General
Target: 05312d1c61a4c8ae14fa5a8649007a8e7e72d1e1c81e9d50bc955efac80a7ba9
Size: 560KB
Sample: 220511-268lhacec8
MD5: 0f7c57b8647f802f7e37d0701dfd4b63
SHA1: b92c05fdc3c7f2de9fe3e52469a33bbab565a916
SHA256: 05312d1c61a4c8ae14fa5a8649007a8e7e72d1e1c81e9d50bc955efac80a7ba9
SHA512: 1be6e95fdd75dc5f948d7a1052192fb509df0aa64ebcb0a535e77f6b02e4da2bae4c65c591cc5ec48601a06dd74cc6a65ef0fe66be3a7250e8b0ffc38e0e938d
Static task: static1
Behavioral task: behavioral1
  Sample: 05312d1c61a4c8ae14fa5a8649007a8e7e72d1e1c81e9d50bc955efac80a7ba9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 05312d1c61a4c8ae14fa5a8649007a8e7e72d1e1c81e9d50bc955efac80a7ba9.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (lockbit):
  http://lockbit-decryptor.top/?A2232793F05765B5C9AC68B9FAD2A1FF
  http://lockbitks2tvnmwk.onion/?A2232793F05765B5C9AC68B9FAD2A1FF
Extracted from C:\odt\Restore-My-Files.txt (lockbit):
  http://lockbit-decryptor.top/?A2232793F05765B5C28D50F847219AA9
  http://lockbitks2tvnmwk.onion/?A2232793F05765B5C28D50F847219AA9
Targets
Score: 10/10
- Modifies boot configuration data using bcdedit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger