Overview

overview

10

Static

static

setup_super.exe

windows7_x64

10

setup_super.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_super.exe

  • Size

    15KB

  • MD5

    8d4fcd244f393513976aea570df1ffdd

  • SHA1

    af02515f2b9693f0920f57b6fcbc304743d5f16b

  • SHA256

    c7f353c4ca722da712da454317e9d00b77c9b6cf6194b47009dbd67517cf2abc

  • SHA512

    485f361c7f09d3ff51e537124dd342e5358551f18de09c7184360dcac0a4f9225d0a267d7be1e2f908980aad743eb5faab68a824bfd1b0282d6bab5a29676b32

Score
10/10
lockbitdiscoveryevasionpersistenceransomwareupx

Malware Config

Extracted

Path

C:\odt\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: A63564C8060E7488CF4A7B323D6A5337
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note
Any attempts to restore your files with the thrid-party software will be fatal for your files! To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us There is only one way to get your files back: Through a standard browser Brave (supports Tor links) FireFox Chrome Edge Opera Open link - https://decoding.at/ Through a Tor Browser - recommended Download Tor Browser - https://www.torproject.org/ and install it. Open one of links in Tor browser and follow instructions on these pages: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or mirrorhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion/These links work only in the Tor browser! Follow the instructions on this page https://decoding.at may be blocked. We recommend using a Tor browser (or Brave) to access the TOR site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about All your stolen important data will be loaded into our blog if you do not pay ransom. Our blog http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion or https://bigblog.at where you can see data of the companies which refused to pay ransom.
URLs

https://decoding.at/

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or

https://decoding.at

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_super.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\super.exe
      "C:\Users\Admin\AppData\Local\Temp\super.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:640
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:216
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5016
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:404
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:204
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\super.exe"
          3⤵
            PID:4816
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.7 -n 3
              4⤵
              • Runs ping.exe
              PID:5116
            • C:\Windows\SysWOW64\fsutil.exe
              fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\super.exe"
              4⤵
                PID:1308
          • C:\Users\Admin\AppData\Local\Temp\screensaver.exe
            "C:\Users\Admin\AppData\Local\Temp\screensaver.exe" 7C28913B6F1CE6E452678F117954BF4EJ7521E2B4A224740AAF64D5FAD08520ACDF9F8912E7DE
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            PID:1556
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\setup_super.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5116
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:1432
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2908

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Network Service Scanning

          1
          T1046

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          3
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\screensaver.exe
            Filesize

            272KB

            MD5

            f9073cc6566ba11318b425a761f1ce17

            SHA1

            d378ce237e83314c9844b4e6ce4867e2783737db

            SHA256

            c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68

            SHA512

            2a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\screensaver.exe
            Filesize

            272KB

            MD5

            f9073cc6566ba11318b425a761f1ce17

            SHA1

            d378ce237e83314c9844b4e6ce4867e2783737db

            SHA256

            c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68

            SHA512

            2a64e17e37a612f8126d9aaee3286d9ca8efa2e2a83a1185766adb73af7c9dc6cfce19ff186efea8bce8fcafc15e0f886bc94fd1ee38b08af292f76faa10a5f2

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\super.exe
            Filesize

            959KB

            MD5

            ca4d6c1d508d4add675edb0cf206b1ea

            SHA1

            a5c36dc1b1c307de822004f166829dc02f742f45

            SHA256

            70f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e

            SHA512

            c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\super.exe
            Filesize

            959KB

            MD5

            ca4d6c1d508d4add675edb0cf206b1ea

            SHA1

            a5c36dc1b1c307de822004f166829dc02f742f45

            SHA256

            70f85be780b095baa52deda576e4fd2898c3216809a28c396097f9a719f7558e

            SHA512

            c4a3d35914b9d43062188889341437a0c8e293f3b86a18aeff08468d1425f19f368fd0db3aa4511b9dbe91bec405c491f92b414a25e462cf124afa2d6c0bc824

            Download Submit
          • C:\Users\Admin\Desktop\LockBit_Ransomware.hta
            Filesize

            46KB

            MD5

            c15c6adc8c923ad87981f289025c37b2

            SHA1

            bfe6533f4afe3255046f7178f289a4c75ad89e76

            SHA256

            90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1

            SHA512

            31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83

            Download Submit
          • memory/204-145-0x0000000000000000-mapping.dmp
            Download
          • memory/216-142-0x0000000000000000-mapping.dmp
            Download
          • memory/404-144-0x0000000000000000-mapping.dmp
            Download
          • memory/640-140-0x0000000000000000-mapping.dmp
            Download
          • memory/1188-132-0x0000000000000000-mapping.dmp
            Download
          • memory/1308-149-0x0000000000000000-mapping.dmp
            Download
          • memory/1432-141-0x0000000000000000-mapping.dmp
            Download
          • memory/1556-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3484-130-0x0000000000070000-0x000000000007A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3484-131-0x00007FF9B79E0000-0x00007FF9B84A1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4528-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4816-146-0x0000000000000000-mapping.dmp
            Download
          • memory/5016-143-0x0000000000000000-mapping.dmp
            Download
          • memory/5116-139-0x0000000000000000-mapping.dmp
            Download
          • memory/5116-148-0x0000000000000000-mapping.dmp
            Download