Overview
overview
10Static
static
100f178bc093...35.exe
windows7-x64
100f178bc093...35.exe
windows10-2004-x64
101b109db549...18.exe
windows7-x64
101b109db549...18.exe
windows10-2004-x64
101dbe9f9565...92.exe
windows7-x64
101dbe9f9565...92.exe
windows10-2004-x64
101e3bf358c7...70.exe
windows7-x64
101e3bf358c7...70.exe
windows10-2004-x64
1026b6a9fecf...39.exe
windows7-x64
1026b6a9fecf...39.exe
windows10-2004-x64
10286bffaa9c...3f.exe
windows7-x64
10286bffaa9c...3f.exe
windows10-2004-x64
10410c884d88...77.exe
windows7-x64
10410c884d88...77.exe
windows10-2004-x64
105072678821...db.exe
windows7-x64
105072678821...db.exe
windows10-2004-x64
1069d9dd7fdd...97.exe
windows7-x64
1069d9dd7fdd...97.exe
windows10-2004-x64
1076a77def28...78.exe
windows7-x64
1076a77def28...78.exe
windows10-2004-x64
1091d1ab6c30...31.exe
windows7-x64
1091d1ab6c30...31.exe
windows10-2004-x64
10ca57455fd1...75.exe
windows7-x64
10ca57455fd1...75.exe
windows10-2004-x64
10e3f236e4ae...77.exe
windows7-x64
10e3f236e4ae...77.exe
windows10-2004-x64
10faa3453ceb...69.exe
windows7-x64
10faa3453ceb...69.exe
windows10-2004-x64
10ffbb6c4d8d...4d.exe
windows7-x64
10ffbb6c4d8d...4d.exe
windows10-2004-x64
10Analysis
-
max time kernel
76s -
max time network
26s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
28-12-2024 23:40
Behavioral task
behavioral1
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral4
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral14
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral18
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral22
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
-
Size
150KB
-
MD5
ec273b5841eadfc43b1908c9905e95a3
-
SHA1
71e7990c8c81ef6c4e265eae11030886c40cc8b0
-
SHA256
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
-
SHA512
164875eb5d8ff791fae4baa2a83d957cbe8fc7a6eaf1ffd3f93162ee21c52d01db80e0df17e1162991e380331b4098759f771c96a84374834603b6296c2b633d
-
SSDEEP
3072:LmB81yVWHb1eIifPpZyiGUH6pGxfF6hH0hMqqD/A6zHv/:Lc8sVWOmyaWeqqD///
Malware Config
Extracted
C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
lockbit
http://lockbitks2tvnmwk.onion/?AAE804B63F2D44F79EB942613F1DCC1D
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2352 bcdedit.exe 3044 bcdedit.exe -
Renames multiple (8709) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 3284 wbadmin.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe\"" 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01590_.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\main.css 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files (x86)\Windows Mail\de-DE\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00910_.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\VideoLAN\VLC\Documentation.url 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10336_.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanLetter.Dotx 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cayenne 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Restore-My-Files.txt 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2448 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe Token: SeDebugPrivilege 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe Token: SeBackupPrivilege 2868 vssvc.exe Token: SeRestorePrivilege 2868 vssvc.exe Token: SeAuditPrivilege 2868 vssvc.exe Token: SeIncreaseQuotaPrivilege 3256 WMIC.exe Token: SeSecurityPrivilege 3256 WMIC.exe Token: SeTakeOwnershipPrivilege 3256 WMIC.exe Token: SeLoadDriverPrivilege 3256 WMIC.exe Token: