General
-
Target
8967373484.zip
-
Size
385KB
-
Sample
230202-287rzsca9t
-
MD5
98b55e5cb7d0c6006dd201c9734aa59b
-
SHA1
2f9fcbd4607a5303bffed8c9562750cc8b0e8789
-
SHA256
02d9ad378627a878d8cbf0c240c13b2e3409f5e789dd585efaf5c06fd15159d0
-
SHA512
223241944b3eb4debe5174afb5777b325169421ae3f3276e458765af28d6b6dc234d1ec8f4d5bc5e6f43e20dcacf1cbfd84a9306805255d82cac8c37f627dc03
-
SSDEEP
12288:pj05WOwvDmvtoLh70tbaisl0+Em7kP0mOSfLChdXUdY:e5W9DStcAtd60Yk6Uwk6
Static task
static1
Behavioral task
behavioral1
Sample
2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\program files\7-zip\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\odt\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Extracted
C:\Users\Admin\Desktop\LockBit_Ransomware.hta
https://decoding.at/
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion/or
https://decoding.at
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
Targets
-
-
Target
2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495
-
Size
959KB
-
MD5
9dbb0838eb857c2cf22ca5407d6c85d7
-
SHA1
fe486f8741f2f94fc79def45b4872030e5504d3a
-
SHA256
2bef6231c3e742815f5a3a1da2861bccd7a4197aa1387a70f297a714afbb6495
-
SHA512
1abacf15c959e3f31e54385de34ecec00291aa2dec2e00d663939edf93ff975a1303d579de1d89d00cf557e2e2984862e993ab05f1e0b125eb93d01d5618f417
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796u
Score10/10-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-