Overview

overview

10

Static

static

ca57455fd1...le.exe

windows7_x64

10

ca57455fd1...le.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.sample.exe

  • Size

    546KB

  • MD5

    e4179bca5bf5b1fd51172d629f5521f8

  • SHA1

    488e532e55100da68eaeee30ba342cc05810e296

  • SHA256

    ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

  • SHA512

    9370d3a2b8d118de6396909b0ca3c1e62e374020ddb0c8a94713f0b596391f20008797509abf300f2241327fe1bfa3338623a56b9be55bd013b6b56e26430035

Score
10/10
lockbitevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DCF6A6E2621246736 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DCF6A6E2621246736

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.sample.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1752
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2752
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2764
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" & Del /f /q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.7 -n 3
          4⤵
          • Runs ping.exe
          PID:1776
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          4⤵
          • Drops file in Windows directory
          PID:1544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 740
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2876
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2916
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2944

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1032-64-0x00000000020B0000-0x00000000020B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1032-60-0x0000000075591000-0x0000000075593000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1156-62-0x000000000041B160-mapping.dmp
        Download
      • memory/1156-61-0x0000000000400000-0x000000000042A000-memory.dmp
        Filesize

        168KB

        Download
      • memory/1156-65-0x0000000000400000-0x000000000042A000-memory.dmp
        Filesize

        168KB

        Download
      • memory/1544-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1724-66-0x0000000000000000-mapping.dmp
        Download
      • memory/1752-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1776-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1832-68-0x0000000000000000-mapping.dmp
        Download
      • memory/2752-69-0x0000000000000000-mapping.dmp
        Download
      • memory/2764-70-0x0000000000000000-mapping.dmp
        Download
      • memory/2776-72-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2776-71-0x0000000000000000-mapping.dmp
        Download
      • memory/2816-74-0x0000000000000000-mapping.dmp
        Download
      • memory/2816-76-0x0000000000E00000-0x0000000000E01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2860-73-0x0000000000000000-mapping.dmp
        Download