Overview

overview

10

Static

static

8

cafe54e85c...15.exe

windows7_x64

10

cafe54e85c...15.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-09-2021 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

  • Size

    250KB

  • MD5

    f08e24f57501f2c4e009b6a7d9249e99

  • SHA1

    cb590e4eaab33bba84082f3acbe01f35e1ce710f

  • SHA256

    cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915

  • SHA512

    6f4305c80a49d234ffe423c08512c1685208bcc557d2e18cdff30757ad7b77c51d73046a44cb88bfe6fc31549bbd393a7bd100d1ece26ac3f56cb0e41c4cdb75

Score
10/10
lockfileransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note
LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use
URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

  • LockFile

    LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.

    ransomwarelockfile
  • Drops file in Drivers directory 9 IoCs
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Kills process with WMI 9 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
    "C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%vmwp%'" call terminate
        3⤵
        • Kills process with WMI
        • Suspicious use of AdjustPrivilegeToken
        PID:356
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%virtualbox%'" call terminate
        3⤵
        • Kills process with WMI
        • Suspicious use of AdjustPrivilegeToken
        PID:1252
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%vbox%'" call terminate
        3⤵
        • Kills process with WMI
        PID:1468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%sqlservr%'" call terminate
        3⤵
        • Kills process with WMI
        PID:1820
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%mysqld%'" call terminate
        3⤵
        • Kills process with WMI
        PID:2296
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%omtsreco%'" call terminate
        3⤵
        • Kills process with WMI
        PID:2648
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%oracle%'" call terminate
        3⤵
        • Kills process with WMI
        PID:3564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%tnslsnr%'" call terminate
        3⤵
        • Kills process with WMI
        PID:4004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where "name like '%vmware%'" call terminate
        3⤵
        • Kills process with WMI
        PID:3976
    • C:\Windows\SYSTEM32\mshta.exe
      mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:1340
      • C:\Windows\SYSTEM32\mshta.exe
        mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
          PID:1332
        • C:\Windows\SYSTEM32\mshta.exe
          mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          2⤵
            PID:2656
          • C:\Windows\SYSTEM32\mshta.exe
            mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            2⤵
              PID:1036
            • C:\Windows\SYSTEM32\mshta.exe
              mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              2⤵
                PID:952
              • C:\Windows\SYSTEM32\mshta.exe
                mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                2⤵
                  PID:1648
                • C:\Windows\SYSTEM32\mshta.exe
                  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                  2⤵
                    PID:1468
                  • C:\Windows\SYSTEM32\mshta.exe
                    mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                    2⤵
                      PID:2312
                    • C:\Windows\SYSTEM32\mshta.exe
                      mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                      2⤵
                        PID:1344
                      • C:\Windows\SYSTEM32\cmd.exe
                        cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe" && exit
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1260
                        • C:\Windows\system32\PING.EXE
                          ping 127.0.0.1 -n 5
                          3⤵
                          • Runs ping.exe
                          PID:1512
                      • C:\Windows\SYSTEM32\mshta.exe
                        mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                        2⤵
                          PID:2772

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads