General
Target: bf30ee00753e7066ca5648d07c32306f0347ad59897d22b3f0a607f14a822f38
Size: 202KB
Sample: 220524-1vrceahdd8
MD5: 7d6fdb848b13baaa910d9526e63e8489
SHA1: 61a4735ed7da281859269b727c60dd15285e610a
SHA256: bf30ee00753e7066ca5648d07c32306f0347ad59897d22b3f0a607f14a822f38
SHA512: 89b48f078831393ea87b4adc9ca31a97d810eefd70d3209691a213718c6b2b08e8e350a9f271752571b21f5d69d1f7b54c35fb8af722d779db782dc3832aeff1
Static task: static1
Behavioral task: behavioral1
  Sample: bf30ee00753e7066ca5648d07c32306f0347ad59897d22b3f0a607f14a822f38.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bf30ee00753e7066ca5648d07c32306f0347ad59897d22b3f0a607f14a822f38.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt
  Family: lockbit
  http://lockbit-decryptor.com/?ADDD79899D34FB7491C6FF7476CE466D
  http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7491C6FF7476CE466D
Extracted from C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Restore-My-Files.txt
  Family: lockbit
  http://lockbit-decryptor.com/?ADDD79899D34FB7491C6FF7476CE466D
  http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7491C6FF7476CE466D
Extracted from C:\Users\Admin\Desktop\LockBit-note.hta
Extracted from C:\odt\Restore-My-Files.txt
  Family: lockbit
  http://lockbit-decryptor.com/?ADDD79899D34FB74C43F52B0A95DA6A7
  http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74C43F52B0A95DA6A7
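The config block above is what a sandbox recovers by scraping the dropped ransom notes: the clearnet and Tor portal URLs, and a 32-hex-character victim ID in the query string. Note that the ID in the C:\odt note differs from the one in the two Program Files notes, which is worth surfacing rather than silently merging. The extractor below is an added example written for this page, not the sandbox's own parser; the note bodies are constructed stand-ins that only reuse the URL shapes shown above, and the family tag is a simple host-name heuristic.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the dropped notes (not the real note text); the URLs
# follow the report's Malware Config section, the surrounding sentences are invented.
NOTES = {
    r"C:\Program Files\7-Zip\Restore-My-Files.txt": (
        "All your important files are encrypted!\n"
        "Tor Browser links: http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7491C6FF7476CE466D\n"
        "Links for normal browser: http://lockbit-decryptor.com/?ADDD79899D34FB7491C6FF7476CE466D\n"
    ),
    r"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Restore-My-Files.txt": (
        "Your files are encrypted. Contact us:\n"
        "http://lockbit-decryptor.com/?ADDD79899D34FB7491C6FF7476CE466D\n"
        "http://lockbitks2tvnmwk.onion/?ADDD79899D34FB7491C6FF7476CE466D\n"
    ),
    r"C:\odt\Restore-My-Files.txt": (
        "http://lockbit-decryptor.com/?ADDD79899D34FB74C43F52B0A95DA6A7\n"
        "http://lockbitks2tvnmwk.onion/?ADDD79899D34FB74C43F52B0A95DA6A7\n"
    ),
    # The HTA note in the report yielded no URLs/IDs; model that as an unparseable note.
    r"C:\Users\Admin\Desktop\LockBit-note.hta": "<html><body>See Restore-My-Files.txt</body></html>",
}

# Full URL, host, and the 32-hex victim ID carried in the query string.
URL_RE = re.compile(r"(https?://([A-Za-z0-9.\-]+)/\?([0-9A-Fa-f]{32}))\b")


def extract_config(text):
    """Pull portal URLs and victim IDs out of one note. Returns None if nothing matched."""
    hits = URL_RE.findall(text)
    if not hits:
        return None
    hosts = [host for _, host, _ in hits]
    return {
        # Heuristic family tag (assumption): any portal host containing "lockbit".
        "family": "lockbit" if any("lockbit" in h.lower() for h in hosts) else "unknown",
        "urls": [url for url, _, _ in hits],
        "onion": sorted({h for h in hosts if h.lower().endswith(".onion")}),
        "victim_ids": sorted({vid.upper() for _, _, vid in hits}),
    }


def summarize(notes):
    """Parse every note, group note paths by victim ID and flag divergent IDs."""
    configs = {path: extract_config(text) for path, text in notes.items()}
    by_id = defaultdict(list)
    for path, cfg in configs.items():
        if cfg:
            for vid in cfg["victim_ids"]:
                by_id[vid].append(path)
    return {
        "configs": configs,
        "ids": dict(by_id),
        # More than one ID across notes from the same run is unusual and should be reviewed.
        "id_mismatch": len(by_id) > 1,
        "unparsed": [path for path, cfg in configs.items() if cfg is None],
    }


if __name__ == "__main__":
    result = summarize(NOTES)
    for vid, paths in result["ids"].items():
        print(vid, "->", len(paths), "note(s)")
    print("ID mismatch:", result["id_mismatch"], "| unparsed:", result["unparsed"])
```

Run against the constructed notes this reports two distinct victim IDs and one note (the HTA) with nothing recoverable, which mirrors the shape of the Malware Config section above.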
Targets
Target: bf30ee00753e7066ca5648d07c32306f0347ad59897d22b3f0a607f14a822f38
Score: 10/10
- Modifies boot configuration data using bcdedit
  Commonly used by ransomware to disable Windows recovery options before encryption.
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThread with ThreadHideFromDebugger
  Anti-debugging: hides the calling thread from an attached debugger.
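Most of the behaviors above are visible in ordinary host telemetry (process creation, registry writes, file renames), so they can be turned into detection logic without the sandbox. The script below is an added example, not part of the report or of any sandbox's rule set: it runs a handful of checks over constructed Sysmon-style events (the field names, the bcdedit arguments, the ".locked" extension and the registry paths are assumptions chosen to be representative, not observations from this sample). The ThreadHideFromDebugger call is deliberately not modeled, because it is an in-process API call that Sysmon-level telemetry does not see; that needs API tracing.

```python
import ntpath
import re
from collections import Counter

# Constructed Sysmon-style events (assumption: not from the report). "RegistryRead"
# is modeled as its own type because Sysmon does not log registry reads.
SAMPLE = r"C:\Users\Admin\Desktop\sample.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 1337, "image": SAMPLE, "cmdline": SAMPLE, "parent": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 1400, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no", "parent": "sample.exe"},
    {"type": "ProcessCreate", "pid": 1401, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "parent": "sample.exe"},
    {"type": "ProcessCreate", "pid": 1600, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum", "parent": "cmd.exe"},  # benign admin use, must not fire
    {"type": "RegistryRead", "pid": 1337, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "RegistrySet", "pid": 1337, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "value": SAMPLE},
    {"type": "FileRename", "pid": 1337, "old": r"C:\Users\Admin\Documents\q3.xlsx", "new": r"C:\Users\Admin\Documents\q3.xlsx.locked"},
    {"type": "FileRename", "pid": 1337, "old": r"C:\Users\Admin\Documents\memo.docx", "new": r"C:\Users\Admin\Documents\memo.docx.locked"},
    {"type": "FileRename", "pid": 1337, "old": r"C:\Users\Admin\Pictures\cat.jpg", "new": r"C:\Users\Admin\Pictures\cat.jpg.locked"},
    {"type": "FileRename", "pid": 1337, "old": r"C:\Users\Admin\Desktop\plan.pdf", "new": r"C:\Users\Admin\Desktop\plan.pdf.locked"},
    {"type": "FileRename", "pid": 900, "old": r"C:\Users\Admin\Downloads\report.tmp", "new": r"C:\Users\Admin\Downloads\report.docx"},  # one-off, benign
    {"type": "RegistrySet", "pid": 1337, "key": r"HKCU\Control Panel\Desktop\Wallpaper", "value": r"C:\Users\Admin\AppData\Local\Temp\wall.bmp"},
    {"type": "ProcessCreate", "pid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Admin\Desktop\sample.exe"', "parent": "sample.exe"},
]

BCDEDIT_TAMPER = re.compile(r"bcdedit.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
DEL_CMD = re.compile(r"\bdel\b", re.I)
MASS_RENAME_THRESHOLD = 3  # distinct files renamed to the same new extension


def detect(events, sample_image):
    """Return (rule, evidence) pairs for the ransomware behaviors found in the events."""
    sample_name = ntpath.basename(sample_image).lower()
    hits = []
    new_exts = Counter()
    for e in events:
        t = e["type"]
        if t == "ProcessCreate":
            cmd = e["cmdline"]
            if BCDEDIT_TAMPER.search(cmd):
                hits.append(("bcdedit_recovery_tamper", cmd))
            # Self-deletion: a child of the sample runs "del" naming the sample's own path.
            if e["parent"].lower() == sample_name and DEL_CMD.search(cmd) and sample_name in cmd.lower():
                hits.append(("self_delete", cmd))
        elif t == "RegistrySet":
            if RUN_KEY.search(e["key"]):
                hits.append(("run_key_persistence", e["key"]))
            if WALLPAPER.search(e["key"]):
                hits.append(("wallpaper_set", e["key"]))
        elif t == "RegistryRead":
            if GEO_KEY.search(e["key"]):
                hits.append(("geo_check", e["key"]))
        elif t == "FileRename":
            old_ext = ntpath.splitext(e["old"])[1].lower()
            new_ext = ntpath.splitext(e["new"])[1].lower()
            if old_ext != new_ext:
                new_exts[new_ext] += 1
    # Mass extension change is a count over the whole window, not a single event.
    if new_exts:
        ext, n = new_exts.most_common(1)[0]
        if n >= MASS_RENAME_THRESHOLD:
            hits.append(("mass_extension_change", f"{n} files renamed to {ext}"))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS, SAMPLE):
        print(f"{rule:26s} {evidence}")
```

The single `report.tmp` to `report.docx` rename and the `bcdedit /enum` call are included as negative cases: extension changes only fire once several files converge on one new extension, and bcdedit only fires on the recovery-disabling arguments, which keeps the rules quiet on routine administration.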