General

  • Target

    lockbit-cases.zip

  • Size

    2.5MB

  • Sample

    210824-v96gc6ka5e

  • MD5

    de6c6b3143f6d911c84e3a328854d98f

  • SHA1

    902d930733dd950bb376cf46511489b6c82401d6

  • SHA256

    d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702

  • SHA512

    e87239cb4e2b79152baded43758adcb0cf980e32b11455b9072ce4059f4a4bf67b926631e67789a97ecb8ef917c7bc5f51f3cd16b41488724c4531890ae58a2a

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA9919DF127E95C9 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA9919DF127E95C9

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BFA283CCB065F54C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BFA283CCB065F54C

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445BBB8BE7AE573420D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445BBB8BE7AE573420D

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AC658FA8496DDB24 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AC658FA8496DDB24

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?920FDCBE179431D5C7ABD78340D1431A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A

http://lockbitks2tvnmwk.onion/?920FDCBE179431D5C7ABD78340D1431A

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08

http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6B152EF89B5036107 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6B152EF89B5036107

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6BC6E1135DE1B910E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6BC6E1135DE1B910E

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DE924ECA22D0A0ED0 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DE924ECA22D0A0ED0

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DC60BFC436554DCCC This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DC60BFC436554DCCC

Targets

    • Target

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • Size

      151KB

    • MD5

      1fbef2a9007eb0e32fb586e0fca3f0e7

    • SHA1

      3e86304198d1185a36834e59147fc767315d8678

    • SHA256

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • SHA512

      94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • Size

      150KB

    • MD5

      1f4f6abfced4c347ba951a04c8d86982

    • SHA1

      a4c486b0926f55e99d12f749135612602cc4bf64

    • SHA256

      1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

    • SHA512

      ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

    • Size

      316KB

    • MD5

      4de69c226426a742a17ade81cde8d1f9

    • SHA1

      ea10e601a2fb81362687421bc0b8f9d6238d7dfa

    • SHA256

      1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

    • SHA512

      26cab9c626d2d2332942808d1d71f0f8f114d1b8a6e1f3d760850a065a4856c1c2ba9c896be0353457c684f4251357a3bd641dc7547940651cc70fb9050a4c6a

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

    • Size

      67KB

    • MD5

      9fe9f4ee717bae3a5c9fdf1d380e015d

    • SHA1

      7df22f2fbe86a07070f262f94e233860b6ae66b2

    • SHA256

      1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

    • SHA512

      546deacbdcfb91a01895fef3a4775f2542642cb20999c5936f50715f173db327c9a8fa5dade93e6fa5cfdc9db3b12238ce20dc7dc41fe9874453e1bf4621224a

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

    • Size

      150KB

    • MD5

      207718c939673a5f674ce51f402cfc06

    • SHA1

      791f60a24f9b6589a2afed48b3ec17fad43bc1db

    • SHA256

      26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

    • SHA512

      61a00f0da602100ca4913e94720f873ef682b793e246d9e7e119c9947c102e2888be64cee72e851ef3d24fbbd671cbe70af162f10049e8ef75b475b4a032e701

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

    • Size

      765KB

    • MD5

      5cc28691fdaa505b8f453e3500e3d690

    • SHA1

      cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02

    • SHA256

      286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

    • SHA512

      0c4eb6a067456c91af908a4c2f77e84a80ba8d77682ba00b06a56af4062e2caf68cb7e63ef7500ae13a1bfa9a2062d838ecbc9aa418daf7faa9b0083f788d847

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

    • Size

      150KB

    • MD5

      ec273b5841eadfc43b1908c9905e95a3

    • SHA1

      71e7990c8c81ef6c4e265eae11030886c40cc8b0

    • SHA256

      410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

    • SHA512

      164875eb5d8ff791fae4baa2a83d957cbe8fc7a6eaf1ffd3f93162ee21c52d01db80e0df17e1162991e380331b4098759f771c96a84374834603b6296c2b633d

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

    • Size

      546KB

    • MD5

      8ab0375228416b89becff72a0ae40654

    • SHA1

      75f06b636efe53360287c0ff1f51ea7de1e7c8b5

    • SHA256

      5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

    • SHA512

      c9f500f347b3b35beeecc1b7ab9fda273a149376d488f68eb456a5625e9c5bf541d85ddbdd7c127c9d92406d9ea9e7d15aae9d4d4c518bce926a55bf1b106277

