Overview
overview
10Static
static
100f178bc093...35.exe
windows7-x64
100f178bc093...35.exe
windows10-2004-x64
101b109db549...18.exe
windows7-x64
101b109db549...18.exe
windows10-2004-x64
101dbe9f9565...92.exe
windows7-x64
101dbe9f9565...92.exe
windows10-2004-x64
101e3bf358c7...70.exe
windows7-x64
101e3bf358c7...70.exe
windows10-2004-x64
1026b6a9fecf...39.exe
windows7-x64
1026b6a9fecf...39.exe
windows10-2004-x64
10286bffaa9c...3f.exe
windows7-x64
10286bffaa9c...3f.exe
windows10-2004-x64
10410c884d88...77.exe
windows7-x64
10410c884d88...77.exe
windows10-2004-x64
105072678821...db.exe
windows7-x64
105072678821...db.exe
windows10-2004-x64
1069d9dd7fdd...97.exe
windows7-x64
1069d9dd7fdd...97.exe
windows10-2004-x64
1076a77def28...78.exe
windows7-x64
1076a77def28...78.exe
windows10-2004-x64
1091d1ab6c30...31.exe
windows7-x64
1091d1ab6c30...31.exe
windows10-2004-x64
10ca57455fd1...75.exe
windows7-x64
10ca57455fd1...75.exe
windows10-2004-x64
10e3f236e4ae...77.exe
windows7-x64
10e3f236e4ae...77.exe
windows10-2004-x64
10faa3453ceb...69.exe
windows7-x64
10faa3453ceb...69.exe
windows10-2004-x64
10ffbb6c4d8d...4d.exe
windows7-x64
10ffbb6c4d8d...4d.exe
windows10-2004-x64
10Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2024 23:40
Behavioral task
behavioral1
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral3
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win7-20241010-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral4
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral5
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral6
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral7
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral8
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
Behavioral task
behavioral9
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win7-20240708-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral10
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral11
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral12
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral13
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win7-20241010-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral14
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral15
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral16
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral17
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win7-20241023-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral18
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral19
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral20
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
21 signatures
150 seconds
Behavioral task
behavioral21
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win7-20240729-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral22
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
26 signatures
150 seconds
Behavioral task
behavioral23
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral24
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral25
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win7-20240708-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral26
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral27
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral28
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral29
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win7-20240903-en
windows7-x64
32 signatures
150 seconds
Behavioral task
behavioral30
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
32 signatures
150 seconds
General
-
Target
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
-
Size
765KB
-
MD5
5cc28691fdaa505b8f453e3500e3d690
-
SHA1
cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02
-
SHA256
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f
-
SHA512
0c4eb6a067456c91af908a4c2f77e84a80ba8d77682ba00b06a56af4062e2caf68cb7e63ef7500ae13a1bfa9a2062d838ecbc9aa418daf7faa9b0083f788d847
-
SSDEEP
12288:A1kx1gjdatSK411nhuGvv6DuQ4yPcFy62eaFsvXPAVVRSPq2hvP:A1kfoatSK41dhuGvQgy6GWQxSvX
Malware Config
Extracted
Path
C:\Program Files\dotnet\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59C7159D4B42C6D6C4
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbitks2tvnmwk.onion/?C841D0BEAB3F0D59C7159D4B42C6D6C4
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2336 bcdedit.exe 3676 bcdedit.exe -
