Overview

overview

10

Static

static

8

pandora/3b...be.exe

windows7_x64

10

pandora/3b...be.exe

windows10-2004_x64

10

pandora/43...e4.exe

windows7_x64

10

pandora/43...e4.exe

windows10-2004_x64

10

pandora/54...97.exe

windows7_x64

10

pandora/54...97.exe

windows10-2004_x64

10

pandora/58...ce.exe

windows7_x64

10

pandora/58...ce.exe

windows10-2004_x64

10

pandora/6d...ae.exe

windows7_x64

10

pandora/6d...ae.exe

windows10-2004_x64

10

pandora/74...2d.exe

windows7_x64

10

pandora/74...2d.exe

windows10-2004_x64

10

pandora/89...d4.exe

windows7_x64

10

pandora/89...d4.exe

windows10-2004_x64

10

pandora/95...cf.exe

windows7_x64

10

pandora/95...cf.exe

windows10-2004_x64

10

pandora/b1...00.exe

windows7_x64

10

pandora/b1...00.exe

windows10-2004_x64

10

pandora/ce...6f.exe

windows7_x64

10

pandora/ce...6f.exe

windows10-2004_x64

10

pandora/ce...30.exe

windows7_x64

10

pandora/ce...30.exe

windows10-2004_x64

10

pandora/ce...e1.exe

windows7_x64

10

pandora/ce...e1.exe

windows10-2004_x64

10

pandora/eb...1d.exe

windows7_x64

10

pandora/eb...1d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    05-05-2022 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pandora/95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe

  • Size

    146KB

  • MD5

    69bec32d50744293e85606a5e8f80425

  • SHA1

    101b90ac7e0c2a8b570686c13dfa0e161ddd00e0

  • SHA256

    95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

  • SHA512

    e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f

Score
10/10
lockbitevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?BC76D224712A7481E0C0EAA9CBE8F2F8 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BC76D224712A7481E0C0EAA9CBE8F2F8 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?BC76D224712A7481E0C0EAA9CBE8F2F8

http://lockbitks2tvnmwk.onion/?BC76D224712A7481E0C0EAA9CBE8F2F8

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?BC76D224712A7481E0C0EAA9CBE8F2F8 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?BC76D224712A7481E0C0EAA9CBE8F2F8 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?BC76D224712A7481E0C0EAA9CBE8F2F8

http://lockbitks2tvnmwk.onion/?BC76D224712A7481E0C0EAA9CBE8F2F8

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pandora\95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe
    "C:\Users\Admin\AppData\Local\Temp\pandora\95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1880
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2820
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2832
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2844
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\pandora\95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pandora\95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • Runs ping.exe
        PID:3012
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\pandora\95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe"
        3⤵
          PID:2960
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2936
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:2964

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        File Deletion

        3
        T1107

        Modify Registry

        3
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        4
        T1490

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\LockBit-note.hta
          Filesize

          17KB

          MD5

          a1925f234967fa9a2421c1e5a73dc99b

          SHA1

          1cd00aca38a52ae13858033300b62b8769ae5cc4

          SHA256

          004cec23690b7c65a21bfab262086a488b62ef02511299e1998eb29288ee251f

          SHA512

          5baddb7c9e6b122f354ccd6a4a0c1ac7499f0d473a6794a770c279c55041e23c5b73f5554daf873504a5e830f60edefbe32770fc9a4bd6090863b8d304e6969a

          Download Submit
        • memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1836-55-0x0000000000000000-mapping.dmp
          Download
        • memory/1880-56-0x0000000000000000-mapping.dmp
          Download
        • memory/2732-57-0x0000000000000000-mapping.dmp
          Download
        • memory/2820-58-0x0000000000000000-mapping.dmp
          Download
        • memory/2828-62-0x0000000000000000-mapping.dmp
          Download
        • memory/2832-59-0x0000000000000000-mapping.dmp
          Download
        • memory/2836-63-0x0000000000000000-mapping.dmp
          Download
        • memory/2844-61-0x000007FEFB971000-0x000007FEFB973000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2844-60-0x0000000000000000-mapping.dmp
          Download
        • memory/2960-67-0x0000000000000000-mapping.dmp
          Download
        • memory/3012-64-0x0000000000000000-mapping.dmp
          Download