General

  • Target

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

  • Size

    409KB

  • Sample

    220524-a3nndaaec9

  • MD5

    ca5f6009311c61f27ad3be2914b9fc59

  • SHA1

    d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

  • SHA256

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

  • SHA512

    4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            Count  ID
Persistence        Registry Run Keys / Startup Folder   1      T1060
Defense Evasion    Modify Registry                      2      T1112
Defense Evasion    Install Root Certificate             1      T1130
Credential Access  Credentials in Files                 1      T1081
Discovery          Query Registry                       1      T1012
Discovery          System Information Discovery         2      T1082
Collection         Data from Local System               1      T1005

Tasks