Resubmissions

24-05-2022 14:41

220524-r2jrgaadeq 10

Analysis

  • max time kernel
    28s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 14:41

General

  • Target

    5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe

  • Size

    959KB

  • MD5

    1923ac09a520ea22858484f88fa6d925

  • SHA1

    bda0ed6db876ce19ebca21b338d4ddcb85d3c340

  • SHA256

    5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566

  • SHA512

    ab02d27c045107510441328d5c78eab955444505179456b23737d84147030b37cefc7d7fb05bc541e122e2f91f828fdd4b53bd7747af162eb6d64fc28ded3a9c

Malware Config

Extracted

Path

C:\program files\7-zip\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR https://decoding.at
Decryption ID: 62A6E25726A0C5D3A28B6F0DD2E02FD2
URLs

  • http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
  • https://bigblog.at
  • http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
  • http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
  • https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 1 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class (3 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe
    "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
        PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"
        2⤵
          PID:3056
          • C:\Windows\SysWOW64\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\5a9e1f1ec578f5ce610a2a830a63b07280688818088c7c2999a6f3f2a5d5f566.exe"
            3⤵
              PID:388
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          1⤵
          • Modifies boot configuration data using bcdedit
          PID:2992
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          1⤵
          • Modifies boot configuration data using bcdedit
          PID:2980
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          1⤵
            PID:2900
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:2724
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              1⤵
              • Interacts with shadow copies
              PID:2696
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.7 -n 3
              1⤵
              • Runs ping.exe
              PID:2684

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion
    File Deletion, T1107 (2)
    Modify Registry, T1112 (1)
  • Discovery
    System Information Discovery, T1082 (1)
    Remote System Discovery, T1018 (1)
  • Impact
    Inhibit System Recovery, T1490 (3)


Downloads

  • memory/388-62-0x0000000000000000-mapping.dmp
  • memory/1696-54-0x0000000076171000-0x0000000076173000-memory.dmp (Filesize: 8KB)
  • memory/2684-61-0x0000000000000000-mapping.dmp
  • memory/2900-57-0x0000000000000000-mapping.dmp
  • memory/2980-58-0x0000000000000000-mapping.dmp
  • memory/2992-59-0x0000000000000000-mapping.dmp
  • memory/3056-60-0x0000000000000000-mapping.dmp