Analysis
-
max time kernel
55s -
max time network
53s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06-11-2024 18:54
Static task
static1
Behavioral task
behavioral1
Sample
LockBit2.0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
LockBit2.0.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
LockBit2.0.exe
Resource
win11-20241023-en
General
-
Target
LockBit2.0.exe
-
Size
959KB
-
MD5
fec0ba68b3118f490dbee9dc5cc382d4
-
SHA1
c5a76c237314d970fb5acfc118c1f1109d012704
-
SHA256
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0
-
SHA512
4c202c11503607baa0fccc23223933eaf1ffe052607f46f3d596520ced90359d1bcf1369ce335d4b63de9c221cf137d6354ce88fead6e3164c54903c8e20f81c
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796W
Malware Config
Extracted
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
http-equiv="Content-Type"
http-equiv="x-ua-compatible"
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process 4276 3352 OfficeC2RClient.exe 104 -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1644 bcdedit.exe 1568 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation LockBit2.0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7866A3C0-E0E0-3A21-40E3-40AA4E080B68} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\LockBit2.0.exe\"" LockBit2.0.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta" LockBit2.0.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: LockBit2.0.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\windows\SysWOW64\AE664D.ico LockBit2.0.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL LockBit2.0.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL LockBit2.0.exe File created C:\Windows\system32\spool\PRINTERS\PPu3n9sxe209g8rsbxoflip8i2d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP10j3__rykp14_zi_njip10rkb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPvvw2yt0si09z2unzschgdv9uc.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6491.tmp.bmp" LockBit2.0.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
pid Process 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\program files\dotnet\swidtag\microsoft windows desktop runtime - 6.0.27 (x64).swidtag LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\lib\jawt.lib LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\onenoter_retail-pl.xrm-ms LockBit2.0.exe File opened for modification C:\program files\java\jre-1.8\lib\deploy\messages_de.properties LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpoint2019r_grace-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\projectpro2019vl_mak_ae-ppd.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\logoimages\winwordlogo.contrast-white_scale-100.png LockBit2.0.exe File opened for modification C:\program files\videolan\vlc\locale\lg\lc_messages\vlc.mo LockBit2.0.exe File opened for modification C:\program files\dotnet\shared\microsoft.netcore.app\7.0.16\microsoft.netcore.app.runtimeconfig.json LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\integration\c2rmanifest.office32mui.msi.16.en-us.xml LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\proplus2019r_oem_perp2-ul-phn.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000018\cardview\lib\native-common\assets\[email protected] LockBit2.0.exe File opened for modification C:\program files\mozilla firefox\omni.ja LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\document themes 16\theme fonts\times new roman-arial.xml LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\excelvl_mak-pl.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\pagesize\pglbl086.xml LockBit2.0.exe File created C:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\resources\1033\Restore-My-Files.txt LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\homebusinessr_oem_perp3-ppd.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\projectstd2019r_grace-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\1033\waclangpackeula.txt LockBit2.0.exe File created C:\program files\microsoft office\root\office16\msipc\pt\Restore-My-Files.txt LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\comments.win32.bundle LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\rsod\onenote.x-none.msi.16.x-none.tree.dat LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\legal\jdk\dynalink.md LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\homebusinesspipcr_oem_perp-ul-phn.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\newcomment.png LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\lib\jconsole.jar LockBit2.0.exe File opened for modification C:\program files\java\jre-1.8\lib\jvm.hprof.txt LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\skypeforbusinessvl_mak-pl.xrm-ms LockBit2.0.exe File created C:\program files\videolan\vlc\locale\hi\lc_messages\Restore-My-Files.txt LockBit2.0.exe File opened for modification C:\program files\videolan\vlc\locale\hr\lc_messages\vlc.mo LockBit2.0.exe File opened for modification C:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\microsoft.windowsdesktop.app.runtimeconfig.json LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\publisher2019vl_kms_client_ae-ul.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\1033\quickstyles\word2013bw.dotx LockBit2.0.exe File created C:\program files\videolan\vlc\locale\eo\lc_messages\Restore-My-Files.txt LockBit2.0.exe File opened for modification C:\program files\videolan\vlc\locale\ne\lc_messages\vlc.mo LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\skypeforbusinessr_retail-pl.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\visiostdvl_kms_client-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\java\jre-1.8\lib\management\jmxremote.password.template LockBit2.0.exe File opened for modification C:\program files\microsoft office\packagemanifests\authoredextensions.16.xml LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\document themes 16\theme colors\red.xml LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\excelr_oem_perp-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpointr_grace-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\projectpro2019r_trial-pl.xrm-ms LockBit2.0.exe File created C:\program files\microsoft office\root\office16\msipc\hu\Restore-My-Files.txt LockBit2.0.exe File opened for modification C:\program files\mozilla firefox\browser\features\[email protected] LockBit2.0.exe File opened for modification C:\program files\videolan\vlc\lua\playlist\dailymotion.luac LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\mceperfctr.man LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\msipc\hu\msipc.dll.mui LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\jre\lib\flavormap.properties LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\jre\lib\plugin.jar LockBit2.0.exe File opened for modification C:\program files\java\jre-1.8\legal\jdk\relaxngom.md LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subscription1-pl.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\licenses16\powerpointvl_mak-ul-oob.xrm-ms LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\borders\msart4.bdr LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\pagesize\pgmn011.xml LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\[email protected] LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\[email protected] LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\rsod\officemuiset.msi.16.en-us.tree.dat LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\templates\1033\apothecarynewsletter.dotx LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\office16\sdxs\fa000000018\cardview\lib\native-common\assets\[email protected] LockBit2.0.exe File opened for modification C:\program files\microsoft office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat LockBit2.0.exe File opened for modification C:\program files\java\jdk-1.8\jvisualvm.txt LockBit2.0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2476 1940 WerFault.exe 106 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LockBit2.0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2080 cmd.exe 4536 PING.EXE -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 544 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\WallpaperStyle = "2" LockBit2.0.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\TileWallpaper = "0" LockBit2.0.exe -
Modifies registry class 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class" LockBit2.0.exe Key created \Registry\Machine\Software\Classes\htafile\DefaultIcon LockBit2.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" LockBit2.0.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings LockBit2.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit" LockBit2.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" LockBit2.0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell LockBit2.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\"" LockBit2.0.exe Key created \Registry\Machine\Software\Classes\.lockbit LockBit2.0.exe Key created \Registry\Machine\Software\Classes\Lockbit LockBit2.0.exe Key created \Registry\Machine\Software\Classes\Lockbit\DefaultIcon LockBit2.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\AE664D.ico" LockBit2.0.exe Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon LockBit2.0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open LockBit2.0.exe Key created \Registry\Machine\Software\Classes\Lockbit\shell\Open\Command LockBit2.0.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4536 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 2656 WMIC.exe 2656 WMIC.exe 2656 WMIC.exe 2656 WMIC.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe 3788 LockBit2.0.