Overview

overview

10

Static

static

9

0d71cbd1e2...61.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61

  • Size

    628KB

  • Sample

    220506-r8jp2scfhp

  • MD5

    c2e08dbd62f3121911275d0931e64780

  • SHA1

    48d1e2e0795a51c116412636632c9160fd1ffcea

  • SHA256

    0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61

  • SHA512

    61694a4372f9461447f03fd50b7ad3af61fa64b9dfeb569979c4f3b9900d3b96aa365fd787f447135dea213e3e2e25ef2496a83332ff257abd3d35b5f927ba86

Score
10/10
lockbitcryptoneevasionpackerpersistenceransomware

Malware Config

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F997360F45C651CD80 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F997360F45C651CD80 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9B7FDA8D33FEC3F997360F45C651CD80

http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F997360F45C651CD80

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?9B7FDA8D33FEC3F997360F45C651CD80 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F997360F45C651CD80 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9B7FDA8D33FEC3F997360F45C651CD80

http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F997360F45C651CD80

Targets

    • Target

      0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61

    • Size

      628KB

    • MD5

      c2e08dbd62f3121911275d0931e64780

    • SHA1

      48d1e2e0795a51c116412636632c9160fd1ffcea

    • SHA256

      0d71cbd1e262b6abbbcc2f09ff3fad26549ba5d5b8f547ba2dd24b84f17afb61

    • SHA512

      61694a4372f9461447f03fd50b7ad3af61fa64b9dfeb569979c4f3b9900d3b96aa365fd787f447135dea213e3e2e25ef2496a83332ff257abd3d35b5f927ba86

    Score
    10/10
    lockbitevasionpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Adds Run key to start application

      persistence

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

3
T1107

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Defacement

1
T1491

Tasks