Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 22-12-2024 04:58
Static task: static1

Behavioral task: behavioral1
  Sample: lb777.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: lb777.exe
  Resource: win10v2004-20241007-en
General

Target: lb777.exe
Size: 231KB
MD5: fe49d7d1ebd25845774acc939b6aad3b
SHA1: 28c7959a129cb4549985ba4cea38993e92cbe478
SHA256: a39ffdc433fc726128c22452dd70b8b3407cc9db02a90307b937e8ab4a3aae97
SHA512: f5fa1dcc51639e1230620665c5466adefd85ef95570793a0464857fde496acd3d0bddb88436fb034dea33d05142687e6fdf3f4015e43687779ffc14e0db97384
SSDEEP: 3072:f6/mwNj47XTyfvWyeBukAHm+cjCbhMsGjxPUC87vazsf3salBZdDmeVsPH:SbeTTyfvphBPcjCbGsGqC87rtbQTf
Malware Config

Extracted from C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
  lockbit
  http://lockbit-decryptor.com/?8DB8A3AE8B2470959CC3A1CCA559C2AD
  http://lockbitks2tvnmwk.onion/?8DB8A3AE8B2470959CC3A1CCA559C2AD

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
Signatures

Lockbit
  Ransomware family with multiple variants released since late 2019.

Lockbit family

Deletes shadow copies - 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit - 1 TTPs, 2 IoCs
  pid   Process
  2116  bcdedit.exe
  2944  bcdedit.exe
Renames multiple (9324) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes backup catalog
  pid   Process
  2716  wbadmin.exe

Deletes itself - 1 IoCs
  pid   Process
  2088  cmd.exe

Adds Run key to start application - 2 TTPs, 2 IoCs
  description      ioc                                                                                                                                             Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lb777.exe\""  lb777.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta"  lb777.exe
Enumerates connected drives - 3 TTPs, 1 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  lb777.exe

Sets desktop wallpaper using registry - 2 TTPs, 1 IoCs
  description      ioc                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F98B.tmp.bmp"  lb777.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 64 IoCs
  pid   Process
  3012  lb777.exe  (identical entry repeated 64 times)
Drops file in Program Files directory - 64 IoCs
  description                   ioc                                                                                                                                         Process
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css  lb777.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\sl.txt  lb777.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv  lb777.exe
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287019.WMF  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar  lb777.exe
  File created                  C:\Program Files\Microsoft Games\More Games\de-DE\Restore-My-Files.txt  lb777.exe
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.DPV  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML  lb777.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF  lb777.exe
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SUMER_01.MID  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF  lb777.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00483_.WMF  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa  lb777.exe
  File created                  C:\Program Files\Java\jre7\lib\zi\Africa\Restore-My-Files.txt  lb777.exe
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg  lb777.exe
  File opened for modification  C:\Program Files\Windows Media Player\es-ES\WMPDMCCore.dll.mui  lb777.exe
  File created                  C:\Program Files\Windows Sidebar\es-ES\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.XML  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\macroprogress.gif  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties  lb777.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css  lb777.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv  lb777.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City  lb777.exe
  File opened for modification  C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui  lb777.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Restore-My-Files.txt  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00221_.WMF  lb777.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml  lb777.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml  lb777.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc  lb777.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp  lb777.exe
Enumerates physical storage devices - 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery - 1 TTPs, 5 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lb777.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fsutil.exe

System Network Configuration Discovery: Internet Connection Discovery - 1 TTPs, 2 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2088  cmd.exe
  2536  PING.EXE

Interacts with shadow copies - 3 TTPs, 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  Process
  892  vssadmin.exe

Modifies Control Panel - 2 IoCs
  description      ioc                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallpaperStyle = "2"  lb777.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\TileWallpaper = "0"   lb777.exe

Modifies Internet Explorer settings
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Runs ping.exe - 1 TTPs, 1 IoCs
  pid   Process
  2536  PING.EXE

Suspicious behavior: EnumeratesProcesses - 1 IoCs
  pid   Process
  3012  lb777.exe

Suspicious use of AdjustPrivilegeToken - 48 IoCs
  description                          pid   Process
  Token: SeTakeOwnershipPrivilege      3012  lb777.exe
  Token: SeDebugPrivilege              3012  lb777.exe
  Token: SeBackupPrivilege             2432  vssvc.exe
  Token: SeRestorePrivilege            2432  vssvc.exe
  Token: SeAuditPrivilege              2432  vssvc.exe
  Token: SeIncreaseQuotaPrivilege      612   WMIC.exe
  Token: SeSecurityPrivilege           612   WMIC.exe
  Token: SeTakeOwnershipPrivilege      612   WMIC.exe
  Token: SeLoadDriverPrivilege         612   WMIC.exe
  Token: SeSystemProfilePrivilege      612   WMIC.exe
  Token: SeSystemtimePrivilege         612   WMIC.exe
  Token: SeProfSingleProcessPrivilege  612   WMIC.exe
  Token: SeIncBasePriorityPrivilege    612   WMIC.exe
  Token: SeCreatePagefilePrivilege     612   WMIC.exe
  Token: SeBackupPrivilege             612   WMIC.exe
  Token: SeRestorePrivilege            612   WMIC.exe
  Token: SeShutdownPrivilege           612   WMIC.exe
  Token: SeDebugPrivilege              612   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  612   WMIC.exe
  Token: SeRemoteShutdownPrivilege     612   WMIC.exe
  Token: SeUndockPrivilege             612   WMIC.exe
  Token: SeManageVolumePrivilege       612   WMIC.exe
  Token: 33                            612   WMIC.exe
  Token: 34                            612   WMIC.exe
  Token: 35                            612   WMIC.exe
  (the 20 WMIC.exe entries above appear twice in the report, in the same order)
  Token: SeBackupPrivilege             2928  wbengine.exe
  Token: SeRestorePrivilege            2928  wbengine.exe
  Token: SeSecurityPrivilege           2928  wbengine.exe

Suspicious use of WriteProcessMemory - 35 IoCs
  description                       pid   Process    procid_target  (count)
  PID 3012 wrote to memory of 2028  3012  lb777.exe  31             x4
  PID 2028 wrote to memory of 892   2028  cmd.exe    33             x3
  PID 2028 wrote to memory of 612   2028  cmd.exe    36             x3
  PID 2028 wrote to memory of 2116  2028  cmd.exe    38             x3
  PID 2028 wrote to memory of 2944  2028  cmd.exe    39             x3
  PID 2028 wrote to memory of 2716  2028  cmd.exe    40             x3
  PID 3012 wrote to memory of 2756  3012  lb777.exe  45             x4
  PID 3012 wrote to memory of 2088  3012  lb777.exe  46             x4
  PID 2088 wrote to memory of 2536  2088  cmd.exe    49             x4
  PID 2088 wrote to memory of 1532  2088  cmd.exe    50             x4

Uses Task Scheduler COM API - 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\lb777.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
  PID: 3012
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      PID: 2028
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          PID: 892
          - Interacts with shadow copies

        C:\Windows\System32\Wbem\WMIC.exe
          command line: wmic shadowcopy delete
          PID: 612
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          PID: 2116
          - Modifies boot configuration data using bcdedit

        C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set {default} recoveryenabled no
          PID: 2944
          - Modifies boot configuration data using bcdedit

        C:\Windows\system32\wbadmin.exe
          command line: wbadmin delete catalog -quiet
          PID: 2716
          - Deletes backup catalog

    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      PID: 2756
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
      PID: 2088
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.7 -n 3
          PID: 2536
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        C:\Windows\SysWOW64\fsutil.exe
          command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\lb777.exe"
          PID: 1532
          - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2432
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 2928
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 200

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 2100
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (3)
Downloads

Filesize: 1KB
MD5: 235d551c00fb6625e502d5416656c996
SHA1: aa1b3832ec8bee9472d9deb90b4c8a3e612a5c4c
SHA256: 490c931e873034c2edb31139d011bb55be191b4c388d22a7b7a6741155411fdf
SHA512: 0d146f0b0a6acdae9e8656fff3340fd38d76cd607ea462bef7a5b424ba883b394eac1c4ce8dc5e21f556af8638d93b5aa554d224630ddd48e755cd5710f51dd4

Filesize: 14KB
MD5: caed202fd3550cce812e6f5e1909a005
SHA1: 22f57efaaaf69d60912203c3ceb2f34b067179e2
SHA256: c8e86f78c32eec8e04f82bd5bc1cc315a54824e27fe8ab2730dc51f8a8e579a0
SHA512: 50a57f17cfa5b16ae6eec24cc1f48148120de7512b202753c42bafc072028c333f6edafb4932aaeab6be858973cdbd12ba37e6e40fb06b59a9c3af3e282f1f77