General

Target: b3175331_by_Libranalysis
Size: 146KB
Sample: 210506-wz4yy86j9j
MD5: b3175331ae74ee277e94d3e0bc982bf4
SHA1: db0731d693a1ac46706825dcb91193ae4efec482
SHA256: d5ea463e0719ee2d1705ff305cdd8529bd2ff23dde79c502c4f478937a91f874
SHA512: 38318d3e6461b72c6111e96c4d5aab830e5824b8ef762360d894ea67d9e16b12d54087f7f0fcc8c579824753df039b137294ba6abab0171e294f2c538cc6fa8a
Static task: static1

Behavioral task: behavioral1
Sample: b3175331_by_Libranalysis.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: b3175331_by_Libranalysis.exe
Resource: win10v20210408
Malware Config

Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URLs:
- http://lockbit-decryptor.top/?8B87A11BCEAB4AA5A78753A51BA078A4
- http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5A78753A51BA078A4

Extracted from: C:\Users\Admin\Desktop\LockBit-note.hta
URLs:
- http://lockbit-decryptor.top/?8B87A11BCEAB4AA5A78753A51BA078A4
- http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5A78753A51BA078A4

Extracted from: C:\odt\Restore-My-Files.txt
Family: lockbit
URLs:
- http://lockbit-decryptor.top/?8B87A11BCEAB4AA5CFA3F7DE8D570CD4
- http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5CFA3F7DE8D570CD4

Extracted from: C:\Users\Admin\Desktop\LockBit-note.hta
URLs:
- http://lockbit-decryptor.top/?8B87A11BCEAB4AA5CFA3F7DE8D570CD4
- http://lockbitks2tvnmwk.onion/?8B87A11BCEAB4AA5CFA3F7DE8D570CD4
Targets

Target: b3175331_by_Libranalysis (146KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
Score: 10/10

Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Deletes itself
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger