General
Target: ba38aeea388ec9f7f932835c8346a56a9543bf5dd8f66070d3b9c79989a78363.bin.sample
Size: 1000KB
Sample: 220506-pgvl5ahgg7
MD5: e47d18c3e85ac47fad841f0b8f566485
SHA1: 19de6498d579a2773306c032c593d82e159ef827
SHA256: ba38aeea388ec9f7f932835c8346a56a9543bf5dd8f66070d3b9c79989a78363
SHA512: 6ba0e3aa8e8f3bed2f3b8c983113fa07fc4e310f943e95a421fc689dc0649f5de5069af077120027658a1f4469f9f0aa2f03f0d5475e03a0634fa3522b1ead7c
Static task: static1
Behavioral task: behavioral1
Sample: ba38aeea388ec9f7f932835c8346a56a9543bf5dd8f66070d3b9c79989a78363.bin.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: ba38aeea388ec9f7f932835c8346a56a9543bf5dd8f66070d3b9c79989a78363.bin.exe
Resource: win10v2004-20220414-en
Malware Config
The three extractions below are the contact URLs recovered from the dropped ransom notes: two text copies of Restore-My-Files.txt and one HTML-application copy (LockBit_Ransomware.hta).
Extracted from C:\program files\7-zip\Restore-My-Files.txt:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted from C:\odt\Restore-My-Files.txt:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
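Before the contact URLs above go into an IOC feed they are worth normalising and sanity-checking: v3 .onion addresses carry a checksum over the embedded Ed25519 key, so a retyped or truncated address can be rejected mechanically. The following is an added example, not code from the sandbox report or from the malware; NOTE_TEXT is constructed from the URLs listed above (the real note wording is not reproduced), and the example makes no claim about which of the listed addresses pass the checksum beyond what the validator reports when run.

```python
"""Extract and validate the contact URLs from a LockBit ransom note.

Added example, not part of the sandbox report or the malware. NOTE_TEXT is
constructed from the URLs the report extracted; the note's wording is not
reproduced.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample: the URL lines the report extracted from the notes above.
NOTE_TEXT = """\
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at/
https://decoding.at
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def onion_v3_address(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte Ed25519 public key.

    Layout per the Tor rendezvous spec: base32(pubkey || checksum[:2] || 0x03),
    where checksum = SHA3-256(".onion checksum" || pubkey || 0x03).
    """
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True if host is a well-formed v3 onion address with a correct checksum."""
    host = host.lower()
    if not ONION_V3_RE.match(host):
        return False
    raw = base64.b32decode(host[:56].upper())  # 35 bytes: 32 key + 2 checksum + 1 version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def extract_iocs(text: str) -> dict:
    """Return deduplicated contact hosts, classified as valid/invalid onion or clearnet."""
    result = {"onion_valid": [], "onion_invalid": [], "clearnet": []}
    seen = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if not host or host in seen:
            continue
        seen.add(host)
        if host.endswith(".onion"):
            key = "onion_valid" if is_valid_onion_v3(host) else "onion_invalid"
            result[key].append(host)
        else:
            result["clearnet"].append(host)
    return result


if __name__ == "__main__":
    for kind, hosts in extract_iocs(NOTE_TEXT).items():
        for h in hosts:
            print(f"{kind:14} {h}")
```

Hosts are keyed by hostname rather than full URL so the two spellings of decoding.at and the /or variant of the third onion collapse into one indicator each; anything landing in onion_invalid should be treated as a transcription error in the note or the report rather than added to a blocklist.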
Targets
Target: ba38aeea388ec9f7f932835c8346a56a9543bf5dd8f66070d3b9c79989a78363.bin.sample (1000KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Detect Neshta Payload
- Modifies system executable filetype association: changes how .exe files are launched (the exefile shell\open\command registration), so every executable started afterwards passes through the malware first.
- Neshta: malware from the Neshta family is a file infector; it writes itself into other executables to spread and cause damage. The Neshta detections next to a LockBit ransom note indicate a LockBit binary that has itself been infected by Neshta, so the file-infector behaviour and the executable filetype association change belong to the infector rather than to LockBit.
- Creates a large amount of network flows: may indicate a network scan to discover remotely running services.
- Modifies boot configuration data using bcdedit: typically used by ransomware to disable Windows recovery options so the encrypted system cannot be repaired from the boot menu.
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application: persistence through a Run registry key.
- Drops file in System32 directory
- Sets desktop wallpaper using registry: replaces the desktop background, typically with the ransom demand.
- Suspicious use of NtSetInformationThreadHideFromDebugger: anti-debugging; a thread marked ThreadHideFromDebugger stops delivering debug events to an attached debugger.
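Most of the behaviours in the list above map onto registry, process and file telemetry that an EDR or Sysmon already collects, so the report can be turned into host-side detection logic. The following is an added example, not code from the sandbox report: EVENTS is a constructed set of Sysmon-style records, the registry paths are the standard locations these behaviours touch, and the svchost.com launcher value and the .lockbit extension are assumptions for illustration rather than values observed in this sample. Read-only checks such as the locale lookup and NtSetInformationThread are not visible in write telemetry and are deliberately left out.

```python
"""Detection logic for the behaviours this report lists, run over constructed telemetry.

Added example, not part of the sandbox report. EVENTS is a constructed set of
Sysmon-style records (EventID 13 = registry value set, 1 = process create,
11 = file create). The registry paths are the standard locations these
behaviours touch; the svchost.com value and the .lockbit extension are
assumptions for illustration, not values observed in this sample.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

EVENTS: List[Event] = [
    # Takeover of how .exe files are launched (launcher value is illustrative)
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    # Persistence via a Run key
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\update.exe"},
    # Wallpaper replaced with the ransom demand
    {"EventID": 13, "TargetObject": r"HKCU\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\ProgramData\note.bmp"},
    # Recovery options disabled before encryption
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    # Benign: a user opening the note must not trip any rule
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Admin\Desktop\Restore-My-Files.txt"},
    # Ransom note dropped (path taken from the report)
    {"EventID": 11, "TargetFilename": r"C:\odt\Restore-My-Files.txt"},
    # Encrypted document with an appended extension (extension is an assumption)
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\Documents\budget.xlsx.lockbit"},
    # Benign: the original document
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\Documents\budget.xlsx"},
]

# (signature name as the report lists it, Sysmon event id, field to inspect, pattern)
RULES = [
    ("Modifies system executable filetype association", 13, "TargetObject",
     re.compile(r"\\Classes\\exefile\\shell\\open\\command", re.I)),
    ("Adds Run key to start application", 13, "TargetObject",
     re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("Sets desktop wallpaper using registry", 13, "TargetObject",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
    ("Modifies boot configuration data using bcdedit", 1, "CommandLine",
     re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Drops ransom note", 11, "TargetFilename",
     re.compile(r"\\Restore-My-Files\.txt$", re.I)),
    # A document extension followed by a second, appended extension
    ("Modifies extensions of user files", 11, "TargetFilename",
     re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt)\.[a-z0-9]{3,12}$", re.I)),
]


def match_events(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (signature, evidence) for every event that trips a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, event_id, field, pattern in RULES:
            if ev.get("EventID") != event_id:
                continue
            value = str(ev.get(field, ""))
            if pattern.search(value):
                hits.append((name, value))
    return hits


def triggered_signatures(events: List[Event]) -> List[str]:
    """Distinct signature names, sorted, for a quick comparison with the report."""
    return sorted({name for name, _ in match_events(events)})


if __name__ == "__main__":
    for name, evidence in match_events(EVENTS):
        print(f"{name}: {evidence}")
```

The individual rules are noisy on their own (installers legitimately write Run keys, and users change wallpapers); the value is in correlating several of them from one process tree within a short window, which is what the sandbox verdict above effectively does.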