jupyter | 23c4794ca962fc10014553c6104a7a3376daca28eab3b1ac68d9f3730a731364

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
Size

4.7MB
MD5

c9f9ddc9c5b15abee4fea6cf5ec271bd
SHA1

9e63d0e79cc4b5b0decb2edc48e86ac106008bb5
SHA256

23c4794ca962fc10014553c6104a7a3376daca28eab3b1ac68d9f3730a731364
SHA512

2ba741c36c77d8512cad1880d51cf54c9dcf1e7ea1632de13fe853af90262c38a483c0f4227f1038962a92f2a95d72e714cd11b2282be04443bdf688c12f9536
SSDEEP

24576:Klxi3JTsw4N98PaPCGh8o0gwvtbxC4673zOQyS5lv3b8aURcAnbDHwKc:Kx467iDSTg

Score

10^/10

jupyter maze backdoor discovery ransomware spyware stealer trojan

Malware Config

Signatures

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter
Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Maze family
maze

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\DRIVERS\c3.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\c3.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\vmtray.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\J:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\M:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\N:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\T:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\U:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\Y:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\K:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\O:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\L:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\P:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\V:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\W:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\X:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\Z:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\G:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\I:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\Q:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\R:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\S:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened (read-only)	\??\E:	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\LogonUIinf.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\tmp.vbs\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\CONFIG\ai.pst\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\9cda11af69ab0a2b6a9167f7131e7b93.key\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\oci.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msinp.ps1	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogonUIinf.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\logging.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\9cda11af69ab0a2b6a9167f7131e7b93.key	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\Explrer	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\winsta.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\oci.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\UIAnimation.xml	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\1.update	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\IsAdm.txt	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\photo.vbs\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\CDPSSVC.DLL\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\thumb.db	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED.ps1\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\perfconfm.dat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msrdc64.dat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\mssysmgr.ocx\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\logging.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\winsta.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\qzy.txt\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\CONFIG\ai.pst	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\nsreg1.dat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\cache.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\cache.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WBEM\MOF\sysnullevnt.mof	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WBEM\MOF\sysnullevnt.mof\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SYSVOLS\commands.txt	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wsdchngr.drx	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\PCI.JPG	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\Config\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\HDWID.DAT\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WINDOWSPOWERSHELL\V1.0\dbghelp.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\office.vbs	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\CDPSSVC.DLL	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\defender.reg	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\qzy.txt	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\SINF.DAT	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wmkawe_3636071.data	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\1055cf76.tmp	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\UIAnimation.xml\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\MUI\log.log	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\igfxme.vbs\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\photo.vbs	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msmp4dec.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\perfcon.dat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SYSVOLS\log.log	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogMeInUpdService\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\igfxme.vbs	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\SINF.DAT\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\HDWID.DAT	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\office.vbs\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\mssysmgr.ocx	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\defender.reg\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\IsAdm.txt\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msinp.ps1\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WINDOWSPOWERSHELL\V1.0\dbghelp.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\tmp.vbs	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msobjs.drx\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\dmlconf.dat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\dmlconf.dat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\complete.dat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket64.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket64.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\TCLS	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\WinSoft Update Service\pythonw.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\IOBIT\iobit.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\complete.dat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\TCLS\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\WinSoft Update Service\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\IOBIT\iobit.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\INF\averbh_noav.pnf	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\HELP\cnwb.html	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dimens.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\udbcgiut.dat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Sql\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\searchfiles.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Basta_Ransomware.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MsMpEng.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\tWjdf.js	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SATURN_RANSOM.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\ApcHelper.sys	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MICROSOFT.NET\traffmonetizer\	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\my1.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\update4.ps1	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\logg.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\sqlwriter.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SQL\taskhost.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\client.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\commit.dll\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dispci.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\ie11.pnf	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\spoolsw.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\mtmndkb32.pnf	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\mtmndkb32.pnf\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\WEB\c3.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\ApcHelper.sys\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dispci.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\spoolsw.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MsMpEng.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\api.config\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\wmi.dll.bak	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Wininet.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Pagesfilo.sys	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dimens.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\q1.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\tWjdf.js\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\hdv_725x.sys\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SQL\taskhost.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\sqlwriter.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\delog.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\wmi.dll.bak\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\logg.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Wininet.bat	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Basta_Ransomware.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\searchfiles.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\setupact64.log	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\WEB\c3.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\client.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\commit.dll	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\setupact64.log\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\averbh_noav.pnf\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\my1.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\update4.ps1\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\sysupdate.log	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Pagesfilo.sys\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MICROSOFT.NET\traffmonetizer\Traffmonetizer.exe	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SATURN_RANSOM.exe\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\delog.bat\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\api.config	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\sysupdate.log\TEXPLORE	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\hdv_725x.sys	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
848	2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-07_c9f9ddc9c5b15abee4fea6cf5ec271bd_derusbi_lockbit_wannacry.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EXTROYAN\Windows\Tedea

Filesize
30B

MD5
e6731435bd09c2a059162569ef98d177

SHA1
adb8ac77a81873966fdc94daba861e12e872c780

SHA256
ca59656b89b2bd54323eac6099b41b34892269a3706edf81eedea8f6dc7e22a1

SHA512
aa0e96472609649d592c99869050ce7dfb994e6ee54023364c76af3b887744bcce4f86225fbe34169d164a610d34f6da20e07e748dc0561bdc718256e16037fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timetest

Filesize
16KB

MD5
577ac518fe278a7c161e4876fa630d57

SHA1
cd67b2a189b821364381e348cc6df062dc680532

SHA256
c27907a7ac72ed1312c38a07e469ce9583f1858d2417d4408dca7bdd214ceaa9

SHA512
279bb5763145b4800b08fd97be36413399b126599e0778f019cdfb25fd84dd3b010071067b126102ec36c34d4cff030e248c509932fa177ede289a8496536321

Download Submit
C:\eris.was

Filesize
20B

MD5
dc1187cdd2ecc593e027d5e0a22e3136

SHA1
a7b53cc8bd6a1e2cdd2c50edaece16eccd45c15e

SHA256
a9b7de9a4a699b745d4ac014f7f6bbe3c84cdc89834caf630a7509d3754e6f1f

SHA512
5ee7e518796d4b5c34af36cbf64be6c27807d27e3a5cc8a0068ac7338108cde2460bb4d8db4c7a096129d3145a3a05bc9d06bf7b90ebe50154f1e3bcfbc5195b

Download Submit