lockbit | 8cbc0b1bdd7172be981015d974ed3edec427d28d4d30e3e1275601a7e7c0e9f2

Analysis

max time kernel
76s
max time network
23s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
Size

959KB
MD5

ee3d3453412de1dcb14495adbeaf5345
SHA1

58dfce7b088183909b973596a67fb0265f8c7d96
SHA256

8cbc0b1bdd7172be981015d974ed3edec427d28d4d30e3e1275601a7e7c0e9f2
SHA512

edf93d433f1303130fc4381048c64eaf00d70ff76d28a9eaaa64fedc9fdeca61c4c7064db03d421212c5e4881caac8a55edcd722b60dc8187e0831367159d4cb
SSDEEP

24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796j

Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: E239D02DB817EF4A8E1B4EBF4C97EABE

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2100	bcdedit.exe
2852	bcdedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F839C72D-1717-EFBA-7E8B-7E6ED29BE336} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe\""	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\E239D0.ico	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\Restore-My-Files.txt	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\fr-fr\gadget.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\bahia_banderas	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\bullets\j0115836.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\awardhm.poc	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\samples\solvsamp.xls	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\microsoft games\solitaire\solitairemce.png	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0107484.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formshomepage.html	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0382926.jpg	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\launch.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\withcomp.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\tehran	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse_.sf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\sts2\tab_on.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\eng.hyp	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\bullets\bd14795_.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\creston	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0107496.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\issue tracking.gta	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\borders\msart8.bdr	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\cronometer_m.png	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\confirmmeasure.xps	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\resource\cmap\identity-v	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\cagcat10\j0230876.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\videolan\vlc\lua\http\dialogs\error_window.html	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\windows sidebar\gadgets\weather.gadget\images\activity16v.png	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins3d\drvsoft.x3d	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0099148.jpg	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0287643.jpg	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\specialoccasion\whitevignette1047.png	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\denver	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\it-it\js\slideshow.js	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\pe00555_.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\addins\outex.ecf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\bibliography\sort\title.xsl	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\orb.idl	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\in00915_.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\lightspirit.css	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0227419.jpg	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\bullets\bd14830_.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir40f.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\quickstyles\traditional.dotx	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\bcsevents.man	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\performance\previousmenubuttoniconsubpi.png	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0099189.jpg	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pagesize\pglbl026.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\theme effects\metro.eftx	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.co.in.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\santarem	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files\windows sidebar\gadgets\rssfeeds.gadget\de-de\rssfeeds.html	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\dd00414_.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\ag00129_.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\swest_01.mid	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\bullets\bd15059_.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0301432.wmf	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\theme fonts\clarity.xml	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\rtf_increaseindent.gif	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
204	2060	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2428	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\E239D0.ico"	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
Key created	\Registry\Machine\Software\Classes\.lockbit	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
Key created	\Registry\Machine\Software\Classes\.lockbit\DefaultIcon	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
Token: SeDebugPrivilege	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2392	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe	29
PID 2060 wrote to memory of 2392	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe	29
PID 2060 wrote to memory of 2392	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe	29
PID 2060 wrote to memory of 2392	2060	2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe	29
PID 2392 wrote to memory of 2428	2392	cmd.exe	32
PID 2392 wrote to memory of 2428	2392	cmd.exe	32
PID 2392 wrote to memory of 2428	2392	cmd.exe	32
PID 2392 wrote to memory of 1036	2392	cmd.exe	35
PID 2392 wrote to memory of 1036	2392	cmd.exe	35
PID 2392 wrote to memory of 1036	2392	cmd.exe	35
PID 2392 wrote to memory of 2100	2392	cmd.exe	37
PID 2392 wrote to memory of 2100	2392	cmd.exe	37
PID 2392 wrote to memory of 2100	2392	cmd.exe	37
PID 2392 wrote to memory of 2852	2392	cmd.exe	38
PID 2392 wrote to memory of 2852	2392	cmd.exe	38
PID 2392 wrote to memory of 2852	2392	cmd.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_ee3d3453412de1dcb14495adbeaf5345_lockbit.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2100
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 808
  2⤵
  - Program crash
  PID:204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Filesize
512B

MD5
768fd5f30bc8e99cdec149e60890ba47

SHA1
7b20761d6f531dba09bdab584af704553c4d51ec

SHA256
2a66e614aca665d9686d699a8b60d4dce17f72d3a761a92fffef366bc0ef8d13

SHA512
b401c015c20f773a095144d78394a52f3b974613d412e6fa4c52e51c6060dad22c7fe11c39a8b7018c1e90d3ae3584986b77466261e1bf35d0b663c598ba682c

Download Submit