General

Target: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.sample
Size: 191KB
Sample: 210726-aas92be7lx
MD5: 0859a78bb06a77e7c6758276eafbefd9
SHA1: a72e18efa33f1e3438dbb4451c335d487cbd4082
SHA256: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
SHA512: 49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d
Static task: static1

Behavioral task: behavioral1
Sample: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.sample.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.sample.exe
Resource: win10v20210410
Malware Config

Extracted
Path: C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445C9CAADAA8972EE59

Extracted
Path: C:\odt\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AEF9BD5B3752EDE4

Both ransom notes point at the same .onion host; the two 32-hex query strings differ only after their first 16 characters (F51E3D94FA5D7445).
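The following Python is an added example for working with the extracted config above; it is not the sandbox's own code. The note paths, family label, onion URLs and file hashes are copied from this report. The ransom-note body is a constructed placeholder that exists only to exercise the URL extractor, and the function names are this example's own.

```python
"""Turn the ransom-note IOCs the sandbox extracted into something a responder
can match against: onion host, victim identifier and the sample's hashes.

Added example, not the sandbox's code.  Paths, family, URLs and hashes are
copied from the report; CONSTRUCTED_NOTE is invented placeholder text."""
import hashlib
import os
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# v2 (16 chars) or v3 (56 chars) onion host, followed by a 32-hex query string
# as seen in the report's two URLs.
ONION_URL_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/\?[0-9a-f]{32}\b", re.I)


@dataclass(frozen=True)
class NoteIOC:
    path: str    # where the sandbox found the note
    family: str  # family label assigned by the config extractor
    url: str     # onion URL embedded in the note

    @property
    def onion_host(self) -> str:
        return urlsplit(self.url).hostname

    @property
    def victim_id(self) -> str:
        # The 32-hex query string; upper-cased so IDs compare consistently.
        return urlsplit(self.url).query.upper()


# Copied from the report's "Malware Config" section.
REPORTED_NOTES = [
    NoteIOC(r"C:\Program Files\7-Zip\Restore-My-Files.txt", "lockbit",
            "http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445C9CAADAA8972EE59"),
    NoteIOC(r"C:\odt\Restore-My-Files.txt", "lockbit",
            "http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AEF9BD5B3752EDE4"),
]

# Copied from the report's "General" section.
REPORTED_HASHES = {
    "md5": "0859a78bb06a77e7c6758276eafbefd9",
    "sha1": "a72e18efa33f1e3438dbb4451c335d487cbd4082",
    "sha256": "ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d",
    "sha512": "49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1"
              "e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d",
}

# Constructed placeholder body; only the URL line comes from the report.
CONSTRUCTED_NOTE = (
    "Constructed placeholder ransom-note text.\n"
    "Open the following address in Tor Browser:\n"
    "http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445C9CAADAA8972EE59\n"
)


def extract_onion_urls(text: str) -> list:
    """Pull every onion URL with a 32-hex query string out of a note body."""
    return [m.group(0) for m in ONION_URL_RE.finditer(text)]


def victim_ids_by_host(notes) -> dict:
    """Group the extracted identifiers by the onion host they point at."""
    grouped = {}
    for note in notes:
        grouped.setdefault(note.onion_host, []).append(note.victim_id)
    return {host: sorted(ids) for host, ids in grouped.items()}


def shared_prefix(ids) -> str:
    """Longest common leading substring of the identifiers (pure observation)."""
    return os.path.commonprefix(list(ids))


def matches_report(data: bytes) -> dict:
    """Compare a file's digests with the report; every entry must be True for a match."""
    return {name: hashlib.new(name, data).hexdigest() == digest
            for name, digest in REPORTED_HASHES.items()}


if __name__ == "__main__":
    print(extract_onion_urls(CONSTRUCTED_NOTE))
    print(victim_ids_by_host(REPORTED_NOTES))
    print(shared_prefix(n.victim_id for n in REPORTED_NOTES))
    print(matches_report(b"not the sample"))
```

`matches_report` is the check to run against a file recovered from a host before assuming it is this sample; a partial match (for example MD5 only) should be treated as no match. `shared_prefix` only reports what the two URLs on this page show, it does not interpret the LockBit identifier format.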
Targets

Target: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.sample (191KB; MD5, SHA1, SHA256 and SHA512 as listed under General)

Signatures
- Modifies system executable filetype association
  Writes to the registry association that controls how .exe files are opened.
- Modifies boot configuration data using bcdedit
  bcdedit edits the Windows Boot Configuration Data store; ransomware commonly uses it to switch off boot recovery options so the machine cannot be repaired from the boot menu.
- Executes dropped EXE
  Runs an executable the sample itself wrote to disk.
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
  Loads a DLL the sample itself wrote to disk.
- Adds Run key to start application
  Persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run, which Windows executes at logon.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  Writes the Wallpaper value under HKCU\Control Panel\Desktop; ransomware typically replaces the wallpaper with its ransom message.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger; an anti-analysis technique.
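The following Python is an added example of turning the behaviour signatures above into host-side detection logic; it is not the sandbox's detection code. The event records are constructed, Sysmon-like dictionaries (EventID 1 = process creation, 11 = file create, 13 = registry value set): the field names are Sysmon's, but the values are illustrative and are not this sample's recorded activity. The mapping of registry paths to signature names is this example's assumption; the ransom-note filename comes from the report's Malware Config.

```python
"""Match host telemetry against the behaviour signatures listed in the report.

Added example, not the sandbox's own logic.  CONSTRUCTED_EVENTS are invented,
Sysmon-shaped records; only the Restore-My-Files.txt path is from the report."""
import re

# Signature names exactly as the report lists them, plus one of our own.
SIG_BCDEDIT = "Modifies boot configuration data using bcdedit"
SIG_RUNKEY = "Adds Run key to start application"
SIG_WALLPAPER = "Sets desktop wallpaper using registry"
SIG_DESKTOP_INI = "Drops desktop.ini file(s)"
SIG_EXEFILE = "Modifies system executable filetype association"
SIG_NOTE = "Drops ransom note Restore-My-Files.txt"  # name is ours; path from report

# Registry paths assumed to correspond to the signatures (example's assumption).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
EXEFILE_RE = re.compile(r"\\exefile\\shell\\open\\command", re.I)


def classify(event: dict) -> set:
    """Return the set of report signatures a single event satisfies."""
    hits = set()
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        # Any bcdedit /set changes the BCD store; arguments vary per sample.
        if image.endswith("\\bcdedit.exe") and "/set" in cmd:
            hits.add(SIG_BCDEDIT)
    elif eid == 11:  # file create
        name = event.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
        if name == "desktop.ini":
            hits.add(SIG_DESKTOP_INI)
        if name == "restore-my-files.txt":
            hits.add(SIG_NOTE)
    elif eid == 13:  # registry value set
        key = event.get("TargetObject", "")
        if RUN_KEY_RE.search(key):
            hits.add(SIG_RUNKEY)
        if WALLPAPER_RE.search(key):
            hits.add(SIG_WALLPAPER)
        if EXEFILE_RE.search(key):
            hits.add(SIG_EXEFILE)
    return hits


def triage(events) -> dict:
    """Map each signature hit to the ProcessIds that produced it."""
    by_sig = {}
    for event in events:
        for sig in classify(event):
            by_sig.setdefault(sig, []).append(event.get("ProcessId"))
    return by_sig


# Constructed records; the SID, paths and command lines are illustrative.
_SID = "S-1-5-21-1111-2222-3333-1001"
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 13, "ProcessId": 1234,
     "TargetObject": rf"HKU\{_SID}\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Local\Temp\sample.exe"},
    {"EventID": 13, "ProcessId": 1234,
     "TargetObject": rf"HKU\{_SID}\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\ProgramData\wall.bmp"},
    {"EventID": 11, "ProcessId": 1234, "TargetFilename": r"C:\odt\Restore-My-Files.txt"},
    {"EventID": 11, "ProcessId": 1234, "TargetFilename": r"C:\Users\user\Pictures\desktop.ini"},
    {"EventID": 1, "ProcessId": 9999, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},  # benign control record
]

if __name__ == "__main__":
    for sig, pids in sorted(triage(CONSTRUCTED_EVENTS).items()):
        print(f"{sig}: pids {sorted(set(pids))}")
```

On real telemetry, feed `classify` from the Sysmon event log rather than from the embedded list; the value of grouping by ProcessId is that a single process tripping several of these signatures (boot recovery tampering, Run key, wallpaper, ransom note) is a far stronger signal than any one of them alone.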