General
Target: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d
Size: 627KB
Sample: 220427-wj2xjsfga3
MD5: 042227360a51cc44e56bae065eec9a90
SHA1: 85b0ec628c72b07e930a87158c73c71651def497
SHA256: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d
SHA512: 97dcb2c9df3f3d86faa64fec1e4377029ae3b8792fc1421e70cf971336aed885be0db6f48501c601780a790a3cb986686f04df2857899835dfc6d5582996723d
Behavioral task: behavioral1
Sample: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt
Family: lockbit
http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9C4D1CFE696A5EF31
http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9C4D1CFE696A5EF31

Note that the same note path is listed twice with a different 32-hex-character query string, so the value after "/?" is a per-infection victim ID and not a stable indicator; the two hostnames and the note filenames are.
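The Malware Config section above is the output of a ransom-note extractor. The script below is an added example of that step, not Triage's extractor or any LockBit code: it pulls the decryptor URLs out of dropped notes and reduces them to indicators that survive across infections. The note bodies are constructed for the example; only the note paths and the URLs in them come from the report.

```python
"""Extract reusable indicators from LockBit ransom notes.

Added example for this report; it is not Triage's extractor or any LockBit
code.  The note bodies below are constructed for the example: only the
note paths and the URLs in them are taken from the report's Malware Config.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the notes the report lists, in the same order.
# The same path occurs twice with different victim IDs, as in the report.
NOTES = [
    (r"C:\Program Files\7-Zip\Restore-My-Files.txt",
     "All your important files are encrypted!\n"
     "Tor Browser Links:\n"
     "http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD\n"
     "Links for normal browser:\n"
     "http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD\n"),
    (r"C:\Users\Admin\Desktop\LockBit-note.hta",
     '<html><body><a href="http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD">'
     "http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9AE90FBCE3CE3B2CD</a></body></html>"),
    (r"C:\Program Files\7-Zip\Restore-My-Files.txt",
     "http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9C4D1CFE696A5EF31\n"
     "http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9C4D1CFE696A5EF31\n"),
]

# Stop at quotes and angle brackets so URLs inside HTML attributes parse cleanly.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# The notes carry the victim ID as the bare query string: /?<32 uppercase hex>
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{32}$")


def parse_note(text):
    """Return (hosts, victim_ids) found in one note body."""
    hosts, ids = set(), set()
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        hosts.add(parts.netloc.lower())
        if VICTIM_ID_RE.match(parts.query):
            ids.add(parts.query)
    return hosts, ids


def summarize(notes):
    """Collapse all notes into indicators worth hunting on.

    Hosts and note filenames are stable across infections; the victim ID
    is not, so full URLs are kept only for reference.
    """
    hosts, ids, urls, names = set(), set(), set(), set()
    for path, text in notes:
        names.add(path.rsplit("\\", 1)[-1])
        urls.update(URL_RE.findall(text))
        h, i = parse_note(text)
        hosts.update(h)
        ids.update(i)
    return {
        "hosts": hosts,
        "onion_hosts": {h for h in hosts if h.endswith(".onion")},
        "note_names": names,
        "victim_ids": ids,
        "urls": urls,
    }


if __name__ == "__main__":
    s = summarize(NOTES)
    for key in ("hosts", "onion_hosts", "note_names", "victim_ids"):
        print(f"{key}: {sorted(s[key])}")
```

Run on these three notes it yields two hosts, two note filenames and two victim IDs from four distinct URLs; block or alert on the hosts and filenames, and treat a full URL match as a bonus rather than a requirement.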
Targets

Target: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d
Size: 627KB
MD5: 042227360a51cc44e56bae065eec9a90
SHA1: 85b0ec628c72b07e930a87158c73c71651def497
SHA256: f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d
SHA512: 97dcb2c9df3f3d86faa64fec1e4377029ae3b8792fc1421e70cf971336aed885be0db6f48501c601780a790a3cb986686f04df2857899835dfc6d5582996723d
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger class stops the thread from delivering debug events to an attached debugger, a common anti-analysis check.
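The signatures above each fire on one kind of event, and the 10/10 score is the sandbox's combination of them. The script below is an added example of doing that correlation yourself over a process, registry, file and API trace; it is not Triage's signature engine. The event schema, the rule thresholds and every event in the sample trace are constructed here (the bcdedit arguments, the Run value name, the wallpaper path and the ".lockbit" extension are assumed, not taken from the report); only the sample name and the note path come from the report.

```python
"""Correlate the behaviours the report's signatures flag into one verdict.

Added example for this report; it is not Triage's signature engine.  The
event schema, the rule thresholds and every event in EVENTS are constructed
here (the bcdedit arguments and the ".lockbit" extension are assumed, not
taken from the report); only the sample name and note path come from it.
"""
import ntpath
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f3a8fbd973addb975bd4e9e86772b276ae7cc8bac3c1a0f94cf88f518efd348d.exe")
RANSOM_NOTE_NAMES = {"restore-my-files.txt", "lockbit-note.hta"}
THREAD_HIDE_FROM_DEBUGGER = 17  # THREADINFOCLASS value passed to NtSetInformationThread

# Constructed trace: one event per signature, plus a burst of renames.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},  # assumed arguments
    {"type": "api", "name": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"type": "reg_query", "key": r"HKCU\Control Panel\International", "value": "sCountry"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": SAMPLE},
    {"type": "reg_set", "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\ProgramData\wall.bmp"},
    {"type": "file_create", "path": r"C:\Program Files\7-Zip\Restore-My-Files.txt"},
    {"type": "file_delete", "path": SAMPLE},
] + [
    {"type": "file_rename", "src": rf"C:\Users\Admin\Documents\report{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\report{i}.docx.lockbit"}
    for i in range(40)
]


def _image_name(path):
    return ntpath.basename(path).lower()


def sig_bcdedit(events):
    """bcdedit invoked with a modifying verb (/set or /deletevalue)."""
    return any(e["type"] == "process"
               and _image_name(e["image"]) == "bcdedit.exe"
               and any(v in e["cmdline"].lower() for v in ("/set", "/deletevalue"))
               for e in events)


def sig_extension_change(events, min_files=20):
    """Many user files renamed to one new extension in a single trace."""
    per_ext = Counter()
    for e in events:
        if e["type"] != "file_rename" or not e["src"].lower().startswith(r"c:\users"):
            continue
        old, new = (ntpath.splitext(p)[1].lower() for p in (e["src"], e["dst"]))
        if new and new != old:
            per_ext[new] += 1
    return max(per_ext.values(), default=0) >= min_files


def sig_location_check(events):
    """Reads the locale/country settings; the report calls this a likely geofence."""
    return any(e["type"] == "reg_query" and r"control panel\international" in e["key"].lower()
               for e in events)


def sig_self_delete(events, sample=SAMPLE):
    return any(e["type"] == "file_delete" and e["path"].lower() == sample.lower()
               for e in events)


def _sets_value(events, key_tail, value=None):
    return any(e["type"] == "reg_set"
               and e["key"].lower().endswith(key_tail.lower())
               and (value is None or e["value"].lower() == value.lower())
               for e in events)


def sig_run_key(events):
    return _sets_value(events, r"\CurrentVersion\Run")


def sig_wallpaper(events):
    return _sets_value(events, r"\Control Panel\Desktop", "Wallpaper")


def sig_hide_from_debugger(events):
    return any(e["type"] == "api" and e["name"] == "NtSetInformationThread"
               and e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER for e in events)


def sig_ransom_note(events):
    return any(e["type"] == "file_create"
               and _image_name(e["path"]) in RANSOM_NOTE_NAMES for e in events)


SIGNATURES = {
    "Modifies boot configuration data using bcdedit": sig_bcdedit,
    "Modifies extensions of user files": sig_extension_change,
    "Checks computer location settings": sig_location_check,
    "Deletes itself": sig_self_delete,
    "Adds Run key to start application": sig_run_key,
    "Sets desktop wallpaper using registry": sig_wallpaper,
    "Suspicious use of NtSetInformationThreadHideFromDebugger": sig_hide_from_debugger,
    "Drops ransom note": sig_ransom_note,
}
DAMAGE = {"Modifies extensions of user files", "Drops ransom note"}


def evaluate(events):
    return {name: fn(events) for name, fn in SIGNATURES.items()}


def verdict(hits):
    """Ransomware needs a damage signal plus two supporting behaviours;
    the thresholds are this example's, not the sandbox's scoring."""
    damage = any(hits[n] for n in DAMAGE)
    support = sum(hits[n] for n in hits if n not in DAMAGE)
    if damage and support >= 2:
        return "ransomware"
    return "suspicious" if damage or support else "clean"


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for name, hit in hits.items():
        print(("[x] " if hit else "[ ] ") + name)
    print("verdict:", verdict(hits))
```

The verdict deliberately requires a damage signal (mass extension change or a ransom note) on top of the supporting behaviours: a lone bcdedit or Run-key write is common in legitimate administration and should only raise the trace to "suspicious", which is also why the rename rule uses a count threshold rather than a single event.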