Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
06-05-2021 13:37
General
-
Target
8B87A11BCEAB4AA5.exe
-
Size
146KB
-
MD5
b3175331ae74ee277e94d3e0bc982bf4
-
SHA1
db0731d693a1ac46706825dcb91193ae4efec482
-
SHA256
d5ea463e0719ee2d1705ff305cdd8529bd2ff23dde79c502c4f478937a91f874
-
SHA512
38318d3e6461b72c6111e96c4d5aab830e5824b8ef762360d894ea67d9e16b12d54087f7f0fcc8c579824753df039b137294ba6abab0171e294f2c538cc6fa8a
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
1) Through a standard browser(FireFox, Chrome, Edge, Opera)
| 1. Open link http://lockbit-decryptor.top/?8B87A11BCEAB4AA5C8319A110BCA9D28
| 2. Follow the instructions on this page
2) Through a Tor Browser - recommended
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5C8319A110BCA9D28
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbit-decryptor.top/?8B87A11BCEAB4AA5C8319A110BCA9D28
http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5C8319A110BCA9D28
Extracted
Path
C:\Users\Admin\Desktop\LockBit-note.hta
Ransom Note
Lock BIT
Any attempts to restore your files with the thrid-party software will be fatal for your files!
Restore you data posible only buying private key from us.
There is only one way to get your files back:
Through a standard browser Open link - http://lockbit-decryptor.top/?8B87A11BCEAB4AA5C8319A110BCA9D28 Follow the instructions on this page
Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5C8319A110BCA9D28 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbit-decryptor.top/?8B87A11BCEAB4AA5C8319A110BCA9D28
http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5C8319A110BCA9D28
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8B87A11BCEAB4AA5.exe"C:\Users\Admin\AppData\Local\Temp\8B87A11BCEAB4AA5.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\8B87A11BCEAB4AA5.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\8B87A11BCEAB4AA5.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\8B87A11BCEAB4AA5.exe"3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\LockBit-note.htaMD5
d2341b1757aab42898d9a5c0ade6278e
SHA1ea44022173f56500c89b8ba4c10d5972238be3a6
SHA25651df3c52b04dae95151b39de4ccd44d2cb187c99359ec2b08d30977755f3a154
SHA512695f6b4e1ec9dad4221313df7a52811cccd335b44d1d273db8773339e9a2eefa13ef4169e4d202d827ef55a6009b4c22959a87b3b9663feb795b0e9942ff9535
-
memory/656-71-0x0000000000000000-mapping.dmp
-
memory/1116-59-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB
-
memory/1168-62-0x0000000000000000-mapping.dmp
-
memory/1708-61-0x0000000000000000-mapping.dmp
-
memory/1796-60-0x0000000000000000-mapping.dmp
-
memory/2832-63-0x0000000000000000-mapping.dmp
-
memory/2888-64-0x0000000000000000-mapping.dmp
-
memory/2944-65-0x0000000000000000-mapping.dmp
-
memory/2980-66-0x0000000000000000-mapping.dmp
-
memory/2992-67-0x0000000000000000-mapping.dmp
-
memory/3004-68-0x0000000000000000-mapping.dmp
-
memory/3004-69-0x000007FEFC301000-0x000007FEFC303000-memory.dmpFilesize
8KB