SeSystemProfilePrivilege 3256 WMIC.exe Token: SeSystemtimePrivilege 3256 WMIC.exe Token: SeProfSingleProcessPrivilege 3256 WMIC.exe Token: SeIncBasePriorityPrivilege 3256 WMIC.exe Token: SeCreatePagefilePrivilege 3256 WMIC.exe Token: SeBackupPrivilege 3256 WMIC.exe Token: SeRestorePrivilege 3256 WMIC.exe Token: SeShutdownPrivilege 3256 WMIC.exe Token: SeDebugPrivilege 3256 WMIC.exe Token: SeSystemEnvironmentPrivilege 3256 WMIC.exe Token: SeRemoteShutdownPrivilege 3256 WMIC.exe Token: SeUndockPrivilege 3256 WMIC.exe Token: SeManageVolumePrivilege 3256 WMIC.exe Token: 33 3256 WMIC.exe Token: 34 3256 WMIC.exe Token: 35 3256 WMIC.exe Token: SeIncreaseQuotaPrivilege 3256 WMIC.exe Token: SeSecurityPrivilege 3256 WMIC.exe Token: SeTakeOwnershipPrivilege 3256 WMIC.exe Token: SeLoadDriverPrivilege 3256 WMIC.exe Token: SeSystemProfilePrivilege 3256 WMIC.exe Token: SeSystemtimePrivilege 3256 WMIC.exe Token: SeProfSingleProcessPrivilege 3256 WMIC.exe Token: SeIncBasePriorityPrivilege 3256 WMIC.exe Token: SeCreatePagefilePrivilege 3256 WMIC.exe Token: SeBackupPrivilege 3256 WMIC.exe Token: SeRestorePrivilege 3256 WMIC.exe Token: SeShutdownPrivilege 3256 WMIC.exe Token: SeDebugPrivilege 3256 WMIC.exe Token: SeSystemEnvironmentPrivilege 3256 WMIC.exe Token: SeRemoteShutdownPrivilege 3256 WMIC.exe Token: SeUndockPrivilege 3256 WMIC.exe Token: SeManageVolumePrivilege 3256 WMIC.exe Token: 33 3256 WMIC.exe Token: 34 3256 WMIC.exe Token: 35 3256 WMIC.exe Token: SeBackupPrivilege 3808 wbengine.exe Token: SeRestorePrivilege 3808 wbengine.exe Token: SeSecurityPrivilege 3808 wbengine.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 840 wrote to memory of 2288 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 30 PID 840 wrote to memory of 2288 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 30 PID 840 wrote to memory of 2288 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 30 PID 840 wrote to memory of 2288 840 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe 30 PID 2288 wrote to memory of 2448 2288 cmd.exe 32 PID 2288 wrote to memory of 2448 2288 cmd.exe 32 PID 2288 wrote to memory of 2448 2288 cmd.exe 32 PID 2288 wrote to memory of 3256 2288 cmd.exe 35 PID 2288 wrote to memory of 3256 2288 cmd.exe 35 PID 2288 wrote to memory of 3256 2288 cmd.exe 35 PID 2288 wrote to memory of 2352 2288 cmd.exe 37 PID 2288 wrote to memory of 2352 2288 cmd.exe 37 PID 2288 wrote to memory of 2352 2288 cmd.exe 37 PID 2288 wrote to memory of 3044 2288 cmd.exe 38 PID 2288 wrote to memory of 3044 2288 cmd.exe 38 PID 2288 wrote to memory of 3044 2288 cmd.exe 38 PID 2288 wrote to memory of 3284 2288 cmd.exe 39 PID 2288 wrote to memory of 3284 2288 cmd.exe 39 PID 2288 wrote to memory of 3284 2288 cmd.exe 39 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe"C:\Users\Admin\AppData\Local\Temp\410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2448
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2352
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3044
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:3284
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3636
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:3512
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
960B
MD590dcd77bf56b3893fd8d81020f0e2e02
SHA17967e8f85ce935e317e74931847123fbeec9ebce
SHA256f0e61e76b0af872eaba38d8978c32db4c6afbd45dbe771195546a86b02ff0e1c
SHA512863773cf36657ba713fab446a1edc9416ae7de3469479dc315a46689cb615b0472505d1e4638102f7abcfd829f47199a79f5069eb6e0417473e3987dff4298d6