General
Target: 8479304375.zip
Size: 1.4MB
Sample: 221129-lbb12shh9y
MD5: ed932fb2639b8675dca13e78939676a6
SHA1: 541a1ce815384932b807eb9256e2b95184465e7f
SHA256: 25dc1cff95675cce0ba5e80db6450feb8479b31b3129b6593d46ba1597c576a4
SHA512: 2f2fa42a2dc92abb2b4b56a7598a2eb839bc610d93dabecadf53ec215d1b662c931b65b3e4c1e87941c3601af561ad1937d9d162b1fa401ef54ce0e67b4e2cf3
SSDEEP: 24576:DIPTVIkcsuXcRI9ErzWy/Y9jJFaCQ6HUQEdnnkRfYZwrX9QiQozRJIMX0hz7ZoQ7:kPTXcsccq9EXWjJscAkmwrXyi3RtX0RX
Static task: static1
Behavioral task: behavioral1
  Sample: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe
  Resource: win10v2004-20220812-en
Behavioral task: behavioral3
  Sample: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral4
  Sample: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted
C:\yYQ85HpV1.README.txt
lockbit
Extracted
C:\odt\Restore-My-Files.txt
Targets

Target: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63
Size: 855KB
MD5: b303ffe0bbddca1570940557cabdd966
SHA1: 647b9aeb909e9900a07a1796d764469ad71ddf2e
SHA256: 5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63
SHA512: 0a03e1e0a87f6adaa0fd28e65a2200ffc6b6f0c27983ba3a82e8b0cd2f2384637c8f75ae676b5d3ecbb67ab0492987fe5710c57dce5af9e35ad153f1b4f21653
SSDEEP: 12288:mbvr5nOE4wDJxr5nOE4wDgpdZk0JlVRJT:mbv9D39DczBlR
Score: 10/10
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4
Size: 1.5MB
MD5: 48aa442a0670b65a82eee99c1ed1ac78
SHA1: 12117609b746257a6cdd2808dcb50c6af9c1810d
SHA256: f6fbfa9fe38f69f8806d60072b7e8a9aceacf4a2b27095f7297f529ba986eab4
SHA512: f76db6e03154e7221f26b3329c434f00d775f99411ee9ec258652a0a7f52c90e0de9794d6754b5910cf169776ae87abf982cd778eb6f06b69fe5a11135e26e5c
SSDEEP: 24576:9bas1P80H8OziJNLCubRnkkBqKU3QMNrm1gPB7MjsjfoxKHHU4tsQkdZ:VlH8ucW9jhmyPBYjSzHHU4tshdZ
Score: 10/10
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Modifies boot configuration data using bcdedit
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext