General
Target: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d
Size: 445KB
Sample: 220418-n5mqrahga6
MD5: 1a7eb7fc0b6c28388e1f1e3beab03892
SHA1: 0fdbdc0e8aa192f245ce68888012313c81a95be0
SHA256: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d
SHA512: b08ad87c757236e1eaa3669c185610aae19c83ed51248d9bbeb7c5ded936d6ce45f7fe7fc71b9fdbec1fb2ace9bac397d0e72b3b885917a9f6f0030c8ecddc1d
Static task: static1
Behavioral task: behavioral1
  Sample: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from: C:\Program Files\7-Zip\Restore-My-Files.txt
  Family: lockbit
  http://lockbit-decryptor.top/?DFB941278EE2558CAFF12CE3F728BA43
  http://lockbitks2tvnmwk.onion/?DFB941278EE2558CAFF12CE3F728BA43
Extracted from: C:\Users\Admin\Desktop\LockBit-note.hta
  http://lockbit-decryptor.top/?DFB941278EE2558CAFF12CE3F728BA43
  http://lockbitks2tvnmwk.onion/?DFB941278EE2558CAFF12CE3F728BA43
Extracted from: C:\odt\Restore-My-Files.txt
  Family: lockbit
  http://lockbit-decryptor.top/?DFB941278EE2558CB40B41D429FA1B53
  http://lockbitks2tvnmwk.onion/?DFB941278EE2558CB40B41D429FA1B53
Targets
Target: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d
Size: 445KB
MD5: 1a7eb7fc0b6c28388e1f1e3beab03892
SHA1: 0fdbdc0e8aa192f245ce68888012313c81a95be0
SHA256: c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d
SHA512: b08ad87c757236e1eaa3669c185610aae19c83ed51248d9bbeb7c5ded936d6ce45f7fe7fc71b9fdbec1fb2ace9bac397d0e72b3b885917a9f6f0030c8ecddc1d
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger