General
-
Target
2023-01-28_2525d5867b27f5ee3949880186c35ed7_lockbit.exe
-
Size
959KB
-
Sample
230129-f247mabd8w
-
MD5
2525d5867b27f5ee3949880186c35ed7
-
SHA1
8fc6dd893d10eb3f4d7c06fda1d3e05a8c7ba8ad
-
SHA256
2a32c844885b05e65769a051dae825aecef887c2c60035e5a20ae42533cc1695
-
SHA512
589b76ae5cddff763af93164eb817cf971a3a137a7d3a6ad6ac8c3dfcb703c49c13afb69c00d1984edbfeecc63cdefa4a6b78e1c70f6b65fb057e0e82c526376
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdRF:Ujrc2So1Ff+B3k796r
Static task
static1
Behavioral task
behavioral1
Sample
2023-01-28_2525d5867b27f5ee3949880186c35ed7_lockbit.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2023-01-28_2525d5867b27f5ee3949880186c35ed7_lockbit.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
C:\program files\7-zip\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\odt\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets
-
-
Target
2023-01-28_2525d5867b27f5ee3949880186c35ed7_lockbit.exe
-
Size
959KB
-
MD5
2525d5867b27f5ee3949880186c35ed7
-
SHA1
8fc6dd893d10eb3f4d7c06fda1d3e05a8c7ba8ad
-
SHA256
2a32c844885b05e65769a051dae825aecef887c2c60035e5a20ae42533cc1695
-
SHA512
589b76ae5cddff763af93164eb817cf971a3a137a7d3a6ad6ac8c3dfcb703c49c13afb69c00d1984edbfeecc63cdefa4a6b78e1c70f6b65fb057e0e82c526376
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdRF:Ujrc2So1Ff+B3k796r
Score10/10-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-