Overview

overview

10

Static

static

9

0f178bc093...35.exe

windows7_x64

10

0f178bc093...35.exe

windows10_x64

10

1b109db549...18.exe

windows7_x64

10

1b109db549...18.exe

windows10_x64

10

1dbe9f9565...92.exe

windows7_x64

10

1dbe9f9565...92.exe

windows10_x64

10

1e3bf358c7...70.exe

windows7_x64

10

1e3bf358c7...70.exe

windows10_x64

10

26b6a9fecf...39.exe

windows7_x64

10

26b6a9fecf...39.exe

windows10_x64

10

286bffaa9c...3f.exe

windows7_x64

10

286bffaa9c...3f.exe

windows10_x64

10

410c884d88...77.exe

windows7_x64

10

410c884d88...77.exe

windows10_x64

10

5072678821...db.exe

windows7_x64

10

5072678821...db.exe

windows10_x64

10

69d9dd7fdd...97.exe

windows7_x64

10

69d9dd7fdd...97.exe

windows10_x64

10

76a77def28...78.exe

windows7_x64

10

76a77def28...78.exe

windows10_x64

10

91d1ab6c30...31.exe

windows7_x64

10

91d1ab6c30...31.exe

windows10_x64

10

ca57455fd1...75.exe

windows7_x64

10

ca57455fd1...75.exe

windows10_x64

10

e3f236e4ae...77.exe

windows7_x64

10

e3f236e4ae...77.exe

windows10_x64

10

faa3453ceb...69.exe

windows7_x64

10

faa3453ceb...69.exe

windows10_x64

10

ffbb6c4d8d...4d.exe

windows7_x64

10

ffbb6c4d8d...4d.exe

windows10_x64

10

Analysis

  • max time kernel
    612s
  • max time network
    390s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-08-2021 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe

  • Size

    146KB

  • MD5

    388eafffcc96c71c317cf0908d3a133b

  • SHA1

    16e5c5a81a88cb73464d92edf5bec7199907afb9

  • SHA256

    91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631

  • SHA512

    6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515

Score
10/10
lockbitevasionpersistenceransomware

Malware Config

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?A94ED07AA2CAF6C8E1AC231471E0C10A | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8E1AC231471E0C10A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?A94ED07AA2CAF6C8E1AC231471E0C10A

http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8E1AC231471E0C10A

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?A94ED07AA2CAF6C8E1AC231471E0C10A Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8E1AC231471E0C10A This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?A94ED07AA2CAF6C8E1AC231471E0C10A

http://lockbitks2tvnmwk.onion/?A94ED07AA2CAF6C8E1AC231471E0C10A

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
    "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:188
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3448
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1240
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1532
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:3136
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:5076
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • Runs ping.exe
          PID:408
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe"
          3⤵
            PID:4896
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:248
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:4004
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:3376

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        File Deletion

        3
        T1107

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        Peripheral Device Discovery

        2
        T1120

        System Information Discovery

        3
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        4
        T1490

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\LockBit-note.hta
          MD5

          b11b9cd05addc72d3518174491268fb5

          SHA1

          a38a426de1407e5e0c5ba5edff29bd524f7cc193

          SHA256

          53e433a9c7264979430878c101c89e739b7f635fae247b294d77ff015d2c727a

          SHA512

          03f51f92b3d2607dd0a38d7572f7c64daef44721ce80ff30150984330922c23f06a743e9fc0c167107f32fb5c9ca3c5738013ad005cb4f871dc3a5b2621c06c7

          Download Submit
        • memory/188-115-0x0000000000000000-mapping.dmp
          Download
        • memory/408-122-0x0000000000000000-mapping.dmp
          Download
        • memory/1240-117-0x0000000000000000-mapping.dmp
          Download
        • memory/1532-118-0x0000000000000000-mapping.dmp
          Download
        • memory/3136-119-0x0000000000000000-mapping.dmp
          Download
        • memory/3448-116-0x0000000000000000-mapping.dmp
          Download
        • memory/3980-114-0x0000000000000000-mapping.dmp
          Download
        • memory/4896-124-0x0000000000000000-mapping.dmp
          Download
        • memory/5076-120-0x0000000000000000-mapping.dmp
          Download
        • memory/5100-121-0x0000000000000000-mapping.dmp
          Download