Analysis
-
max time kernel
72s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
05-05-2022 17:05
General
-
Target
pandora/ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe
-
Size
150KB
-
MD5
94d7e268d4a1bc11f50b7e493a76d7a0
-
SHA1
5cfdfa1aa620ad8dcf85685b0f8103441211e0ed
-
SHA256
ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f
-
SHA512
3e769697a3ad8dec988875aef053a1355f46e40df5c4695192e03f22941f9f94ef8d0c2ac8c11b8e1bfc4c4fbfa55bffe35ad706de691c19f057f3c2a5a4f0ab
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Restore-My-Files.txt
Family
lockbit
Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BAFB4B71D8094A85EFFF008CC98B9B3A
This link only works in Tor Browser!
| 3. Follow the instructions on this page
### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on.
Don't forget about GDPR.
URLs
http://lockbitks2tvnmwk.onion/?BAFB4B71D8094A85EFFF008CC98B9B3A
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pandora\ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe"C:\Users\Admin\AppData\Local\Temp\pandora\ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\pandora\ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pandora\ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\pandora\ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 33402⤵
- Program crash
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmpFilesize
8KB
-
memory/576-57-0x0000000000000000-mapping.dmp
-
memory/980-59-0x0000000000000000-mapping.dmp
-
memory/1292-56-0x0000000000000000-mapping.dmp
-
memory/1568-58-0x0000000000000000-mapping.dmp
-
memory/1584-60-0x0000000000000000-mapping.dmp
-
memory/1584-61-0x000007FEFB721000-0x000007FEFB723000-memory.dmpFilesize
8KB
-
memory/1636-55-0x0000000000000000-mapping.dmp
-
memory/1804-65-0x0000000000000000-mapping.dmp
-
memory/2996-62-0x0000000000000000-mapping.dmp
-
memory/3020-63-0x0000000000000000-mapping.dmp
-
memory/3040-64-0x0000000000000000-mapping.dmp