lockbit-cases.zip

General
Target

lockbit-cases.zip

Size

2MB

Sample

210824-v96gc6ka5e

Score
10 /10
MD5

de6c6b3143f6d911c84e3a328854d98f

SHA1

902d930733dd950bb376cf46511489b6c82401d6

SHA256

d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702

SHA512

e87239cb4e2b79152baded43758adcb0cf980e32b11455b9072ce4059f4a4bf67b926631e67789a97ecb8ef917c7bc5f51f3cd16b41488724c4531890ae58a2a

Malware Config

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA9919DF127E95C9 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA9919DF127E95C9

Extracted

Path C:\odt\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BFA283CCB065F54C This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BFA283CCB065F54C

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445BBB8BE7AE573420D This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445BBB8BE7AE573420D

Extracted

Path C:\odt\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AC658FA8496DDB24 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AC658FA8496DDB24

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?920FDCBE179431D5C7ABD78340D1431A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A

http://lockbitks2tvnmwk.onion/?920FDCBE179431D5C7ABD78340D1431A

Extracted

Path C:\odt\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08

http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6B152EF89B5036107 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6B152EF89B5036107

Extracted

Path C:\odt\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?828C57864CBB23B6BC6E1135DE1B910E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?828C57864CBB23B6BC6E1135DE1B910E

Extracted

Path C:\Program Files\7-Zip\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DE924ECA22D0A0ED0 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DE924ECA22D0A0ED0

Extracted

Path C:\odt\Restore-My-Files.txt
Family lockbit
Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DC60BFC436554DCCC This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DC60BFC436554DCCC
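All ten notes above point at the same Tor panel host (two of them also at a clearnet mirror) and carry a 32-hex ID in the URL query string; the two notes dropped by one sample (the 7-Zip and odt paths) share the first 16 hex digits of that ID. The Python below is an added example and not part of this sandbox report: it turns the notes into structured indicators (attacker hosts, IDs, and whether the note's verbatim misspellings are present) and groups the IDs by that shared prefix. The note texts are quoted from this page and excerpted with "..." to the lines the parser needs; the BENIGN_HOSTS list and the 16-digit grouping width are assumptions made here.

```python
"""Added example (not part of the sandbox report): turn the extracted LockBit
ransom notes into structured indicators. Note texts are quoted from this page,
excerpted with "..." to the parts the parser needs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
# The notes on this page carry a 32-hex ID as the query string of the panel URL.
ID_RE = re.compile(r"\?([0-9A-F]{32})$")
# Sites the note tells the victim to use; not attacker infrastructure (assumption).
BENIGN_HOSTS = {"www.torproject.org", "bridges.torproject.org",
                "tb-manual.torproject.org"}
# Misspellings present verbatim in every note on this page. Left uncorrected on
# purpose: they are what a string match on disk or in memory will hit.
TYPOS = ("thrid-party", "RESTORE YOU DATA POSIBLE ONLY BUYING")

# (drop path, note text) pairs quoted from the report, excerpted with "..."
NOTES = [
    (r"C:\Program Files\7-Zip\Restore-My-Files.txt",
     "All your important files are encrypted! Any attempts to restore your "
     "files with the thrid-party software will be fatal for your files! "
     "RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. ... "
     "1. Download Tor browser - https://www.torproject.org/ and install it. | "
     "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/"
     "?83ED6257CCE5CF86BA9919DF127E95C9 This link only works in Tor Browser! ... "
     "Use https://bridges.torproject.org or use Tor Browser over VPN. "
     "# Tor Browser user manual https://tb-manual.torproject.org/about !!!"),
    (r"C:\odt\Restore-My-Files.txt",
     "... thrid-party ... RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. ... "
     "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/"
     "?83ED6257CCE5CF86BFA283CCB065F54C This link only works in Tor Browser! ..."),
    (r"C:\Program Files\7-Zip\Restore-My-Files.txt",
     "... thrid-party ... RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. "
     "1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link "
     "http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A | 2. Follow "
     "the instructions on this page 2) Through a Tor Browser - recommended | ... "
     "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/"
     "?920FDCBE179431D5C7ABD78340D1431A This link only works in Tor Browser! ..."),
    (r"C:\odt\Restore-My-Files.txt",
     "... http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08 ... "
     "http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08 ..."),
]


def parse_note(path, text):
    """Return the attacker URLs, the IDs they carry, and which typos are present."""
    urls, ids = [], set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,!")  # drop trailing punctuation the regex swallowed
        if urlsplit(url).hostname in BENIGN_HOSTS:
            continue
        urls.append(url)
        m = ID_RE.search(url)
        if m:
            ids.add(m.group(1))
    return {"path": path, "urls": urls, "ids": sorted(ids),
            "typos": [t for t in TYPOS if t in text]}


def attacker_hosts(records):
    """Deduplicated hostnames the notes direct the victim to (excluding Tor Project)."""
    return sorted({urlsplit(u).hostname for r in records for u in r["urls"]})


def group_by_prefix(records, n=16):
    """Group note IDs by their first n hex digits. On this page the two notes
    dropped by one sample (7-Zip and odt paths) share the first 16."""
    groups = defaultdict(list)
    for r in records:
        for i in r["ids"]:
            groups[i[:n]].append(i)
    return dict(groups)


RECORDS = [parse_note(p, t) for p, t in NOTES]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["path"], r["ids"], r["typos"])
    print("hosts:", attacker_hosts(RECORDS))
    for prefix, ids in group_by_prefix(RECORDS).items():
        print(prefix, "->", ids)
```

Keep the misspellings uncorrected in any detection content built from this page: "thrid-party" and "RESTORE YOU DATA POSIBLE" appear in every note here, whereas the query-string ID differs per note and per drop path. Treat the shared 16-digit prefix as an observation about these five pairs, not as a documented ID format.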

Targets
Target

0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

MD5

1fbef2a9007eb0e32fb586e0fca3f0e7

Filesize

151KB

Score
10 /10
SHA1

3e86304198d1185a36834e59147fc767315d8678

SHA256

0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

SHA512

94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger
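The signatures above name behaviours (shadow-copy deletion, bcdedit changes, wbadmin catalog deletion, Run-key persistence, and, on other samples in this archive, a wallpaper change) but not the command lines or registry paths behind them. The Python below is an added example and not part of the report: it shows how an analyst would match those behaviours in process-creation and registry-set telemetry and rate the combination rather than any single event. The event records are constructed here in a Sysmon-like shape, the command-line patterns are the forms commonly reported for LockBit and are assumptions (the report lists the behaviour, not the command), and the technique IDs are the current ATT&CK IDs for the TTP names the report uses.

```python
"""Added example (not part of the sandbox report): match the recovery-inhibition
and persistence behaviours listed in the signatures against process-creation
and registry events, then rate the combination per actor process."""
import re
from collections import defaultdict

# Command-line forms commonly reported for LockBit; assumed here, since the
# report names the behaviour but does not print the command lines it observed.
PROCESS_RULES = [
    ("Deletes shadow copies", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("Deletes shadow copies", "T1490",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Modifies boot configuration data using bcdedit", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Deletes backup catalog", "T1490",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
REGISTRY_RULES = [
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("Sets desktop wallpaper using registry", "T1491.001",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
]

# Constructed events in a Sysmon-like shape (not taken from the report).
# pid/ppid values and the SID are placeholders.
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4120, "ppid": 3300,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "pid": 4124, "ppid": 3300,
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "host": "ws01", "pid": 4130, "ppid": 3300,
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "host": "ws01", "pid": 4131, "ppid": 3300,
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "host": "ws01", "pid": 4140, "ppid": 3300,
     "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "registry", "host": "ws01", "pid": 3300,
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\sample"},
    {"type": "registry", "host": "ws01", "pid": 3300,
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Control Panel\Desktop\Wallpaper"},
    # Benign noise on another host: listing shadows, and an installer's Run key.
    {"type": "process", "host": "srv02", "pid": 900, "ppid": 880,
     "cmdline": "vssadmin list shadows"},
    {"type": "registry", "host": "srv02", "pid": 880,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]


def match_event(ev):
    """Return the (signature, technique) pairs a single event satisfies."""
    hits = []
    if ev["type"] == "process":
        hits = [(n, t) for n, t, pat in PROCESS_RULES if pat.search(ev["cmdline"])]
    elif ev["type"] == "registry":
        hits = [(n, t) for n, t, pat in REGISTRY_RULES if pat.search(ev["key"])]
    return hits


def triage(events):
    """Attribute hits to the process that caused them (the parent for spawned
    tools, the writer for registry events) and rate the combination."""
    by_actor = defaultdict(set)
    for ev in events:
        actor = ev["ppid"] if ev["type"] == "process" else ev["pid"]
        for hit in match_event(ev):
            by_actor[(ev["host"], actor)].add(hit)
    verdicts = {}
    for key, hits in by_actor.items():
        recovery = {n for n, t in hits if t == "T1490"}
        if len(recovery) >= 2:
            level = "high"    # shadows plus BCD/catalog together is the ransomware pattern
        elif recovery:
            level = "medium"
        else:
            level = "low"     # a Run key or wallpaper change alone is common admin noise
        verdicts[key] = (level, sorted(hits))
    return verdicts


if __name__ == "__main__":
    for (host, actor), (level, hits) in triage(EVENTS).items():
        print(f"{host} pid={actor} {level}: {[n for n, _ in hits]}")
```

The scoring deliberately needs two distinct recovery-inhibition behaviours from one actor before it calls the activity high: each of these commands also appears in legitimate backup maintenance. Command-line matching only sees the spawned tools; a sample that deletes shadow copies through the WMI or COM interfaces in-process leaves no vssadmin or wmic process event, so pair this with the registry rules and with file-system telemetry (the Restore-My-Files.txt drops listed above, the renamed extensions) rather than relying on it alone.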

Related Tasks

Target

1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

MD5

1f4f6abfced4c347ba951a04c8d86982

Filesize

150KB

Score
10 /10
SHA1

a4c486b0926f55e99d12f749135612602cc4bf64

SHA256

1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18

SHA512

ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

MD5

4de69c226426a742a17ade81cde8d1f9

Filesize

316KB

Score
10 /10
SHA1

ea10e601a2fb81362687421bc0b8f9d6238d7dfa

SHA256

1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592

SHA512

26cab9c626d2d2332942808d1d71f0f8f114d1b8a6e1f3d760850a065a4856c1c2ba9c896be0353457c684f4251357a3bd641dc7547940651cc70fb9050a4c6a

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

MD5

9fe9f4ee717bae3a5c9fdf1d380e015d

Filesize

67KB

Score
10 /10
SHA1

7df22f2fbe86a07070f262f94e233860b6ae66b2

SHA256

1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770

SHA512

546deacbdcfb91a01895fef3a4775f2542642cb20999c5936f50715f173db327c9a8fa5dade93e6fa5cfdc9db3b12238ce20dc7dc41fe9874453e1bf4621224a

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

MD5

207718c939673a5f674ce51f402cfc06

Filesize

150KB

Score
10 /10
SHA1

791f60a24f9b6589a2afed48b3ec17fad43bc1db

SHA256

26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739

SHA512

61a00f0da602100ca4913e94720f873ef682b793e246d9e7e119c9947c102e2888be64cee72e851ef3d24fbbd671cbe70af162f10049e8ef75b475b4a032e701

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

MD5

5cc28691fdaa505b8f453e3500e3d690

Filesize

765KB

Score
10 /10
SHA1

cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02

SHA256

286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f

SHA512

0c4eb6a067456c91af908a4c2f77e84a80ba8d77682ba00b06a56af4062e2caf68cb7e63ef7500ae13a1bfa9a2062d838ecbc9aa418daf7faa9b0083f788d847

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

MD5

ec273b5841eadfc43b1908c9905e95a3

Filesize

150KB

Score
10 /10
SHA1

71e7990c8c81ef6c4e265eae11030886c40cc8b0

SHA256

410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677

SHA512

164875eb5d8ff791fae4baa2a83d957cbe8fc7a6eaf1ffd3f93162ee21c52d01db80e0df17e1162991e380331b4098759f771c96a84374834603b6296c2b633d

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

MD5

8ab0375228416b89becff72a0ae40654

Filesize

546KB

Score
10 /10
SHA1

75f06b636efe53360287c0ff1f51ea7de1e7c8b5

SHA256

5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db

SHA512

c9f500f347b3b35beeecc1b7ab9fda273a149376d488f68eb456a5625e9c5bf541d85ddbdd7c127c9d92406d9ea9e7d15aae9d4d4c518bce926a55bf1b106277

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

Target

69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

MD5

49250b4aa060299f0c8f67349c942d1c

Filesize

150KB

Score
10 /10
SHA1

4d0e6d7af9a5edece5273f3c312fdd3b9c229409

SHA256

69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997

SHA512

289c4277e945b1f30d07c699ebc7cf332835433e0d9f393120a6e208e1e7906133d6405665b676a8d3abccf5dbac58789f1f9372b892b36c42cd628d2638e6c3

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

MD5

9a246bf39f3fab9c2d45f1003bdc6b45

Filesize

343KB

Score
10 /10
SHA1

f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc

SHA256

76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78

SHA512

fe0fba6970c2e08ddfcfc867644bce49e8d609f1b98aa638f7dd88dac84c71da164ad7fbbd13469504407e82282618e71bc31fb3d57e5d1df906bfb2a1b0addf

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

MD5

388eafffcc96c71c317cf0908d3a133b

Filesize

146KB

Score
10 /10
SHA1

16e5c5a81a88cb73464d92edf5bec7199907afb9

SHA256

91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

SHA512

6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

MD5

e4179bca5bf5b1fd51172d629f5521f8

Filesize

546KB

Score
10 /10
SHA1

488e532e55100da68eaeee30ba342cc05810e296

SHA256

ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75

SHA512

9370d3a2b8d118de6396909b0ca3c1e62e374020ddb0c8a94713f0b596391f20008797509abf300f2241327fe1bfa3338623a56b9be55bd013b6b56e26430035

Tags

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Runs wbadmin.exe to delete the Windows Backup catalog, so that backups made with Windows Backup / wbadmin can no longer be listed or restored from the host's own catalog.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

Target

e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

MD5

123511227718f17b3dec5431d5ae87f3

Filesize

151KB

Score
10 /10
SHA1

307088ae7027b55541311fd70a9337ff3709fccf

SHA256

e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

SHA512

182a45c60c0c14d55e40c7941836d7d658623a66ce7760eb71d8836ffa7974a0d1d3132b919fad921abecc9215ce458f06e563417c70682a9935a02d8053b234

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Description

    Deletes Volume Shadow Copies, the local snapshots Windows uses for System Restore and "Previous Versions". Ransomware removes them so that encrypted files cannot be rolled back from the machine itself, leaving only offline or off-host backups.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Runs wbadmin.exe to delete the Windows Backup catalog, so that backups made with Windows Backup / wbadmin can no longer be listed or restored from the host's own catalog.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

MD5

a04a99d946fb08b2f65ba664ad7faebd

Filesize

762KB

Score
10 /10
SHA1

1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1

SHA256

faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

SHA512

1afde06049a7132e552681a71f74fbb09ac5b26e05c0570af95de0ce4484eb647f2afb781c0683fdba6cb37daacf1c6be690b5208df477158a4d8d45e4c2e374

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

  • Deletes shadow copies

    Description

    Deletes Volume Shadow Copies, the local snapshots Windows uses for System Restore and "Previous Versions". Ransomware removes them so that encrypted files cannot be rolled back from the machine itself, leaving only offline or off-host backups.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Runs wbadmin.exe to delete the Windows Backup catalog, so that backups made with Windows Backup / wbadmin can no longer be listed or restored from the host's own catalog.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

MD5

0859a78bb06a77e7c6758276eafbefd9

Filesize

191KB

Score
10 /10
SHA1

a72e18efa33f1e3438dbb4451c335d487cbd4082

SHA256

ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

SHA512

49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d

Signatures

  • Lockbit

    Description

    Ransomware family with multiple variants released since late 2019.

  • Modifies system executable filetype association

    TTPs

    Modify Registry, Change Default File Association
  • Deletes shadow copies

    Description

    Deletes Volume Shadow Copies, the local snapshots Windows uses for System Restore and "Previous Versions". Ransomware removes them so that encrypted files cannot be rolled back from the machine itself, leaving only offline or off-host backups.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit

    TTPs

    Inhibit System Recovery
  • Deletes backup catalog

    Description

    Runs wbadmin.exe to delete the Windows Backup catalog, so that backups made with Windows Backup / wbadmin can no longer be listed or restored from the host's own catalog.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Reads files from web-browser profile directories, which hold saved credentials, cookies and browsing history. This is infostealer behaviour rather than anything an encryptor needs, so for this sample it should be treated as a data-theft indicator alongside the encryption.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

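The signatures that recur across every sample above (shadow-copy deletion, bcdedit, wbadmin, the Run key and the wallpaper value) are the behaviours a detection engineer would want to match in process and registry telemetry. The Python below is an added example, not part of this sandbox report or of any LockBit tooling: it classifies constructed event lines against those signature names and scores how many distinct Inhibit System Recovery techniques fired. The pipe-separated event format, process IDs and file paths are made up; the command-line arguments matched for vssadmin, wmic, bcdedit and wbadmin are typical invocations and are an assumption, since the report records only that bcdedit and wbadmin were used, not their arguments, and does not name the tool used to delete shadow copies.

```python
"""Classify process-creation and registry-set events against the LockBit
signatures listed on this page.  Added example, not part of the sandbox
report; the event lines and their pipe-separated format are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Signatures the page files under the Inhibit System Recovery TTP (ATT&CK T1490).
INHIBIT_RECOVERY = {
    "Deletes shadow copies",
    "Modifies boot configuration data using bcdedit",
    "Deletes backup catalog",
}

# (signature name as listed on this page, event kind, pattern over the detail field).
# ASSUMPTION: the arguments matched below are typical invocations; the report
# names bcdedit and wbadmin but not their arguments, and does not say which
# tool deleted the shadow copies (vssadmin and wmic are the usual ones).
RULES = [
    ("Deletes shadow copies", "process",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("Deletes shadow copies", "process",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Modifies boot configuration data using bcdedit", "process",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled|bootstatuspolicy)\b", re.I)),
    ("Deletes backup catalog", "process",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    # Registry Run Keys / Startup Folder (T1547.001): a value written under a Run key.
    ("Adds Run key to start application", "registry",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    # Defacement (T1491) through the per-user wallpaper value.
    ("Sets desktop wallpaper using registry", "registry",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
]

# Constructed events: kind|pid|image|detail, where detail is the command line
# for process events and the registry value path for registry events.
SAMPLE_EVENTS = r"""
process|1337|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet
process|1338|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled no
process|1339|C:\Windows\System32\cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
process|1340|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet
process|1341|C:\Windows\System32\services.exe|svchost.exe -k netsvcs
registry|1342|C:\Users\victim\AppData\Local\Temp\sample.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample
registry|1343|C:\Users\victim\AppData\Local\Temp\sample.exe|HKCU\Control Panel\Desktop\Wallpaper
registry|1344|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
"""


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "registry" (detail = value path)
    pid: int
    image: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed kind|pid|image|detail lines, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, pid, image, detail = line.split("|", 3)
        events.append(Event(kind, int(pid), image, detail))
    return events


def classify(event: Event) -> set[str]:
    """Return the page signature names whose rules match this single event."""
    return {name for name, kind, rx in RULES if kind == event.kind and rx.search(event.detail)}


def scan(text: str) -> dict[str, list[Event]]:
    """Map each signature name to the events that triggered it, in input order."""
    hits: dict[str, list[Event]] = defaultdict(list)
    for ev in parse_events(text):
        for name in classify(ev):
            hits[name].append(ev)
    return dict(hits)


def recovery_inhibition_score(hits: dict[str, list[Event]]) -> int:
    """Count distinct Inhibit System Recovery signatures that fired (0..3).
    One shadow-copy deletion can be routine administration; all three
    techniques together, as every sample on this page shows, is the
    ransomware pattern worth paging on."""
    return len(INHIBIT_RECOVERY & set(hits))


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for name, evs in sorted(found.items()):
        print(f"{name}: pids {[e.pid for e in evs]}")
    print("inhibit-system-recovery score:", recovery_inhibition_score(found), "/ 3")
```

A single shadow-copy deletion is routine on a backup server, so the score matters more than any one rule: the samples on this page trigger all three recovery-inhibition signatures, and production logic would additionally key on the parent process and a short time window rather than on the whole log.
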
Related Tasks

MITRE ATT&CK Matrix
Tasks

static1

9/10