lockbit | d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702

pid	Process
1472	bcdedit.exe
2076	bcdedit.exe

Renames multiple (6447) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
300	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe\""	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CFFB.tmp.bmp"	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-hover.svg	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\VALoading.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_altform-unplated_contrast-black.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-100_contrast-black.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-256_altform-lightunplated.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\ui-strings.js	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.ce48eef1.pri	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-200.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\View3d\3DViewerProductDescription-universal.xml	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.schema.mfl	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-150.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_Wind_sm.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36_altform-unplated.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-150.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\Restore-My-Files.txt	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5388	PING.EXE
5384	cmd.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
1092	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallpaperStyle = "2"	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\TileWallpaper = "0"	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5388	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Token: SeDebugPrivilege	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Token: SeBackupPrivilege	4508	vssvc.exe
Token: SeRestorePrivilege	4508	vssvc.exe
Token: SeAuditPrivilege	4508	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeBackupPrivilege	2828	wbengine.exe
Token: SeRestorePrivilege	2828	wbengine.exe
Token: SeSecurityPrivilege	2828	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4240	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe	83
PID 2368 wrote to memory of 4240	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe	83
PID 4240 wrote to memory of 1092	4240	cmd.exe	85
PID 4240 wrote to memory of 1092	4240	cmd.exe	85
PID 4240 wrote to memory of 5004	4240	cmd.exe	88
PID 4240 wrote to memory of 5004	4240	cmd.exe	88
PID 4240 wrote to memory of 1472	4240	cmd.exe	90
PID 4240 wrote to memory of 1472	4240	cmd.exe	90
PID 4240 wrote to memory of 2076	4240	cmd.exe	91
PID 4240 wrote to memory of 2076	4240	cmd.exe	91
PID 4240 wrote to memory of 300	4240	cmd.exe	92
PID 4240 wrote to memory of 300	4240	cmd.exe	92
PID 2368 wrote to memory of 5384	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe	105
PID 2368 wrote to memory of 5384	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe	105
PID 2368 wrote to memory of 5384	2368	69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe	105
PID 5384 wrote to memory of 5388	5384	cmd.exe	107
PID 5384 wrote to memory of 5388	5384	cmd.exe	107
PID 5384 wrote to memory of 5388	5384	cmd.exe	107
PID 5384 wrote to memory of 5476	5384	cmd.exe	108
PID 5384 wrote to memory of 5476	5384	cmd.exe	108
PID 5384 wrote to memory of 5476	5384	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
"C:\Users\Admin\AppData\Local\Temp\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1472
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2076
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:5384
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5388
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery