General
- Target: 7500476132.zip
- Size: 385KB
- Sample: 220524-r2jrgaadeq
- MD5: 0cec276fcb9669b772e3995fd29653a8
- SHA1: bf4e107761e572f3920676a20111547c945c246e
- SHA256: 8cd0262e8a1a7c54c00bdcabceca038d6608ebeba1c1dcf9de91b692245c89bb
- SHA512: ae3e99f76cbc1f68a32f870c8fba92b47467d5d877912f66046174b9661d17928fec579ae0efc305d6d394e1d613dd9825f909f2d78bf1c2b192144e965abdb2
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
  - Resource: win7-20220414-en

Behavioral task
- behavioral2
  - Sample: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
  - Resource: win10v2004-20220414-en
Malware Config

Extracted from C:\program files\7-zip\Restore-My-Files.txt
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at

Extracted from C:\odt\Restore-My-Files.txt
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
- http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
- https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta
- https://decoding.at/
- http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
- https://decoding.at
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- https://bigblog.at
Targets
- Target: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566
- Size: 959KB
- MD5: 1923ac09a520ea22858484f88fa6d925
- SHA1: bda0ed6db876ce19ebca21b338d4ddcb85d3c340
- SHA256: 5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566
- SHA512: ab02d27c045107510441328d5c78eab955444505179456b23737d84147030b37cefc7d7fb05bc541e122e2f91f828fdd4b53bd7747af162eb6d64fc28ded3a9c
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger