Resubmissions

10-11-2020 12:55

201110-tjrd82d9ee 10

07-11-2020 10:12

201107-lxpdbv9h4n 10

Analysis

  • max time kernel
    598s
  • max time network
    544s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-11-2020 12:55

General

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE

http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35xm.xyz/statweb577/

http://dexspot2cx.club/statweb577/

http://atxspot20cx.best/statweb577/

http://rexspot7xm.xyz/statweb577/

http://datasectex.com/statweb577/

http://servicem977xm.xyz/statweb577/

http://advertxman7cx.xyz/statweb577/

http://starxpush7xm.xyz/statweb577/

rc4.i32
rc4.i32

Extracted

Family

dridex

Botnet

10111

C2

194.150.118.7:443

49.212.179.180:3889

69.64.62.4:4443

rc4.plain
rc4.plain

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to Telegram:@pexdata - our telegram contact or http://pexdatax.com/ or email [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

http://pexdatax.com/

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9E834EF1D6581820AFA5574D180B63CE

http://lockbitks2tvnmwk.onion/?9E834EF1D6581820AFA5574D180B63CE

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 72 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 60 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 275 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 52628 IoCs