04psi.zip

General
Target

04psi.zip

Size

100KB

Sample

201110-tjrd82d9ee

Score
10 /10
MD5

ea211b888d483e9d624e7927aa6487bb

SHA1

e7cec3c59fb6055ad5c62e1178a96a84e01d2a93

SHA256

a10400d1b68c46db52f94a07b4e2714bbcf319778ee9eda05f6aab0e9f545c09

SHA512

5c4a0eebc6910a39503d80d7cdcdb2a977576a7fccba7319bfd6434df58ce2e54de2bc4bcc64f0e5141d98f46eba465c79ece11e83d857bb8f9e28fb70817f68

Malware Config

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE

http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE

Extracted

Family smokeloader
Version 2020
C2

http://rexstat35xm.xyz/statweb577/

http://dexspot2cx.club/statweb577/

http://atxspot20cx.best/statweb577/

http://rexspot7xm.xyz/statweb577/

http://datasectex.com/statweb577/

http://servicem977xm.xyz/statweb577/

http://advertxman7cx.xyz/statweb577/

http://starxpush7xm.xyz/statweb577/

rc4.i32
rc4.i32

Extracted

Family dridex
Botnet 10111
C2

194.150.118.7:443

49.212.179.180:3889

69.64.62.4:4443

rc4.plain
rc4.plain

Extracted

Path C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email pexdatax@gmail.com YOUR ID If you have not been answered via the link within 12 hours, write to Telegram:@pexdata - our telegram contact or http://pexdatax.com/ or email pexdatax@gmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

pexdatax@gmail.com

URLs

http://pexdatax.com/

Extracted

Path C:\Users\Admin\Desktop\LockBit-note.hta
Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE

http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE

Targets
Target

04psi.exe

MD5

4bc2708122b1e43131888d1beee6c560

Filesize

237KB

Score
10 /10
SHA1

8a82caf8b8f908898145e953ef8f1e665e8058db

SHA256

3fc06d1926ada759903e4ebc197f9da5baa80fb8f729f34395dd7c67e2d58a8c

SHA512

fcf714de9ae1d23ebe054f601938653f9643dbbf288319b4c3b2872544dbb2c82c5db8a4abc64a146648da9f5b71760ce485c1b5935473d214736438dffc2749

Tags

Signatures

  • Dharma

    Description

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    Tags

  • Dridex

    Description

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    Tags

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Dridex Loader

    Description

    Detects Dridex both x86 and x64 loader in memory.

    Tags

  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface File Deletion Inhibit System Recovery
  • Executes dropped EXE

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • JavaScript code in executable

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications

    Description

    Malware can proxy its traffic through Tor for more anonymity.

    TTPs

    Connection Proxy
  • Drops file in System32 directory

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    Tags

    TTPs

    System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
Credential Access
Exfiltration
    Initial Access
      Lateral Movement
        Privilege Escalation