Renames multiple (6439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1196 wbadmin.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe\"" 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-100.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Studio.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\ui-strings.js 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\uninstall.log 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-256.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files\Windows Defender\en-US\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSmallTile.scale-100.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16_altform-unplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlOuterCircle.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-72_altform-unplated_contrast-white.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_OwlEye.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-lightunplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-200.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square71x71Logo.scale-100.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-REGULAR.TTF 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60_altform-unplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\12.rsrc 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.5eee580c.pri 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-400.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\de-DE.PhoneNumber.model 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Java\jre-1.8\LICENSE 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnscfg.exe.mui 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\3DViewerProductDescription-universal.xml 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-150.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\iheart-radio.scale-200.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-256_altform-unplated_contrast-white.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File created C:\Program Files (x86)\Windows Media Player\en-US\Restore-My-Files.txt 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-150.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2440 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe Token: SeDebugPrivilege 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe Token: SeBackupPrivilege 5032 vssvc.exe Token: SeRestorePrivilege 5032 vssvc.exe Token: SeAuditPrivilege 5032 vssvc.exe Token: SeIncreaseQuotaPrivilege 4616 WMIC.exe Token: SeSecurityPrivilege 4616 WMIC.exe Token: SeTakeOwnershipPrivilege 4616 WMIC.exe Token: SeLoadDriverPrivilege 4616 WMIC.exe Token: SeSystemProfilePrivilege 4616 WMIC.exe Token: SeSystemtimePrivilege 4616 WMIC.exe Token: SeProfSingleProcessPrivilege 4616 WMIC.exe Token: SeIncBasePriorityPrivilege 4616 WMIC.exe Token: SeCreatePagefilePrivilege 4616 WMIC.exe Token: SeBackupPrivilege 4616 WMIC.exe Token: SeRestorePrivilege 4616 WMIC.exe Token: SeShutdownPrivilege 4616 WMIC.exe Token: SeDebugPrivilege 4616 WMIC.exe Token: SeSystemEnvironmentPrivilege 4616 WMIC.exe Token: SeRemoteShutdownPrivilege 4616 WMIC.exe Token: SeUndockPrivilege 4616 WMIC.exe Token: SeManageVolumePrivilege 4616 WMIC.exe Token: 33 4616 WMIC.exe Token: 34 4616 WMIC.exe Token: 35 4616 WMIC.exe Token: 36 4616 WMIC.exe Token: SeIncreaseQuotaPrivilege 4616 WMIC.exe Token: SeSecurityPrivilege 4616 WMIC.exe Token: SeTakeOwnershipPrivilege 4616 WMIC.exe Token: SeLoadDriverPrivilege 4616 WMIC.exe Token: SeSystemProfilePrivilege 4616 WMIC.exe Token: SeSystemtimePrivilege 4616 WMIC.exe Token: SeProfSingleProcessPrivilege 4616 WMIC.exe Token: SeIncBasePriorityPrivilege 4616 WMIC.exe Token: SeCreatePagefilePrivilege 4616 WMIC.exe Token: SeBackupPrivilege 4616 WMIC.exe Token: SeRestorePrivilege 4616 WMIC.exe Token: SeShutdownPrivilege 4616 WMIC.exe Token: SeDebugPrivilege 4616 WMIC.exe Token: SeSystemEnvironmentPrivilege 4616 WMIC.exe Token: SeRemoteShutdownPrivilege 4616 WMIC.exe Token: SeUndockPrivilege 4616 WMIC.exe Token: SeManageVolumePrivilege 4616 WMIC.exe Token: 33 4616 WMIC.exe Token: 34 4616 WMIC.exe Token: 35 4616 WMIC.exe Token: 36 4616 WMIC.exe Token: SeBackupPrivilege 1616 wbengine.exe Token: SeRestorePrivilege 1616 wbengine.exe Token: SeSecurityPrivilege 1616 wbengine.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1624 wrote to memory of 1928 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 87 PID 1624 wrote to memory of 1928 1624 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe 87 PID 1928 wrote to memory of 2440 1928 cmd.exe 89 PID 1928 wrote to memory of 2440 1928 cmd.exe 89 PID 1928 wrote to memory of 4616 1928 cmd.exe 93 PID 1928 wrote to memory of 4616 1928 cmd.exe 93 PID 1928 wrote to memory of 2336 1928 cmd.exe 94 PID 1928 wrote to memory of 2336 1928 cmd.exe 94 PID 1928 wrote to memory of 3676 1928 cmd.exe 95 PID 1928 wrote to memory of 3676 1928 cmd.exe 95 PID 1928 wrote to memory of 1196 1928 cmd.exe 96 PID 1928 wrote to memory of 1196 1928 cmd.exe 96 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe"C:\Users\Admin\AppData\Local\Temp\286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2440
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2336
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3676
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1196
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2648
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2592
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
960B
MD58e4ad01192eec3560b717529fa8e9d93
SHA1e64aa9d4d0e9d92e48d9cfe8caa0b8d417988555
SHA256a0198970d055c2028d74ab79390cc8238dfeb26492c91dec21539b25827cd431
SHA512c19214856c3081019b9dbfd91e2619c90e7cba16dd3795ac28822b73b06139b446a2c6b7cea46a192b62c5b2210cc056b2f118af526d65fd304e9873e9c063c4