Analysis
-
max time kernel
82s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-05-2022 14:24
General
-
Target
setup_super.exe
-
Size
15KB
-
MD5
8d4fcd244f393513976aea570df1ffdd
-
SHA1
af02515f2b9693f0920f57b6fcbc304743d5f16b
-
SHA256
c7f353c4ca722da712da454317e9d00b77c9b6cf6194b47009dbd67517cf2abc
-
SHA512
485f361c7f09d3ff51e537124dd342e5358551f18de09c7184360dcac0a4f9225d0a267d7be1e2f908980aad743eb5faab68a824bfd1b0282d6bab5a29676b32
Malware Config
Extracted
C:\program files\7-zip\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_super.exe"C:\Users\Admin\AppData\Local\Temp\setup_super.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\super.exe"C:\Users\Admin\AppData\Local\Temp\super.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\super.exe"3⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exe"C:\Users\Admin\AppData\Local\Temp\screensaver.exe" 7C28913B6F1CE6E452678F117954BF4EJ7521E2B4A224740AAF64D5FAD08520ACDF9F8912E7DE2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exeFilesize
272KB
MD5f9073cc6566ba11318b425a761f1ce17
SHA1d378ce237e83314c9844b4e6ce4867e2783737db
SHA256c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
SHA5122a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exeFilesize
272KB
MD5f9073cc6566ba11318b425a761f1ce17
SHA1d378ce237e83314c9844b4e6ce4867e2783737db
SHA256c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
SHA5122a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2
-
C:\Users\Admin\AppData\Local\Temp\super.exeFilesize
959KB
MD5ca4d6c1d508d4add675edb0cf206b1ea
SHA1a5c36dc1b1c307de822004f166829dc02f742f45
SHA25670f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e
SHA512c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824
-
C:\Users\Admin\AppData\Local\Temp\super.exeFilesize
959KB
MD5ca4d6c1d508d4add675edb0cf206b1ea
SHA1a5c36dc1b1c307de822004f166829dc02f742f45
SHA25670f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e
SHA512c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824
-
memory/560-59-0x0000000000000000-mapping.dmp
-
memory/844-58-0x0000000075741000-0x0000000075743000-memory.dmpFilesize
8KB
-
memory/844-56-0x0000000000000000-mapping.dmp
-
memory/884-54-0x0000000001190000-0x000000000119A000-memory.dmpFilesize
40KB
-
memory/884-55-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmpFilesize
8KB
-
memory/956-73-0x0000000000000000-mapping.dmp
-
memory/980-61-0x0000000000000000-mapping.dmp
-
memory/1136-68-0x0000000000000000-mapping.dmp
-
memory/1664-71-0x0000000000000000-mapping.dmp
-
memory/1736-63-0x0000000000000000-mapping.dmp
-
memory/1752-67-0x0000000000000000-mapping.dmp
-
memory/2060-69-0x0000000000000000-mapping.dmp
-
memory/2176-72-0x0000000000000000-mapping.dmp
-
memory/2308-65-0x0000000000000000-mapping.dmp
-
memory/2400-66-0x0000000000000000-mapping.dmp