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3788 LockBit2.0.exe Token: SeDebugPrivilege 3788 LockBit2.0.exe Token: SeBackupPrivilege 772 vssvc.exe Token: SeRestorePrivilege 772 vssvc.exe Token: SeAuditPrivilege 772 vssvc.exe Token: SeIncreaseQuotaPrivilege 2656 WMIC.exe Token: SeSecurityPrivilege 2656 WMIC.exe Token: SeTakeOwnershipPrivilege 2656 WMIC.exe Token: SeLoadDriverPrivilege 2656 WMIC.exe Token: SeSystemProfilePrivilege 2656 WMIC.exe Token: SeSystemtimePrivilege 2656 WMIC.exe Token: SeProfSingleProcessPrivilege 2656 WMIC.exe Token: SeIncBasePriorityPrivilege 2656 WMIC.exe Token: SeCreatePagefilePrivilege 2656 WMIC.exe Token: SeBackupPrivilege 2656 WMIC.exe Token: SeRestorePrivilege 2656 WMIC.exe Token: SeShutdownPrivilege 2656 WMIC.exe Token: SeDebugPrivilege 2656 WMIC.exe Token: SeSystemEnvironmentPrivilege 2656 WMIC.exe Token: SeRemoteShutdownPrivilege 2656 WMIC.exe Token: SeUndockPrivilege 2656 WMIC.exe Token: SeManageVolumePrivilege 2656 WMIC.exe Token: 33 2656 WMIC.exe Token: 34 2656 WMIC.exe Token: 35 2656 WMIC.exe Token: 36 2656 WMIC.exe Token: SeIncreaseQuotaPrivilege 2656 WMIC.exe Token: SeSecurityPrivilege 2656 WMIC.exe Token: SeTakeOwnershipPrivilege 2656 WMIC.exe Token: SeLoadDriverPrivilege 2656 WMIC.exe Token: SeSystemProfilePrivilege 2656 WMIC.exe Token: SeSystemtimePrivilege 2656 WMIC.exe Token: SeProfSingleProcessPrivilege 2656 WMIC.exe Token: SeIncBasePriorityPrivilege 2656 WMIC.exe Token: SeCreatePagefilePrivilege 2656 WMIC.exe Token: SeBackupPrivilege 2656 WMIC.exe Token: SeRestorePrivilege 2656 WMIC.exe Token: SeShutdownPrivilege 2656 WMIC.exe Token: SeDebugPrivilege 2656 WMIC.exe Token: SeSystemEnvironmentPrivilege 2656 WMIC.exe Token: SeRemoteShutdownPrivilege 2656 WMIC.exe Token: SeUndockPrivilege 2656 WMIC.exe Token: SeManageVolumePrivilege 2656 WMIC.exe Token: 33 2656 WMIC.exe Token: 34 2656 WMIC.exe Token: 35 2656 WMIC.exe Token: 36 2656 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4276 OfficeC2RClient.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3788 wrote to memory of 2144 3788 LockBit2.0.exe 85 PID 3788 wrote to memory of 2144 3788 LockBit2.0.exe 85 PID 2144 wrote to memory of 544 2144 cmd.exe 87 PID 2144 wrote to memory of 544 2144 cmd.exe 87 PID 2144 wrote to memory of 2656 2144 cmd.exe 90 PID 2144 wrote to memory of 2656 2144 cmd.exe 90 PID 2144 wrote to memory of 1644 2144 cmd.exe 92 PID 2144 wrote to memory of 1644 2144 cmd.exe 92 PID 2144 wrote to memory of 1568 2144 cmd.exe 93 PID 2144 wrote to memory of 1568 2144 cmd.exe 93 PID 3300 wrote to memory of 3352 3300 printfilterpipelinesvc.exe 104 PID 3300 wrote to memory of 3352 3300 printfilterpipelinesvc.exe 104 PID 3352 wrote to memory of 4276 3352 ONENOTE.EXE 105 PID 3352 wrote to memory of 4276 3352 ONENOTE.EXE 105 PID 3788 wrote to memory of 1940 3788 LockBit2.0.exe 106 PID 3788 wrote to memory of 1940 3788 LockBit2.0.exe 106 PID 3788 wrote to memory of 1940 3788 LockBit2.0.exe 106 PID 3788 wrote to memory of 2080 3788 LockBit2.0.exe 107 PID 3788 wrote to memory of 2080 3788 LockBit2.0.exe 107 PID 3788 wrote to memory of 2080 3788 LockBit2.0.exe 107 PID 2080 wrote to memory of 4536 2080 cmd.exe 109 PID 2080 wrote to memory of 4536 2080 cmd.exe 109 PID 2080 wrote to memory of 4536 2080 cmd.exe 109 PID 2080 wrote to memory of 4940 2080 cmd.exe 114 PID 2080 wrote to memory of 4940 2080 cmd.exe 114 PID 2080 wrote to memory of 4940 2080 cmd.exe 114 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LockBit2.0.exe"C:\Users\Admin\AppData\Local\Temp\LockBit2.0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:544
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:1644
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1568
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 17963⤵
- Program crash
PID:2476
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\LockBit2.0.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LockBit2.0.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4536
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\LockBit2.0.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4940
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3572
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5CB3FE24-E201-45EC-BF90-EB4F5AB19E76}.xps" 1337539289959400002⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=3352 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=13⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
PID:4276
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1940 -ip 19401⤵PID:1580
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Discovery
Network Service Discovery
1Peripheral Device Discovery
1Query Registry
2Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD51200f375096f32a380151661e3a2d862
SHA1d1b2ae542f83dab9bc67f22556c52d3f775ccea2
SHA25609ea15626fb5502ee7e0d72dad47f17f79709ab04bccd02c7ff5f37df82f5fb9
SHA512690acaaf5038ad419cbf41551e9900dd703fb38d7fddf715497f3d575c6cd29075257c8a4d514f77d7ec145c70b5e29d4a33f59ba4e8f49d85371128371f0f8f
-
Filesize
46KB
MD5c15c6adc8c923ad87981f289025c37b2
SHA1bfe6533f4afe3255046f7178f289a4c75ad89e76
SHA25690f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1
SHA51231dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83