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

    • Size

      150KB

    • MD5

      49250b4aa060299f0c8f67349c942d1c

    • SHA1

      4d0e6d7af9a5edece5273f3c312fdd3b9c229409

    • SHA256

      69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

    • SHA512

      289c4277e945b1f30d07c699ebc7cf332835433e0d9f393120a6e208e1e7906133d6405665b676a8d3abccf5dbac58789f1f9372b892b36c42cd628d2638e6c3

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

    • Size

      343KB

    • MD5

      9a246bf39f3fab9c2d45f1003bdc6b45

    • SHA1

      f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc

    • SHA256

      76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

    • SHA512

      fe0fba6970c2e08ddfcfc867644bce49e8d609f1b98aa638f7dd88dac84c71da164ad7fbbd13469504407e82282618e71bc31fb3d57e5d1df906bfb2a1b0addf

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

    • Size

      146KB

    • MD5

      388eafffcc96c71c317cf0908d3a133b

    • SHA1

      16e5c5a81a88cb73464d92edf5bec7199907afb9

    • SHA256

      91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

    • SHA512

      6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

    • Size

      546KB

    • MD5

      e4179bca5bf5b1fd51172d629f5521f8

    • SHA1

      488e532e55100da68eaeee30ba342cc05810e296

    • SHA256

      ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

    • SHA512

      9370d3a2b8d118de6396909b0ca3c1e62e374020ddb0c8a94713f0b596391f20008797509abf300f2241327fe1bfa3338623a56b9be55bd013b6b56e26430035

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

    • Size

      151KB

    • MD5

      123511227718f17b3dec5431d5ae87f3

    • SHA1

      307088ae7027b55541311fd70a9337ff3709fccf

    • SHA256

      e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

    • SHA512

      182a45c60c0c14d55e40c7941836d7d658623a66ce7760eb71d8836ffa7974a0d1d3132b919fad921abecc9215ce458f06e563417c70682a9935a02d8053b234

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

    • Size

      762KB

    • MD5

      a04a99d946fb08b2f65ba664ad7faebd

    • SHA1

      1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1

    • SHA256

      faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

    • SHA512

      1afde06049a7132e552681a71f74fbb09ac5b26e05c0570af95de0ce4484eb647f2afb781c0683fdba6cb37daacf1c6be690b5208df477158a4d8d45e4c2e374

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

    • Size

      191KB

    • MD5

      0859a78bb06a77e7c6758276eafbefd9

    • SHA1

      a72e18efa33f1e3438dbb4451c335d487cbd4082

    • SHA256

      ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

    • SHA512

      49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Modifies system executable filetype association

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Techniques are grouped by tactic; each entry gives the technique name, the count reported by the sandbox, and the ATT&CK technique ID.

Execution

  • Command-Line Interface (15) T1059
  • Scripting (2) T1064

Persistence

  • Registry Run Keys / Startup Folder (15) T1060
  • Change Default File Association (1) T1042

Defense Evasion

  • File Deletion (45) T1107
  • Modify Registry (26) T1112
  • Scripting (2) T1064

Credential Access

  • Credentials in Files (1) T1081

Discovery

  • Query Registry (30) T1012
  • Peripheral Device Discovery (30) T1120
  • System Information Discovery (43) T1082
  • Remote System Discovery (9) T1018

Collection

  • Data from Local System (1) T1005

Impact

  • Inhibit System Recovery (60) T1490
  • Defacement (9) T1491

Tasks

Each task is listed with its tags and score.

  • static1: cryptone, packer, upx. Score 9/10
  • behavioral1: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral2: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral3: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral4: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral5: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral6: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral7: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral8: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral9: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral10: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral11: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral12: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral13: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral14: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral15: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral16: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral17: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral18: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral19: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral20: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral21: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral22: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral23: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral24: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral25: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral26: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral27: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral28: lockbit, evasion, persistence, ransomware. Score 10/10
  • behavioral29: lockbit, evasion, persistence, ransomware, spyware, stealer. Score 10/10
  • behavioral30: lockbit, evasion, persistence, ransomware, spyware, stealer. Score 10/10