIC.exe Token: SeTakeOwnershipPrivilege 1156 WMIC.exe Token: SeLoadDriverPrivilege 1156 WMIC.exe Token: SeSystemProfilePrivilege 1156 WMIC.exe Token: SeSystemtimePrivilege 1156 WMIC.exe Token: SeProfSingleProcessPrivilege 1156 WMIC.exe Token: SeIncBasePriorityPrivilege 1156 WMIC.exe Token: SeCreatePagefilePrivilege 1156 WMIC.exe Token: SeBackupPrivilege 1156 WMIC.exe Token: SeRestorePrivilege 1156 WMIC.exe Token: SeShutdownPrivilege 1156 WMIC.exe Token: SeDebugPrivilege 1156 WMIC.exe Token: SeSystemEnvironmentPrivilege 1156 WMIC.exe Token: SeRemoteShutdownPrivilege 1156 WMIC.exe Token: SeUndockPrivilege 1156 WMIC.exe Token: SeManageVolumePrivilege 1156 WMIC.exe Token: 33 1156 WMIC.exe Token: 34 1156 WMIC.exe Token: 35 1156 WMIC.exe Token: SeIncreaseQuotaPrivilege 1156 WMIC.exe Token: SeSecurityPrivilege 1156 WMIC.exe Token: SeTakeOwnershipPrivilege 1156 WMIC.exe Token: SeLoadDriverPrivilege 1156 WMIC.exe Token: SeSystemProfilePrivilege 1156 WMIC.exe Token: SeSystemtimePrivilege 1156 WMIC.exe Token: SeProfSingleProcessPrivilege 1156 WMIC.exe Token: SeIncBasePriorityPrivilege 1156 WMIC.exe Token: SeCreatePagefilePrivilege 1156 WMIC.exe Token: SeBackupPrivilege 1156 WMIC.exe Token: SeRestorePrivilege 1156 WMIC.exe Token: SeShutdownPrivilege 1156 WMIC.exe Token: SeDebugPrivilege 1156 WMIC.exe Token: SeSystemEnvironmentPrivilege 1156 WMIC.exe Token: SeRemoteShutdownPrivilege 1156 WMIC.exe Token: SeUndockPrivilege 1156 WMIC.exe Token: SeManageVolumePrivilege 1156 WMIC.exe Token: 33 1156 WMIC.exe Token: 34 1156 WMIC.exe Token: 35 1156 WMIC.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1076 wrote to memory of 2828 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 30 PID 1076 wrote to memory of 2828 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 30 PID 1076 wrote to memory of 2828 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 30 PID 1076 wrote to memory of 2828 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 30 PID 2828 wrote to memory of 3020 2828 cmd.exe 32 PID 2828 wrote to memory of 3020 2828 cmd.exe 32 PID 2828 wrote to memory of 3020 2828 cmd.exe 32 PID 2828 wrote to memory of 1156 2828 cmd.exe 35 PID 2828 wrote to memory of 1156 2828 cmd.exe 35 PID 2828 wrote to memory of 1156 2828 cmd.exe 35 PID 2828 wrote to memory of 3028 2828 cmd.exe 37 PID 2828 wrote to memory of 3028 2828 cmd.exe 37 PID 2828 wrote to memory of 3028 2828 cmd.exe 37 PID 2828 wrote to memory of 216 2828 cmd.exe 38 PID 2828 wrote to memory of 216 2828 cmd.exe 38 PID 2828 wrote to memory of 216 2828 cmd.exe 38 PID 1076 wrote to memory of 2740 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 41 PID 1076 wrote to memory of 2740 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 41 PID 1076 wrote to memory of 2740 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 41 PID 1076 wrote to memory of 2740 1076 20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe 41 PID 2740 wrote to memory of 2872 2740 cmd.exe 43 PID 2740 wrote to memory of 2872 2740 cmd.exe 43 PID 2740 wrote to memory of 2872 2740 cmd.exe 43 PID 2740 wrote to memory of 2872 2740 cmd.exe 43 PID 2740 wrote to memory of 2260 2740 cmd.exe 44 PID 2740 wrote to memory of 2260 2740 cmd.exe 44 PID 2740 wrote to memory of 2260 2740 cmd.exe 44 PID 2740 wrote to memory of 2260 2740 cmd.exe 44 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe"C:\Users\Admin\AppData\Local\Temp\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3020
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3028
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:216
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2872
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\20240915bd0c0336958d4b1abda8062d43b277e9lockbit.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2260
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD57e7f9ae2587cbe97a9d218fe8290b793
SHA1aed8dad3e03bbc4de2171b13f1652749721f958e
SHA256bcfe9915e69ec11f0d407bec9b75da3ea9c1fede2ce1da01a57f354753d0edff
SHA5120fcb21d67cc0f7909877c1d34803e3e59fd15b9ff6338578972f38761f817674725758ed3aba48dcc4d34f5f460bc3829aac4fe0e98b48e2341b2aafc7505e60