Analysis
-
max time kernel
153s -
max time network
79s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-04-2022 17:57
General
-
Target
0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe
-
Size
628KB
-
MD5
c2e08dbd62f3121911275d0931e64780
-
SHA1
48d1e2e0795a51c116412636632c9160fd1ffcea
-
SHA256
0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61
-
SHA512
61694a4372f9461447f03fd50b7ad3af61fa64b9dfeb569979c4f3b9900d3b96aa365fd787f447135dea213e3e2e25ef2496a83332ff257abd3d35b5f927ba86
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
1) Through a standard browser(FireFox, Chrome, Edge, Opera)
| 1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9DB236228DDE80C43
| 2. Follow the instructions on this page
2) Through a Tor Browser - recommended
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9DB236228DDE80C43
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9DB236228DDE80C43
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9DB236228DDE80C43
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe"C:\Users\Admin\AppData\Local\Temp\0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61.exe"1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1352-57-0x0000000000000000-mapping.dmp
-
memory/1480-54-0x0000000074F91000-0x0000000074F93000-memory.dmpFilesize
8KB
-
memory/1480-55-0x00000000001B0000-0x00000000001D6000-memory.dmpFilesize
152KB
-
memory/1480-56-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/1528-58-0x0000000000000000-mapping.dmp
-
memory/2764-59-0x0000000000000000-mapping.dmp
-
memory/2844-60-0x0000000000000000-mapping.dmp
-
memory/2856-61-0x0000000000000000-mapping.dmp
-
memory/2868-62-0x0000000000000000-mapping.dmp
-
memory/2868-63-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmpFilesize
8KB