Analysis
-
max time kernel
97s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-11-2022 09:21
General
-
Target
5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe
-
Size
855KB
-
MD5
b303ffe0bbddca1570940557cabdd966
-
SHA1
647b9aeb909e9900a07a1796d764469ad71ddf2e
-
SHA256
5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63
-
SHA512
0a03e1e0a87f6adaa0fd28e65a2200ffc6b6f0c27983ba3a82e8b0cd2f2384637c8f75ae676b5d3ecbb67ab0492987fe5710c57dce5af9e35ad153f1b4f21653
-
SSDEEP
12288:mbvr5nOE4wDJxr5nOE4wDgpdZk0JlVRJT:mbv9D39DczBlR
Malware Config
Extracted
C:\yYQ85HpV1.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe"C:\Users\Admin\AppData\Local\Temp\5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5e79854b8a92b169212e0ea3ad0252e4a86fc7e186fc162f143bb7754a73ec63.exeﮅ2⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\CB01.tmp"C:\ProgramData\CB01.tmp"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 9322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4400 -ip 44001⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\AAAAAAAAAAAFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\BBBBBBBBBBBFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\CCCCCCCCCCCFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\DDDDDDDDDDDFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\EEEEEEEEEEEFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\FFFFFFFFFFFFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\GGGGGGGGGGGFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\HHHHHHHHHHHFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\IIIIIIIIIIIFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\JJJJJJJJJJJFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\KKKKKKKKKKKFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\LLLLLLLLLLLFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\MMMMMMMMMMMFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\NNNNNNNNNNNFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\OOOOOOOOOOOFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\PPPPPPPPPPPFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\QQQQQQQQQQQFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RRRRRRRRRRRFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\SSSSSSSSSSSFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\TTTTTTTTTTTFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\UUUUUUUUUUUFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\VVVVVVVVVVVFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\WWWWWWWWWWWFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\XXXXXXXXXXXFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\YYYYYYYYYYYFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.iniFilesize
129B
MD5df6f23d2af58f8f46d876422170e2f7f
SHA1af158aa6fa5f76f94cd14f8248d4620d7d612ca4
SHA256fd7b508581fbfad0c8fb92334cf0900a5feeca86097d8d82510dbc6623544de2
SHA5121fd227f38b5f911c79e7efdf82bab5561f90037ede6b1631b8f9124d019b442b105430806ff40bd74835dc3b073d4e4abc8a658ae3b015d5f9bdcfa73cb94563
-
C:\ProgramData\CB01.tmpFilesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\ProgramData\CB01.tmpFilesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\nsd224.tmp\System.dllFilesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
memory/992-165-0x0000000000000000-mapping.dmp
-
memory/992-169-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/992-170-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/1704-135-0x000000000041A000-0x000000000041B000-memory.dmpFilesize
4KB
-
memory/1704-134-0x0000000000419000-0x0000000000419600-memory.dmpFilesize
1KB
-
memory/1704-133-0x0000000000000000-mapping.dmp
-
memory/1704-138-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1704-136-0x000000000041A000-0x000000000041B000-memory.dmpFilesize
4KB
-
memory/1704-137-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1704-168-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB