General

Target: 이_력_서[230124 경력사항도 같이 기재하였습니다 잘 부탁드립니다].exe.vir
Size: 512KB
Sample: 230126-cs4b7adg2w
MD5: 6a98b2b6e37c7c92368548e902e9a139
SHA1: 9ba6adee7dc59242d15c6506fa8d51d40a38ca9e
SHA256: d1a4e6a654f0f8afa998099cd95faf882918a9d266028b578be7bcf4e123ba17
SHA512: a62753b579651d4006283182972b4b952f21b3f86ae6d99366170bad859a34a8b69a0f70c8643bd156e01f07395f037f63debbdeac3c77b58742355cb1b21340
SSDEEP: 12288:7yPQxK0GtV6Yc2rzgfur479pAZDATfzmRf9mC6H:mQk/tQz2HWFNTfzqfoh
Static task: static1
Behavioral task: behavioral1
Sample: 이_력_서[230124 경력사항도 같이 기재하였습니다 잘 부탁드립니다].exe
Resource: win10v2004-20220901-en
Malware Config

Extracted from C:\odt\Restore-My-Files.txt:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at

Extracted from C:\Users\Admin\Desktop\LockBit_Ransomware.hta:
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Score: 10/10

Signatures:
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger