General

Target: 6456728996708352.zip
Size: 7.3MB
Sample: 211020-qa5zyshag9
MD5: fb3dd594d3b743beed9232420fbbc6c7
SHA1: 857e437d05e3189e261887b83631b0d1b30c9c9b
SHA256: 471d8ae1784e16720232d5cb7d6ab79e24c27bf595c462f2aca8e761ce355854
SHA512: e61feac8c41b32038d65150efdcfb519f772bd991bb99bed5099835e938d89ded47885b88e0b2a04ade0a20403bc3ddae171158f07aa23fa60e9f2cc551562d4
Static task: static1
Behavioral task: behavioral1
Sample: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe
Resource: win10-en-20210920
Malware Config

Extracted from C:\odt\Restore-My-Files.txt:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets

Target: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446
Size: 7.5MB
MD5: ce5d09832339eb7ef86f2c22b4904a20
SHA1: e2db01d0a5572f580f5b7b28b4c9f1a04b35dc06
SHA256: 90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446
SHA512: 3c6c6dc0943320f151aacdf04bb417fe42454f52b7b5a1cf2a1e8f6c0e57e8d73a1637c90253cbef87815dfc857c118cb1d29f313e2814d1ea30a19789db5d26
Score: 10/10

Signatures:
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger